From 96f27bdb9224f769d08922d9419001f7a2cd28a65bf8ce6c588b8c2f4176f809 Mon Sep 17 00:00:00 2001
From: Adam Majer
Date: Fri, 16 Feb 2024 16:24:14 +0000
Subject: [PATCH] - Update to 20.11.1: (security updates)
 * (CVE-2024-21892, bsc#1219992) - Code injection and privilege escalation through Linux capabilities- (High)
 * (CVE-2024-22019, bsc#1219993) - http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks- (High)
 * (CVE-2024-21896, bsc#1219994) - Path traversal by monkey-patching Buffer internals- (High)
 * (CVE-2024-22017, bsc#1219995) - setuid() does not drop all privileges due to io_uring - (High)
 * (CVE-2023-46809, bsc#1219997) - Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) - (Medium)
 * (CVE-2024-21891, bsc#1219998) - Multiple permission model bypasses due to improper path traversal sequence sanitization - (Medium)
 * (CVE-2024-21890, bsc#1219999) - Improper handling of wildcards in --allow-fs-read and --allow-fs-write (Medium)
 * (CVE-2024-22025, bsc#1220014) - Denial of Service by resource exhaustion in fetch() brotli decoding - (Medium)
 * undici version 5.28.3 (CVE-2024-24758, bsc#1220017)
 * libuv version 1.48.0 (CVE-2024-24806, bsc#1219724)

OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs20?expand=0&rev=68
---
 SHASUMS256.txt | 78 +++++++++++++++++++++----------------------
 SHASUMS256.txt.sig | Bin 566 -> 438 bytes
 node-v20.11.0.tar.xz | 3 --
 node-v20.11.1.tar.xz | 3 ++
 nodejs20.changes | 15 +++++++++
 nodejs20.spec | 10 +++---
 6 files changed, 62 insertions(+), 47 deletions(-)
 delete mode 100644 node-v20.11.0.tar.xz
 create mode 100644 node-v20.11.1.tar.xz

diff --git a/SHASUMS256.txt b/SHASUMS256.txt index fe17dc6..b3f7b85 100644 --- a/SHASUMS256.txt +++ b/SHASUMS256.txt 
@@ -1,41 +1,41 @@ -f76a47616ceb47b9766cb7182ec6b53100192349de6a8aebb11f3abce045748f node-v20.11.0-aix-ppc64.tar.gz -6f36120adc4a49657ceeb7e55b1d42fa58e1006f4ebd04e12a0c6858f58f7b1e node-v20.11.0-arm64.msi -94e443d007e2882f8e5aecc85d978f7591520dc3b642adc7583b3cb0b3fc37d7 node-v20.11.0-darwin-arm64.tar.gz -f18a7438723d48417f5e9be211a2f3c0520ffbf8e02703469e5153137ca0f328 node-v20.11.0-darwin-arm64.tar.xz -c0ba02c905814258bd99a362027f8d4d2cc738218a9cf1dce2620e8735e3a80e node-v20.11.0-darwin-x64.tar.gz -d4b4ab81ebf1f7aab09714f834992f27270ad0079600da00c8110f8950ca6c5a node-v20.11.0-darwin-x64.tar.xz -c456d00c993b3d60d29c50e3389edc4f181145934b4ed38ad2fd047938440f22 node-v20.11.0-headers.tar.gz -5629e124cf240c73540df0c79d683b9568bab34d53a632e2d8a2c4ad279d7da1 node-v20.11.0-headers.tar.xz -402178cd5438b9ed89bffafc119e2bd4148616390bcdfd7089090ffc4615c981 node-v20.11.0-linux-arm64.tar.gz -f6df68c6793244071f69023a9b43a0cf0b13d65cbe86d55925c28e4134d9aafb node-v20.11.0-linux-arm64.tar.xz -04bc09322f3d71230c32364a6f55d64c67bdb4fe032f07bab5d3cb0a940b6b86 node-v20.11.0-linux-armv7l.tar.gz -f943abd348d2b8ff8754ca912c118a20301eb6a0014cc4cdea86cff021fde8e6 node-v20.11.0-linux-armv7l.tar.xz -333b51abb06931348640a8707a16ce8a71ac7c1c11ba6a7bd9ce0941f8bbde81 node-v20.11.0-linux-ppc64le.tar.gz -6a0e1fa23d7bc707711bbc36159b4220eca123e13435d266d690c6b6c443dc67 node-v20.11.0-linux-ppc64le.tar.xz -8d093b2f49017f67cff368fcfeafe036d9c3d0eca2656b379132afef2bf12725 node-v20.11.0-linux-s390x.tar.gz -cc92efa3fa101d613539451b1cf323ea9ac6198b4a68a7d3bf3b1090c6a7b5da node-v20.11.0-linux-s390x.tar.xz -9556262f6cd4c020af027782afba31ca6d1a37e45ac0b56cecd2d5a4daf720e0 node-v20.11.0-linux-x64.tar.gz -822780369d0ea309e7d218e41debbd1a03f8cdf354ebf8a4420e89f39cc2e612 node-v20.11.0-linux-x64.tar.xz -e2acb2da96b455a9b8ce9c88f7f00eabeda75d2724e6789dfe65ee71b50298c2 node-v20.11.0.pkg -9884b22d88554d65025352ba7e4cb20f5d17a939231bea41a7894c0344fab1bf node-v20.11.0.tar.gz 
-31807ebeeeb049c53f1765e4a95aed69476a4b696dd100cb539ab668d7950b40 node-v20.11.0.tar.xz -5ba71917c41059deada7fc51bc838dcbe7c72017a13818fe12052f32a4a79920 node-v20.11.0-win-arm64.7z -89c1f7034dcd6ff5c17f2af61232a96162a1902f862078347dcf274a938b6142 node-v20.11.0-win-arm64.zip -83f1621f7f5debb14466e2a5a439b03a5508bf6ff9e36dd3be812d101d31b9d4 node-v20.11.0-win-x64.7z -893115cd92ad27bf178802f15247115e93c0ef0c753b93dca96439240d64feb5 node-v20.11.0-win-x64.zip -d0594c790377493ac1331c97c688527c2610fff5b2d788c86879dec99befd198 node-v20.11.0-win-x86.7z -7233041955deca69a0cd7b958f9a927969a9c49c38c4bc7b627d57ee626095a6 node-v20.11.0-win-x86.zip -9a8c2e99b1fca559e1a1a393d6be4a23781b0c66883a9d6e5584272d9bf49dc2 node-v20.11.0-x64.msi -01484d759ca9aa758ca1e1ddf080c00ef850b2aa98645dafe4557a46e9fa0e7d node-v20.11.0-x86.msi -40c82471f28e5998d6978b59c8870177e68326f313e99141c5194fe4de849eca win-arm64/node.exe +43a881788549e1b3425eb5f2b92608f438f146e08213de09c5bd5ff841cae7ae node-v20.11.1-aix-ppc64.tar.gz +3f8e77b775372c0b27d2b85ce899d80339691f480e64dde43d4eb01504a58679 node-v20.11.1-arm64.msi +e0065c61f340e85106a99c4b54746c5cee09d59b08c5712f67f99e92aa44995d node-v20.11.1-darwin-arm64.tar.gz +fd771bf3881733bfc0622128918ae6baf2ed1178146538a53c30ac2f7006af5b node-v20.11.1-darwin-arm64.tar.xz +c52e7fb0709dbe63a4cbe08ac8af3479188692937a7bd8e776e0eedfa33bb848 node-v20.11.1-darwin-x64.tar.gz +ed69f1f300beb75fb4cad45d96aacd141c3ddca03b6d77c76b42cb258202363d node-v20.11.1-darwin-x64.tar.xz +0aa42c91b441e945ff43bd3a837759c58b436de57dcd033d02e5cbcd2fba1f87 node-v20.11.1-headers.tar.gz +edce238817acf5adce3123366b55304aff2a1f0849231d1b49f42370e454b6f8 node-v20.11.1-headers.tar.xz +e34ab2fc2726b4abd896bcbff0250e9b2da737cbd9d24267518a802ed0606f3b node-v20.11.1-linux-arm64.tar.gz +c957f29eb4e341903520caf362534f0acd1db7be79c502ae8e283994eed07fe1 node-v20.11.1-linux-arm64.tar.xz +e42791f76ece283c7a4b97fbf716da72c5128c54a9779f10f03ae74a4bcfb8f6 node-v20.11.1-linux-armv7l.tar.gz 
+28e0120d2d150a8f41717899d33167b8b32053778665583d49ff971bfd188d1b node-v20.11.1-linux-armv7l.tar.xz +9823305ac3a66925a9b61d8032f6bbb4c3e33c28e7f957ebb27e49732feffb23 node-v20.11.1-linux-ppc64le.tar.gz +51343cacf5cdf5c4b5e93e919d19dd373d6ef43d5f2c666eae299f26e31d08b5 node-v20.11.1-linux-ppc64le.tar.xz +4c66b2f247fdd8720853321526d7cda483018fcb32014b75c30f3a54ecacaea7 node-v20.11.1-linux-s390x.tar.gz +b32616b705cd0ddbb230b95c693e3d7a37becc2ced9bcadea8dc824cceed6be0 node-v20.11.1-linux-s390x.tar.xz +bf3a779bef19452da90fb88358ec2c57e0d2f882839b20dc6afc297b6aafc0d7 node-v20.11.1-linux-x64.tar.gz +d8dab549b09672b03356aa2257699f3de3b58c96e74eb26a8b495fbdc9cf6fbe node-v20.11.1-linux-x64.tar.xz +f1cd449fcbeb1b948e8498cb8edd9655fa319d109a7f4c5bd96a9b122b91538a node-v20.11.1-win-arm64.7z +e85461ec124956a2853c4ee6e13c4f4889d63c88beb3d530c1ee0c4b51dc10e7 node-v20.11.1-win-arm64.zip +fb9b5348259988a562a48eed7349e7e716c0bec78d98ad0a336b2993a8b3bf34 node-v20.11.1-win-x64.7z +bc032628d77d206ffa7f133518a6225a9c5d6d9210ead30d67e294ff37044bda node-v20.11.1-win-x64.zip +c2b1863d8979546804a39fc63d0a9bc9c6e49cb2f6c9d1e52844a24629b24765 node-v20.11.1-win-x86.7z +b98e95f78416d1359b647cfa09ba2a48b76d41b56a776df822bf36ffe8e76a2d node-v20.11.1-win-x86.zip +c54f5f7e2416e826fd84e878f28e3b53363ae9c3f60a140af4434b2453b5ae89 node-v20.11.1-x64.msi +63e2aed4dabb96eed6903a3974e006d3c29c218472aac60ae3c3c7de00df13b1 node-v20.11.1-x86.msi +c46019a095a1549d000e85da13f17972a448e0be5854a51786ecccde7278a012 node-v20.11.1.pkg +4af1ba6ea848cc05908b8a62b02fb27684dd52b2a7988ee82b0cfa72deb90b94 node-v20.11.1.tar.gz +77813edbf3f7f16d2d35d3353443dee4e61d5ee84d9e3138c7538a3c0ca5209e node-v20.11.1.tar.xz +a5a9d30a8f7d56e00ccb27c1a7d24c8d0bc96a2689ebba8eb7527698793496f1 win-arm64/node.exe 93529170cebe57c0f4830a4cc6a261b6cc9bcf0cd8b3e88ac4995a5015031d79 win-arm64/node.lib -0c122978bbc1000ea274041039b1f01b6d6ffbd99d4f3e543ef59aa3ddb478b0 win-arm64/node_pdb.7z 
-c2c9d294eff41013afbd61ded5a61f60943366ff9ded0b6224ada51ae1734ba6 win-arm64/node_pdb.zip -5da5e201155bb3ea99134b404180adebcfa696b0dbc09571d01a09ca5489f53e win-x64/node.exe +c14c6e927406b8683cbfb8a67ca4c8fd5093ca7812b5b1627e3d6a53d3674565 win-arm64/node_pdb.7z +68034cd09d8dfaa755d1b280da13e20388cc486ac57b037b3e11dfe2d6b74284 win-arm64/node_pdb.zip +bc585910690318aaebe3c57669cb83ca9d1e5791efd63195e238f54686e6c2ec win-x64/node.exe 53a982d490cb9fcc4b231a8b95147de423b36186bc6f4ba5697b20117fdcbd5d win-x64/node.lib -114e91742393e4f77354d02876d833bb1ee3b4574c6fbb8348be54035f25b433 win-x64/node_pdb.7z -88533c1475ee77b121cf11bb5a3060314a9405a4cc41c164a4fcc61588e67f88 win-x64/node_pdb.zip -38ca23f8dd943c0b7f29607a8414f11a5a27d06702680fa5071fcf04361dcb43 win-x86/node.exe -416137df167e2b54548f92425244b039496da62b5a31f40fb6e7f331f07f5040 win-x86/node.lib -0fe07006b930c9dc72028be8f2048f01e7827cc620ff2cf0bd773f1ea3f812d8 win-x86/node_pdb.7z -dce7cd4b62a721d783ce961e9f70416ac63cf9cdc87b01f6be46540201333b1e win-x86/node_pdb.zip +ccac9f2f5219ed858aeddb306d6493478ba9675c7cbf009e83742437d6752c4f win-x64/node_pdb.7z +bec5da4035c84580843978a59ef9bcc1c0eaca881cf9e1c94e63a1862cf14421 win-x64/node_pdb.zip +3829137e062b1e2eb9947ef05e4b717ae578a8fce1c5c60fe4f6ae7ef2ec0240 win-x86/node.exe +c5321bb65dcecb3989f9b8f6ec56369c16627ca4bade0c78afb6b88f7dde50e4 win-x86/node.lib +20ca60ced1fc21f15ea952b4406aec6bde39d20eab11cf042040628841b2249e win-x86/node_pdb.7z +bef05cebedce5949ae35e87e7d4789c16fa73caf478483fcf92e5dbb9ba5d774 win-x86/node_pdb.zip 
diff --git a/SHASUMS256.txt.sig b/SHASUMS256.txt.sig index f45c7fee5083843601806899dbce92463ca569986d289940cfeb0e19d5a59e11..4841c1203f0b5a35fe9f4dfb11060752092e6a129c187de52b05e68a3a841637 100644 GIT binary patch literal 438 zcmV;n0ZIOe0kZ@E0SEvc79j+Q3<%qWc@{734f)%P>a^d_RbKQ30%gqkH~5R2-x z-_KQE^fM$2{TQ2DGMw2*xHG9VZvD3=Fkk2n<3mEMC0bQvXUUF2by#l(M*3&q#aj!~ zzw$17+2bCJYC+Y% z?adD&xn3ziO_z2xcy{ZKfUynR-cK7ZrVd}YpskmvUNEvk}y0P=)<>jE$&nPF&U5^|`dyYUhd#3g8G|3Lsi~s-t literal 566 zcmV-60?GY}0y6{v0SEvc79j+t0yQxFQ$`=`k@=hi%|9>R2bFjQ0%e}L@Bj)45CqLX zFWv{0cq6zE|3DnkeTm|!>ueFM#wDozEPeLvLN@2wK7EIG3rmb_lRCW{8q{xkbCx-E z&k@l+NZNXd3j5DbhBLWF-bW!UZLC*XaMV=F3iMQnL3+0J+4sFLECLctcaViY*nR?X zis~uH|5l-j;f6CTH?fXstU>uIP4LC0VRMLs)>w0V>FtzkyOMIS|NwLUj~(OpwN zud9=a02Nw|Di#a{4+$nB+GDJQl*7k`kP8{iwIFzY5*edz0X;BVxZA@BPnlBK(EHQn za@;24>hZ@8QAztXJskN7K;j)Hdy>Q3HHS}uw3+N_wnU}<#;#2zfk*g!@0S2AQs}0V z_s1(bC6XCtc0y6OiUq-2F&-KvMatz`$~gHwqRJF!Z-{V@L=|brga$XnE}U`{!=(XI zR^4d>Sh&3hT{5>3n#^P#30qVC5E=vFaT8ym&`j#!@Z|ug+TK;MNW+I z7ohETG2t$}7e8IcU + +- Update to 20.11.1: (security updates) + * (CVE-2024-21892, bsc#1219992) - Code injection and privilege escalation through Linux capabilities- (High) + * (CVE-2024-22019, bsc#1219993) - http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks- (High) + * (CVE-2024-21896, bsc#1219994) - Path traversal by monkey-patching Buffer internals- (High) + * (CVE-2024-22017, bsc#1219995) - setuid() does not drop all privileges due to io_uring - (High) + * (CVE-2023-46809, bsc#1219997) - Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) - (Medium) + * (CVE-2024-21891, bsc#1219998) - Multiple permission model bypasses due to improper path traversal sequence sanitization - (Medium) + * (CVE-2024-21890, bsc#1219999) - Improper handling of wildcards in --allow-fs-read and --allow-fs-write (Medium) + * (CVE-2024-22025, bsc#1220014) - Denial of Service by resource exhaustion in fetch() 
brotli decoding - (Medium) + * undici version 5.28.3 (CVE-2024-24758, bsc#1220017) + * libuv version 1.48.0 (CVE-2024-24806, bsc#1219724) + ------------------------------------------------------------------- Mon Feb 12 14:27:04 UTC 2024 - Adam Majer diff --git a/nodejs20.spec b/nodejs20.spec index c121dd6..e36639c 100644 --- a/nodejs20.spec +++ b/nodejs20.spec @@ -31,7 +31,7 @@ %endif Name: nodejs20 -Version: 20.11.0 +Version: 20.11.1 Release: 0 # Double DWZ memory limits @@ -298,7 +298,7 @@ BuildRequires: openssl >= %{openssl_req_ver} %else # bundled openssl %if %node_version_number <= 12 && 0%{?suse_version} == 1315 && 0%{?sle_version} < 120400 -Provides: bundled(openssl) = 3.0.12 +Provides: bundled(openssl) = 3.0.13 %else BuildRequires: bundled_openssl_should_not_be_required %endif @@ -383,8 +383,8 @@ BuildRequires: pkgconfig(libbrotlidec) Provides: bundled(llhttp) = 8.1.1 Provides: bundled(ngtcp2) = 0.8.1 Provides: bundled(base64) = 0.5.1 -Provides: bundled(simdutf) = 3.2.18 - +Provides: bundled(simdutf) = 4.0.4 +Provides: bundled(simdjson) = {{nothing}} # bundled url-ada parser, not ada Provides: bundled(ada) = 2.7.4 @@ -396,7 +396,7 @@ Provides: bundled(node-cjs-module-lexer) = 1.2.2 Provides: bundled(node-corepack) = 0.23.0 Provides: bundled(node-minimatch) = 9.0.3 Provides: bundled(node-streamsearch) = 1.1.0 -Provides: bundled(node-undici) = 5.27.2 +Provides: bundled(node-undici) = 5.28.3 Provides: bundled(node-undici-types) = 5.25.1 %description
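
Review bot: in the SHASUMS256.txt.sig binary patch the detached signature shrinks from 566 to 438 bytes, which points to a different signing key than the one used for 20.11.0. Please confirm that the new signature still verifies against the release keys this package trusts, because every checksum replaced in SHASUMS256.txt, including the one for node-v20.11.1.tar.xz, is only as trustworthy as that signature.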
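
Review bot: the new nodejs20.changes entry leaves out three bundled-version changes that nodejs20.spec makes in this same commit: bundled(openssl) 3.0.12 to 3.0.13, bundled(simdutf) 3.2.18 to 4.0.4, and the new bundled(simdjson) Provides. Add a line for each so the changelog matches the spec. In the other direction, the entry lists "libuv version 1.48.0 (CVE-2024-24806, bsc#1219724)" but no visible spec hunk touches a libuv line, so say whether that fix arrives through a bundled copy or through the system libuv package. The severity suffix is also written three ways ("capabilities- (High)", "io_uring - (High)", "--allow-fs-write (Medium)"); pick one form.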
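
Review bot: in the nodejs20.spec hunk at -383,8 the added line "Provides: bundled(simdjson) = {{nothing}}" ships an unresolved template placeholder where a version belongs. Replace it with the simdjson version actually bundled in 20.11.1, or drop the line if nothing is bundled, since anyone matching bundled components against advisories gets no usable version from it. The same line takes the place of the blank line that separated the simdutf entry from the "# bundled url-ada parser, not ada" comment; restore that blank line so the comment stays visually attached to the ada Provides only.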
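
Review bot: in the nodejs20.spec hunk at -396,7 bundled(node-undici) moves to 5.28.3 while the following context line keeps "Provides: bundled(node-undici-types) = 5.25.1". Please check that value against the 20.11.1 sources and update it if it changed, so the bundled Provides list stays accurate for the undici fix (CVE-2024-24758) this update is tracking.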