Accepting request 1118025 from devel:languages:nodejs

- Security fixes relase 20.8.1 * (CVE-2023-44487, bsc#1216190): nghttp2 Security Release * (CVE-2023-45143, bsc#1216205): undici Security Release * (CVE-2023-39332, bsc#1216271): Path traversal through path stored in Uint8Array * (CVE-2023-39331, bsc#1216270): Permission model improperly protects against path traversal * (CVE-2023-38552, bsc#1216272): Integrity checks according to policies can be circumvented * (CVE-2023-39333, bsc#1216273): Code injection via WebAssembly export names - fix_ci_tests.patch: refreshed OBS-URL: https://build.opensuse.org/request/show/1118025 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/nodejs20?expand=0&rev=14
2023-10-17 18:22:28 +00:00 · 2023-10-17 18:22:28 +00:00 · a2711d83a3
commit a2711d83a3
parent ea39387820 6513469645
7 changed files with 77 additions and 64 deletions
--- a/SHASUMS256.txt
+++ b/SHASUMS256.txt
@ -1,41 +1,41 @@
-f8f5888d82c428136fd3a9b1951ebc06b759533eda5abf94a5676904417d7dd2  node-v20.8.0-aix-ppc64.tar.gz
-7614f7b8464378a4077aedcb378a0b220c366bab722472ff3e07aa3d1512f6e0  node-v20.8.0-arm64.msi
-cbcb7fdbcd9341662256df5e4488a0045242f87382879242093e0f0699511abc  node-v20.8.0-darwin-arm64.tar.gz
-ea1362cdb1c062ab5bc134219b1467d39272b2ce6b30a6743d8e7a798185f3f2  node-v20.8.0-darwin-arm64.tar.xz
-a6f6b573ea656c149956f69f35e04ebb242b945d59972bea2e96a944bbf50ad1  node-v20.8.0-darwin-x64.tar.gz
-598538764639b67750e9002f2d3b6dca2a5f7576f9714d24816f060ada7b92ea  node-v20.8.0-darwin-x64.tar.xz
-400a9ae60e48816943f0016a9ec10fdc0c09ea8e6db97de203806431807ac49b  node-v20.8.0-headers.tar.gz
-3016b71eb7879c52ed19395f352b121250bf917e35497a87b937731f76e3438d  node-v20.8.0-headers.tar.xz
-cec9be5a060f63bfda7ef5b5a368cba5cfa0ce673b117bae8c146ec5df767cbe  node-v20.8.0-linux-arm64.tar.gz
-ec2d98894d58d07260e61e6a70b88cabea98292f0b2801cbeebd864d242e1087  node-v20.8.0-linux-arm64.tar.xz
-1922c4ff0c710b18bc6946e4efcc592b832e8c22853066b70a74181ac6d92a36  node-v20.8.0-linux-armv7l.tar.gz
-6df86705df9f63cda322b5570efa26a7509bfe4fbf2721d0d1acc81e0e3c9105  node-v20.8.0-linux-armv7l.tar.xz
-44beb7fb1ebacedf5a4c08cc4cd5d346820058a3f3316d9f34bc2fa16a29fd8c  node-v20.8.0-linux-ppc64le.tar.gz
-ae8130354dbf2526ddffa92c406864d97c08044ddb66b8aaaccb54be03085a27  node-v20.8.0-linux-ppc64le.tar.xz
-7f1c1f515eb4a93ef00ef8630de6f1e308c21969ce4b3ff482269cedb7929595  node-v20.8.0-linux-s390x.tar.gz
-a529f569b6783bd3cb948b7cb5cfee2270a720db1b347e1e168f46ad9123394d  node-v20.8.0-linux-s390x.tar.xz
-ae6f288a21a3bc7a82b79d3f00c52216df6de09c45eac0ea754243a9c7fb5e69  node-v20.8.0-linux-x64.tar.gz
-66056a2acc368db142b8a9258d0539e18538ae832b3ccb316671b0d35cb7c72c  node-v20.8.0-linux-x64.tar.xz
-6a98a466aaf7d4180365e7fe17a168fc305923d8bc64048daddd706428142e07  node-v20.8.0.pkg
-daa1f39d262b8e07a06c272f2671337f1bfce54000db9662de0dfce3c18fff3c  node-v20.8.0.tar.gz
