Accepting request 1094364 from devel:languages:nodejs

- Update to version 20.3.1 (security fixes only). The following CVEs are fixed in this release: * (CVE-2023-30581, bsc#1212574): mainModule.__proto__ Bypass Experimental Policy Mechanism (High) * (CVE-2023-30584, bsc#1212575): Path Traversal Bypass in Experimental Permission Model (High) * (CVE-2023-30587, bsc#1212576): Bypass of Experimental Permission Model via Node.js Inspector (High) * (CVE-2023-30582, bsc#1212577): Inadequate Permission Model Allows Unauthorized File Watching (Medium) * (CVE-2023-30583, bsc#1212578): Bypass of Experimental Permission Model via fs.openAsBlob() (Medium) * (CVE-2023-30585, bsc#1212579): Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (Medium) * (CVE-2023-30586, bsc#1212580): Bypass of Experimental Permission Model via Arbitrary OpenSSL Engines (Medium) * (CVE-2023-30588, bsc#1212581): Process interuption due to invalid Public Key information in x509 certificates (Medium) * (CVE-2023-30589, bsc#1212582): HTTP Request Smuggling via Empty headers separated by CR (Medium) * (CVE-2023-30590, bsc#1212583): DiffieHellman does not generate keys after setting a private key (Medium) OBS-URL: https://build.opensuse.org/request/show/1094364 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/nodejs20?expand=0&rev=7
2023-06-22 21:24:41 +00:00 · 2023-06-22 21:24:41 +00:00 · bac0238f0c
commit bac0238f0c
parent b31b0ec054 86bbf8af98
6 changed files with 71 additions and 44 deletions
--- a/SHASUMS256.txt
+++ b/SHASUMS256.txt
@ -1,41 +1,41 @@
-45375449725aa845f605a77e6ff88886a2f73294183e82ea8d38e0c24722f853  node-v20.3.0-aix-ppc64.tar.gz
-ce9af071a58909f81a0601b976c688ef04a027442b1bca2baa35445efca53b2d  node-v20.3.0-arm64.msi
-25d5db6192ebcb7013f4138c71a7c423d0da33f28149d28b3b6df7c00527dd40  node-v20.3.0-darwin-arm64.tar.gz
-c45ff3a1c6a3d69fde8fb8023ec21b987e5c56d5bd3d527ecde0932378e562af  node-v20.3.0-darwin-arm64.tar.xz
-24293d0217f009cbf821e5f399dcf72c1df2cb27f70cb1f05fd07af2ee6ad2c2  node-v20.3.0-darwin-x64.tar.gz
-f26e9e3f1fb8bd603b879ae7e81fdf6bcc3ee97a15afa4c5af3e88fab7fb7368  node-v20.3.0-darwin-x64.tar.xz
-01015dffc18bc86e56b3d59773391cc812cd0ce8e69d96e23b2e9a6540f43340  node-v20.3.0-headers.tar.gz
-729408bc7548f384412a8744c579bc4fecb1452cba1bc4e4f57e5b1198bd4cd2  node-v20.3.0-headers.tar.xz
-c3476b293f3b26a14163184171896ef17dc33ee26a208256170556b493a2b2c5  node-v20.3.0-linux-arm64.tar.gz
-9b661e54f8ea73a3b0a1c92c2af32cf020f67f2c123789539fb343f2a1e36ffd  node-v20.3.0-linux-arm64.tar.xz
-25a06a1477cd5c91e4b69d86bae03890d80e07c996c677032de4278fa389eed3  node-v20.3.0-linux-armv7l.tar.gz
-7efca84caaaf9003bb6adc7cfee3c13048891494e928018f6994cb4b7887176d  node-v20.3.0-linux-armv7l.tar.xz
-36ccc8c274d00a5eb195477b62cacc9aec0e1f56a6965b07c9de7f28a67ca52b  node-v20.3.0-linux-ppc64le.tar.gz
-620662ccf99973835cecc8d6c16f5d20c5af8d76f5da18deb21f41cef78e985e  node-v20.3.0-linux-ppc64le.tar.xz
