If you are only looking into it for Node.js, these are only security vulnerability in Chromium's threat model which defends against untrusted code. In the threat model <https://github.com/nodejs/node/blob/main/SECURITY.md#the-nodejs-threat-model> of Node.js, which trusts all JS code given to it to execute, these are at most regular bugs. V8 doesn't maintain these old releases and Node.js maintains support for its vendored version of V8 in active releases to some extent, you could submit a backport to Node.js's v20 and v18 release lines (see https://github.com/nodejs/node/blob/main/doc/contributing/maintaining/maintaining-V8.md), though it'll be up to the Node.js release team to decide whether or when they'll be accepted (as these are not really security vulnerabilities for Node.js, they are not likely to be considered prioritized).
Regards, Joyee On Friday, August 9, 2024 at 7:09:24 PM UTC+2 omer...@chromium.org wrote: > I don't recall the exact criteria, but V8 doesn't usually back merge fixes > that far back. > Version 11.3 is over a year old and version 10.2 is over 2 years old by > now. > On Thursday, August 8, 2024 at 9:52:37 PM UTC+2 giancarlo.c...@gmail.com > wrote: > >> Good morning/afternoon. >> >> There are 3 high V8 CVEs that have been recently fixed. I'd like to know >> if they will be backported to V8 versions 10.2.154.x (used by Node 18.20.4) >> and 11.3.244.x (Used by Node 20.16.0) >> >> See >> >> - >> https://github.com/nodejs/node/blob/v18.20.4/deps/v8/include/v8-version.h >> - >> https://github.com/nodejs/node/blob/v20.16.0/deps/v8/include/v8-version.h >> >> The CVEs are: >> *https://nvd.nist.gov/vuln/detail/CVE-2024-4761 >> <https://nvd.nist.gov/vuln/detail/CVE-2024-4761>. (Score 8.8)* >> >> - Out of bounds write. >> - Fixed in version 12.6.213 >> <https://github.com/v8/v8/releases/tag/12.6.213> >> - Fixed by this commit >> <https://github.com/v8/v8/commit/f320600cd1f48ba6bb57c0395823fe0c5e5ec52e> >> >> >> *https://nvd.nist.gov/vuln/detail/CVE-2024-4947 >> <https://nvd.nist.gov/vuln/detail/CVE-2024-4947>* >> >> - Type Confusion. >> - Fixed in version 12.0.267.27 >> <https://github.com/v8/v8/releases/tag/12.0.267.27> >> - Fixed by this commit <https://github.com/v8/v8/commit/2944ee9846e> >> >> *https://nvd.nist.gov/vuln/detail/CVE-2024-5274 >> <https://nvd.nist.gov/vuln/detail/CVE-2024-5274>* >> >> - Type Confusion. >> - Fixed in version 12.4.254.20 >> <https://github.com/v8/v8/releases/tag/12.4.254.20> >> - Fixed by this commit <https://github.com/v8/v8/commit/6e5e1053fa6> >> >> >> These are high CVEs identified by CISA as being KEV. >> >> -- -- v8-dev mailing list v8-dev@googlegroups.com http://groups.google.com/group/v8-dev --- You received this message because you are subscribed to the Google Groups "v8-dev" group. To unsubscribe from this group and stop receiving emails from it, send an email to v8-dev+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/v8-dev/aaf49f70-5266-4598-8060-6e7112115e9dn%40googlegroups.com.