-412be847ae6df61010ba9da3cc3e6be5b67aa002e354e919f59ec8360371704c  node-v20.8.0.tar.xz
-e5872b8a701033b57e91a6feead96a8468165cc40698885689478aebe4aea0f9  node-v20.8.0-win-arm64.7z
-7426fbd791871f07a3672750b938dd3d9d82bcdb6c0a75cc5b588bbfba30e90b  node-v20.8.0-win-arm64.zip
-fe703df746cb22f970b85134096a5097c8585fa377a394df1f68ab687ae39d65  node-v20.8.0-win-x64.7z
-6afd5a7aa126f4e255f041de66c4a608f594190d34dcaba72f7b348d2410ca66  node-v20.8.0-win-x64.zip
-93b1e13ed8ffce4214e2549daed15ab5a0cae1559164700ac9d90ab2626cfd35  node-v20.8.0-win-x86.7z
-6b3d1d5ed4b1c6220fa1c55943d923977a8cda90808af0d16d7956727f0cd275  node-v20.8.0-win-x86.zip
-83e4bad748d667799d8bb0a8cb8068c4c7ce702825d27d464cbdf746b8ae5682  node-v20.8.0-x64.msi
-34143ccf8409fd219590d54f4c6c016153699721d15299f76cbe18a0e8652795  node-v20.8.0-x86.msi
-701c5023d9a63b49d5e6a09793c5d80521252eb1ce088a8634b3e91b08271737  win-arm64/node.exe
-eab9876602b7187761bbbef60be4d67194d51fc5be949e076a10e357573451f6  win-arm64/node.lib
-9e6227bb37aee49f48478b42ad82c4777643d438c25503f4ff6640212d556c3d  win-arm64/node_pdb.7z
-1def19747c1c7b8ae98b2bb15b10ea2c6d8d649a221473ca3bf3daef3ccf433e  win-arm64/node_pdb.zip
-5f259ef0e934281c92e493555eff65595e679a0ca1697b0e220805b41422f2cd  win-x64/node.exe
+eea26c68c1f4799fc3ac3f2da9bfd4038b987d51d19d9c4ba8b145b3eee53c7d  node-v20.8.1-aix-ppc64.tar.gz
+93a5796c02c4e97378d6d0e2fcd8ac7b39418d97c21cf9aa6d9aa605814a1bff  node-v20.8.1-arm64.msi
+5451f3651c89cd8f224e74961c84e68f4c8d63fe288431a3223b0465cc8b961e  node-v20.8.1-darwin-arm64.tar.gz
+147e700ec86f8dbb8428600675673de303eb8710273b531031e5e9f3cde64644  node-v20.8.1-darwin-arm64.tar.xz
+92b00b357c311eb45dd86516b032d80c63894aa069821c3ae3c8b3bbd00fdb9a  node-v20.8.1-darwin-x64.tar.gz
+679843744b44ac897479fd53340fdc6d96e5b5c139e90b9cdcbad8a403eaf807  node-v20.8.1-darwin-x64.tar.xz
+b2db83feb961721f17142e792643974b04456cf2da34c22da3ac29cd00123226  node-v20.8.1-headers.tar.gz
+298e41b8d7fd17738049f9c5f6e315bb0f935ab90f9b542d1a55cf6488cc3d67  node-v20.8.1-headers.tar.xz
+c0420fef5f6e637888be3f400e99297bb844932166fbad5ffa4f188ce59cfcdf  node-v20.8.1-linux-arm64.tar.gz
+fec6edefa7ff959b29c7887735582ff2a2211b36a65a539da0f37db6797b7cff  node-v20.8.1-linux-arm64.tar.xz
+679fb1cc74ecc460b4a8178b90be2847af28ee817fa2f39d986c832405c0ee1e  node-v20.8.1-linux-armv7l.tar.gz
+f8370aaecd2cc2f26f8571aed7ffcf8efb6dc884a9a5e8e7a5e225e5ccfe6b74  node-v20.8.1-linux-armv7l.tar.xz
+162bbf69b2c1aefc8163c371324cfd70582b8527e7623436d6e53823987a23d2  node-v20.8.1-linux-ppc64le.tar.gz
+648d80fcb4a160e3078a66b3fc8c8eac669d28de3cfa533abed0bf8cb5af5785  node-v20.8.1-linux-ppc64le.tar.xz
+d6a384293f18ba49b7507b67ce2ca1958050930768cae817d4705c3d3e672af2  node-v20.8.1-linux-s390x.tar.gz
+4aa14458f2bac422989cc4526c431b14743c2f07889559fd1f2163cc6f3071f4  node-v20.8.1-linux-s390x.tar.xz
+a42ac1f81704b14c7d07ddde989a8e290087b0487ee3f47185eb0240ba518195  node-v20.8.1-linux-x64.tar.gz