-02e287c74218d6418af5173a641f8b78d7539e11e96c2af4bf946437c9833e0c  node-v20.3.0-linux-s390x.tar.gz
-26444015212c8e6cc00516826de48ae9447015405f7890ce053c77c61f4dd6c2  node-v20.3.0-linux-s390x.tar.xz
-80238ee1a9dee6b0d5d1081503c6fdd1c7f81bdf4ca6abd90aa5a568712a2eaa  node-v20.3.0-linux-x64.tar.gz
-2dd1f5c0e01732024ba1f5de4517fa3976eb0976fa7976ff687ec09b62dd73fa  node-v20.3.0-linux-x64.tar.xz
-7fe22ee0fc446ed2e2cc153947ed7861a83a5c8b5182d86f80314049d0ed4172  node-v20.3.0.pkg
-2f5f80be36315a2dd4a0da123597c3cbbba2b0ec19ba7832bf93414b1a645ca4  node-v20.3.0.tar.gz
-1ba8d49423ed3a75729066bb3ea26493ee9cb7d6568ef948597fc9ef454f7435  node-v20.3.0.tar.xz
-15297e64b07742719cceca13acb66b067c06e7d610114d85834a2e33eb58e11f  node-v20.3.0-win-arm64.7z
-700065af61429edc88ed714f1e2e64fe476a289ccc30d4345b7f6472a9b943b4  node-v20.3.0-win-arm64.zip
-b8bda54d0936e2295dd3267dba7d61903af92a0427dac56251047fed2e8ff05f  node-v20.3.0-win-x64.7z
-43be53f9f4d6fa19e27efdb724e10cbdf3c7abfaebe0d852af62fc80c6f465a2  node-v20.3.0-win-x64.zip
-32f63af144aa64c5fbe83a26dced8305934063393e34886aec7abf4e1d6637d8  node-v20.3.0-win-x86.7z
-56699afcf06278f8b136a325bc34e5dbaf1cf836f57030630496fa28fe853e6f  node-v20.3.0-win-x86.zip
-9a8404fc31d9dce5a490a31f8624c3fc6f8adeee7686f255d0fe031c80188c04  node-v20.3.0-x64.msi
-015e02672d93f5cc162a690cd5010df5cd45a46f884f97d0e7be8875feb71355  node-v20.3.0-x86.msi
-6efd7b085f4b6e7b893963e34522dda7c01d8bcfd6bdb7ceeda7734a39c63242  win-arm64/node.exe
+74408b56e0a20601cd073e52f90ffcafeb8d63a4e8deb8583fc3f0d26b502081  node-v20.3.1-aix-ppc64.tar.gz
+fe48243bff912a26a76a7d5553c6f848a8b738c05ca976738d3a49af5621a584  node-v20.3.1-arm64.msi
+fabf0d5bde4e1c16b6b96c310115425508c3750cd2b1d2992fa03d52b0050cf1  node-v20.3.1-darwin-arm64.tar.gz
+5b9ba231a2502f9369295454a80e85468225f2695289ed163870a675eb5ed29f  node-v20.3.1-darwin-arm64.tar.xz
+fd2be29c8e17ef1460a3c67b5fd36ead27159367a8958fae8fe8f3945465e0db  node-v20.3.1-darwin-x64.tar.gz
+37684d83976612774f553e428a1f2610fb7efb270cca32657950c6e2542b250b  node-v20.3.1-darwin-x64.tar.xz
+0e5265e18039399e4e4e013622d5cd5878f3aa9e7d96fc551a74713e0ea447c2  node-v20.3.1-headers.tar.gz
+c5d8b256a6acd91178342cb4634d0f1652a6aceb32565a72f99c71d69dd22550  node-v20.3.1-headers.tar.xz
+4785061286dccf43cef673d8f9fec637f7a27d7e4c5b075f393e99ae13089f17  node-v20.3.1-linux-arm64.tar.gz
+75f820e7e0c460d902eb2c35716d158c06a4692e69f9a6cf2be30a721d7e0b42  node-v20.3.1-linux-arm64.tar.xz
+f9f8fa6e90e341b2e334589fea5247dfffada4b8ac1eecfb1577b3bbc538f2de  node-v20.3.1-linux-armv7l.tar.gz
+55d405b0ce92fe85a2604c56e92757ba255fff698f7e7d1bc5c9a3f5efcc966c  node-v20.3.1-linux-armv7l.tar.xz
+6e786adcc4bce1d790af579829d29d11a59221c608b760fe5ba2557ee8e3c2c4  node-v20.3.1-linux-ppc64le.tar.gz
+8463ced01d4aa008be5c699ac4c0f75edac341d6da3bb4c34d5e708bc164e660  node-v20.3.1-linux-ppc64le.tar.xz
