From c900d3b684dbd02abb137a5cb854025f9effbe7f Mon Sep 17 00:00:00 2001 From: Adam Majer Date: Wed, 28 Sep 2022 12:09:30 +0000 Subject: [PATCH] + CVE-2022-32213 bypass via obs-fold mechanic (bsc#1201325) (CVE-2022-32215, bsc#1201327) + Incorrect Parsing of Header Fields (CVE-2022-35256, bsc#1203832) (CVE-2022-35255, bsc#1203831) - Skip test-fs-utimes-y2K38.js on armv6hl as well as armv7hl. OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs18?expand=0&rev=17 --- nodejs18.changes | 13 +++++++++---- test-skip-y2038-on-32bit-time_t.patch | 7 +++++-- 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/nodejs18.changes b/nodejs18.changes index 4a16b91..4770b35 100644 --- a/nodejs18.changes +++ b/nodejs18.changes @@ -3,12 +3,17 @@ Mon Sep 26 13:13:39 UTC 2022 - Adam Majer - Update to Nodejs 18.9.1: * deps: llhttp updated to 6.0.10 - + CVE-2022-32213 bypass via obs-fold mechanic + + CVE-2022-32213 bypass via obs-fold mechanic (bsc#1201325) + Incorrect Parsing of Multi-line Transfer-Encoding - (CVE-2022-32215) - + Incorrect Parsing of Header Fields (CVE-35256) + (CVE-2022-32215, bsc#1201327) + + Incorrect Parsing of Header Fields (CVE-2022-35256, bsc#1203832) * crypto: fix weak randomness in WebCrypto keygen - (CVE-2022-35255) + (CVE-2022-35255, bsc#1203831) + +------------------------------------------------------------------- +Sat Sep 17 10:35:31 UTC 2022 - Bruno Pitrus + +- Skip test-fs-utimes-y2K38.js on armv6hl as well as armv7hl. ------------------------------------------------------------------- Thu Sep 15 15:00:25 UTC 2022 - Adam Majer diff --git a/test-skip-y2038-on-32bit-time_t.patch b/test-skip-y2038-on-32bit-time_t.patch index 418c402..1e3b16b 100644 --- a/test-skip-y2038-on-32bit-time_t.patch +++ b/test-skip-y2038-on-32bit-time_t.patch 
@@ -2,7 +2,7 @@ Skip 'test/parallel/test-fs-utimes-y2K38.js' on some platforms. This test fails if coreutils' touch was built with 64-bit time_t, while nodejs was built with 32-bit time_t. This is currently the case -on i586, ppc and armv7l. Skip the failing last command on those +on i586, ppc and arm. Skip the failing last command on those platforms. The failure was seen since coreutils-9.0. @@ -16,7 +16,7 @@ Index: node-v16.6.2/test/parallel/test-fs-utimes-y2K38.js =================================================================== --- node-v16.6.2.orig/test/parallel/test-fs-utimes-y2K38.js +++ node-v16.6.2/test/parallel/test-fs-utimes-y2K38.js -@@ -20,6 +20,23 @@ if (!common.isWindows) { +@@ -20,6 +20,26 @@ if (!common.isWindows) { common.skip('File system appears to lack Y2K38 support (touch failed)'); } @@ -32,6 +32,9 @@ Index: node-v16.6.2/test/parallel/test-fs-utimes-y2K38.js + if (unameResult.stdout.trim() === 'ppc') { + common.skip('SUSE: test skipped on platforms with 32-bit time_t'); + } ++ if (unameResult.stdout.trim() === 'armv6l') { ++ common.skip('SUSE: test skipped on platforms with 32-bit time_t'); ++ } + if (unameResult.stdout.trim() === 'armv7l') { + common.skip('SUSE: test skipped on platforms with 32-bit time_t'); + }
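Review bot: The new `armv6l` branch in the last hunk is a third copy of the same `unameResult.stdout.trim() === …` / `common.skip(...)` pair, and it keys the skip on the kernel's machine string rather than on the width of time_t in the build. A 32-bit ARM build running under a 64-bit kernel would presumably report a different machine name and still run the failing command, even though the patch header now says simply "arm". A single check on the runtime's own architecture, for example `if (process.arch === 'arm' || process.arch === 'ppc') common.skip('SUSE: test skipped on platforms with 32-bit time_t');`, would cover both ARM variants without adding a branch per machine name. The block starts outside this hunk (the `uname` call and any earlier checks are not visible), so confirm against the full patch before consolidating.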