+44096f6276cf735f3b25f47ffaaa1629b0abad4d9932c3a77d9dcdc743a3ff92  node-v20.8.1-linux-x64.tar.xz
+abd016ae0dd943b196510e67277542c9cd31d24fbfa6834116a485d2c1d2b882  node-v20.8.1-win-arm64.7z
+fbf7709c815f37577995d04b2cc41764033f06545c2c142d253ed257fe497960  node-v20.8.1-win-arm64.zip
+6b3cb0e8d347ac52f0c45ba27a8c6f099b8053f18dfe7f6802e21c0b312aaedf  node-v20.8.1-win-x64.7z
+90b27dab351a582edd3a8de2e8aaa80d95c41f19fe92ebbef83b9a45bac95d00  node-v20.8.1-win-x64.zip
+ea692ad4bb1e80156aa6143c39afda2cfd0d46c36e14a1e03064a5bd084f05cc  node-v20.8.1-win-x86.7z
+ba90977d0bee226db2dc89f55a3964eee4d844caef96e4db6994e1800d9c7dce  node-v20.8.1-win-x86.zip
+c364cda2bab611b08404d5f8c93913b0007b3a19830a27dee5ff5d466807f5eb  node-v20.8.1-x64.msi
+4f3daffb3124c08a31ebeca0a6b9aa4e4effcd5650c1fe1274c61343fb46689c  node-v20.8.1-x86.msi
+097897aa8489962e955700d75238230e8295fbc02a27bcdd53d4462ead2c8c7e  node-v20.8.1.pkg
+18aed385341bc16c7802e9d03189d1d0ad17b87923b2cdf11714d36534783b6a  node-v20.8.1.tar.gz
+f799c66f6a6386bb8ac2c75a378f740c455e97f1fe964393dd39c9f9f6efbc70  node-v20.8.1.tar.xz
+60a3d73fb1d376e6ed0a8b8e6734ab6c80aaa031fa023fd1be42276cc80dff93  win-arm64/node.exe
+90cb9fbf80b276f2ed039533a8b67f1aeaf204f0aaf6396b290ae9c4dcd6d690  win-arm64/node.lib
+6887174c70c5ca8941b9e2bad9b02bb5413158590ec5457f4497bb66d685a545  win-arm64/node_pdb.7z
+3824fb4b85c8f8086f0c33c4e906c1ac448cd6259949a06d6956e2b1b300befe  win-arm64/node_pdb.zip
+ccc62758d85434502141611b18af5fdbbc5c9087facaf4a7900d454f3d2fdd48  win-x64/node.exe
 45d2519b3be3655e7b52ffcee613a484c38e768a59e9b9d4f08a3580d76a768a  win-x64/node.lib
-7cfb8db4f2dea0a90b725e03d308363d2a161fbaf7ddfa583b248d0f95653043  win-x64/node_pdb.7z
-d8e13fcded6542515d4796ac4f1d90cbdaaf484003a5e4338a766f543c9412ef  win-x64/node_pdb.zip
-7cddd80bfd283aa9b89af122ff32c4d0f046cb5680482369a988490601e11716  win-x86/node.exe
-62fe4a233ba54cf69bb528cde835997a84c0d5def5f41d283e02c1e538b4ec5f  win-x86/node.lib
-dcf457f5849dbb50e798631f1bd3827dc884e3ec9ecb1fa8d5523d89b7f44025  win-x86/node_pdb.7z
-0ed977e711297e9c0ab60aeacf932d23877c651a30db7fda9c4a5909d4e18c79  win-x86/node_pdb.zip
+e98706e1126309275692c0d318a0f1c54a50ae2447c11e3bcc1c6c261dced63a  win-x64/node_pdb.7z
+9840a61ea4dea5128c20632f367e1bed2d2ace5fa008fe29b3ae28a9f4c21805  win-x64/node_pdb.zip
+1c6ddd284a55664f0b2514bed7fcfe1fafcfec06f6dd07e82fefad9bb10aac60  win-x86/node.exe
+0809f4b2f415581f7d932d80be4ac3ff7c4344421f7cccb34ff2f30c18c2ba0c  win-x86/node.lib
+63f95d51077f2dd0360c57cc4286cc74a740391b04b63fd04914583007e8cf10  win-x86/node_pdb.7z
+108b21fc46465197cb4c07df4b25143b2a5d348b30e0d64c2536472fd94cba3e  win-x86/node_pdb.zip
--- a/SHASUMS256.txt.sig
+++ b/SHASUMS256.txt.sig
--- a/fix_ci_tests.patch
+++ b/fix_ci_tests.patch
@ -2,10 +2,10 @@ Author: Adam Majer <amajer@suse.de>
 Date: Dec 20 09:18:49 UTC 2017
 Summary: Fix CI unit tests framework for OBS building

-Index: node-v20.8.0/test/parallel/test-module-loading-globalpaths.js
+Index: node-v20.8.1/test/parallel/test-module-loading-globalpaths.js
 ===================================================================
--- node-v20.8.0.orig/test/parallel/test-module-loading-globalpaths.js
-+++ node-v20.8.0/test/parallel/test-module-loading-globalpaths.js
+--- node-v20.8.1.orig/test/parallel/test-module-loading-globalpaths.js
+++ node-v20.8.1/test/parallel/test-module-loading-globalpaths.js
@@ -11,6 +11,9 @@ const { addLibraryPath } = require('../c
 
 addLibraryPath(process.env);
@ -16,10 +16,10 @@ Index: node-v20.8.0/test/parallel/test-module-loading-globalpaths.js
 if (process.argv[2] === 'child') {
   console.log(require(pkgName).string);
 } else {
-Index: node-v20.8.0/test/parallel/test-tls-passphrase.js
+Index: node-v20.8.1/test/parallel/test-tls-passphrase.js
 ===================================================================
--- node-v20.8.0.orig/test/parallel/test-tls-passphrase.js
-+++ node-v20.8.0/test/parallel/test-tls-passphrase.js
+--- node-v20.8.1.orig/test/parallel/test-tls-passphrase.js
+++ node-v20.8.1/test/parallel/test-tls-passphrase.js
@@ -223,7 +223,7 @@ server.listen(0, common.mustCall(functio
   }, onSecureConnect());
 })).unref();
@ -29,10 +29,10 @@ Index: node-v20.8.0/test/parallel/test-tls-passphrase.js
 
 // Missing passphrase
 assert.throws(function() {
-Index: node-v20.8.0/test/parallel/test-repl-envvars.js
+Index: node-v20.8.1/test/parallel/test-repl-envvars.js
 ===================================================================
--- node-v20.8.0.orig/test/parallel/test-repl-envvars.js
-+++ node-v20.8.0/test/parallel/test-repl-envvars.js
+--- node-v20.8.1.orig/test/parallel/test-repl-envvars.js
+++ node-v20.8.1/test/parallel/test-repl-envvars.js
@@ -2,7 +2,9 @@
 
 // Flags: --expose-internals
@ -44,10 +44,10 @@ Index: node-v20.8.0/test/parallel/test-repl-envvars.js
 const stream = require('stream');
 const { describe, test } = require('node:test');
 const REPL = require('internal/repl');
-Index: node-v20.8.0/Makefile
+Index: node-v20.8.1/Makefile
 ===================================================================
--- node-v20.8.0.orig/Makefile
-+++ node-v20.8.0/Makefile
+--- node-v20.8.1.orig/Makefile
+++ node-v20.8.1/Makefile
@@ -545,7 +545,8 @@ test-ci-js: | clear-stalled
 .PHONY: test-ci
 # Related CI jobs: most CI tests, excluding node-test-commit-arm-fanned
@ -68,10 +68,10 @@ Index: node-v20.8.0/Makefile
 		echo "Skipping tools/doc/node_modules (no crypto)"; \
 	else \
 		cd tools/doc && $(call available-node,$(run-npm-ci)) \
-Index: node-v20.8.0/tools/test.py
+Index: node-v20.8.1/tools/test.py
 ===================================================================
--- node-v20.8.0.orig/tools/test.py
-+++ node-v20.8.0/tools/test.py
+--- node-v20.8.1.orig/tools/test.py
+++ node-v20.8.1/tools/test.py
@@ -1361,7 +1361,7 @@ def BuildOptions():
   result.add_option("-s", "--suite", help="A test suite",
       default=[], action="append")
@ -81,10 +81,10 @@ Index: node-v20.8.0/tools/test.py
   result.add_option("--arch", help='The architecture to run tests for',
       default='none')
   result.add_option("--snapshot", help="Run the tests with snapshot turned on",
-Index: node-v20.8.0/test/parallel/test-crypto-dh.js
+Index: node-v20.8.1/test/parallel/test-crypto-dh.js
 ===================================================================
--- node-v20.8.0.orig/test/parallel/test-crypto-dh.js
-+++ node-v20.8.0/test/parallel/test-crypto-dh.js
+--- node-v20.8.1.orig/test/parallel/test-crypto-dh.js
+++ node-v20.8.1/test/parallel/test-crypto-dh.js
@@ -89,7 +89,7 @@ const crypto = require('crypto');
     dh3.computeSecret('');
   }, { message: common.hasOpenSSL3 ?
--- a/node-v20.8.0.tar.xz
+++ b/node-v20.8.0.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:412be847ae6df61010ba9da3cc3e6be5b67aa002e354e919f59ec8360371704c
-size 41855692
--- a/node-v20.8.1.tar.xz
+++ b/node-v20.8.1.tar.xz
--- a/nodejs20.changes
+++ b/nodejs20.changes
@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Mon Oct 16 09:28:06 UTC 2023 - Adam Majer <adam.majer@suse.de> - 20.8.1
+
+- Security fixes relase 20.8.1
+  * (CVE-2023-44487, bsc#1216190): nghttp2 Security Release
+  * (CVE-2023-45143, bsc#1216205): undici Security Release
+  * (CVE-2023-39332, bsc#1216271): Path traversal through path stored in Uint8Array
+  * (CVE-2023-39331, bsc#1216270): Permission model improperly protects against path traversal
+  * (CVE-2023-38552, bsc#1216272): Integrity checks according to policies can be circumvented
+  * (CVE-2023-39333, bsc#1216273): Code injection via WebAssembly export names
+
+- fix_ci_tests.patch: refreshed
+
 -------------------------------------------------------------------
 Thu Oct  5 13:45:41 UTC 2023 - Adam Majer <adam.majer@suse.de> - 20.8.0

--- a/nodejs20.spec
+++ b/nodejs20.spec
@ -31,7 +31,7 @@
 %endif

 Name:           nodejs20
-Version:        20.8.0
+Version:        20.8.1
 Release:        0

 # Double DWZ memory limits
@ -315,7 +315,7 @@ Provides:       bundled(icu) = 73.2
 %if ! 0%{with intree_nghttp2}
 BuildRequires:  libnghttp2-devel >= 1.41.0
 %else
-Provides:       bundled(nghttp2) = 1.56.0
+Provides:       bundled(nghttp2) = 1.57.0
 %endif

 %if 0%{with valgrind_tests}
@ -390,7 +390,7 @@ Provides:       bundled(node-cjs-module-lexer) = 1.2.2
 Provides:       bundled(node-corepack) = 0.20.0
 Provides:       bundled(node-minimatch) = 9.0.3
 Provides:       bundled(node-streamsearch) = 1.1.0
-Provides:       bundled(node-undici) = 5.25.2
+Provides:       bundled(node-undici) = 5.26.3
 Provides:       bundled(node-undici-types) = 5.25.1

 %description