+4fe866b2e8f001d0861a3042d3778189ccbc494dfe7fb1c0b6af9ff8e5086ff4  node-v20.3.1-linux-s390x.tar.gz
+62737d306d1a3c25b794a362a354092cbce5f04f22f9e8f5cfd61e95aecd487e  node-v20.3.1-linux-s390x.tar.xz
+100507c0c4b4cf2f0661ab8ca79b21790c20a4aae24859e9ab60b7d95fbfd740  node-v20.3.1-linux-x64.tar.gz
+a9f94435763f9c0128a8b6282ccbeefd0413a96e78e4427cfb7831d150c50334  node-v20.3.1-linux-x64.tar.xz
+44ef9d3ceac5b7903948923bebc737bd062116a9768e2f620a0ccf034a0fcdf4  node-v20.3.1.pkg
+785cfbf77998a96949d626f7bc63bc0b8e4737eb5dd2054b2e58d876904f5443  node-v20.3.1.tar.gz
+12a82db306697959b4389b351a5f97848986b1313f9901b0e0b3d8cf4f3f9991  node-v20.3.1.tar.xz
+569cb80351832ec3c1e38d61dabbe18d49f18cf20d658845d129c75d67e6e664  node-v20.3.1-win-arm64.7z
+3ded6baf40440d762928d44df7d05d7c3f0c210a0240b8e5bb65ef3d9ad10edd  node-v20.3.1-win-arm64.zip
+79a85bb3758bfaba66df3abda9e2f29c6ceb65ceedd19d5a5e589c92835b24d5  node-v20.3.1-win-x64.7z
+b9660cf19136d6cfce9d5ec1bd7b8b7dcc5642fe5fb8c5ddde78dc0aba216dd5  node-v20.3.1-win-x64.zip
+72657860e268ca1b778a249531cda920800851c252d9f3680201796f45dc76da  node-v20.3.1-win-x86.7z
+69dce73312904b19b4a9b011bccfc47d05b8ebf05b07dcb58246f8d9c7f91e5b  node-v20.3.1-win-x86.zip
+4afe2af88b327173910085d25645e84bf7986d5849db2872b1e304ffd96e295a  node-v20.3.1-x64.msi
+6371129462ec79c6463be74bbd792bbb8071bf333d43fd8aa510d747da670fb4  node-v20.3.1-x86.msi
+2b1965d736fcdf590c07751948c84b5936d9e09ae2a00d4cd0d307b965437cd9  win-arm64/node.exe
 7d27551370e78fdf44e4e515458ad33d0c39983985853649fb01368999172662  win-arm64/node.lib
-380bde84e409dde3044421ff4ffe49ac4a9f4ffa1a5d58827f44f0c3b1d76aa8  win-arm64/node_pdb.7z
-ff756fde597c62d1a679e6e8843d2131e75d1bf68f65e1e875dcd609ce9c694a  win-arm64/node_pdb.zip
-8b56881aa5cc919897a217106713d4e34697143ba41170e632a482c3c2e891b4  win-x64/node.exe
+44589d9a922591ea1ec4c4a98f77f99cbeae9928ad26c10ec21d6012afc5a48a  win-arm64/node_pdb.7z
+172e8df848141efa31a92ebbb8a557b314b6d97ada7f73cfd49b5397a2dc978d  win-arm64/node_pdb.zip
+016669a5da40b058c02e4a61a990dec2b4ad4d6fc071eeebdd8d07db4d2601db  win-x64/node.exe
 68a3ed4ccb2780dda353f609ec83ff6d6dc02a399f1dfed6621ae8c1f39a5788  win-x64/node.lib
-6e62f3bdc215761372dc38f4c044b4de8bceb16f3d4b1fb5b87cc5764946ef6a  win-x64/node_pdb.7z
-8483f149955a344d3faa6c4659f680f11bfa23757c146fd3c9d510e01340b75c  win-x64/node_pdb.zip
-47c59d9a2ad4924b7886d54af9cd8454129f26d88c30895023b4ef1807940b42  win-x86/node.exe
+7c3a5f02900047ef8451ac4cc134803960f80e2373fe187a8567d505f9b8415b  win-x64/node_pdb.7z
+44c07769d543b300f3a59f34e5deb428fa2454da9a55114ed945133cc9a4e702  win-x64/node_pdb.zip
+38022d2ed2a9cb86998dfbd0e3bb2983e4eabaedbec81949223c2e27a5d4ecc4  win-x86/node.exe
 13fb4b75d9e6fdf5a708b4dc8ea4ca60b565e4a3235514870e4b369e26fade5f  win-x86/node.lib
-40f0966f25b91837d9be795b20cd21c45d9f6b46258838fb62796cec4eb0d90d  win-x86/node_pdb.7z
-122c5f8f61a3cb53454e269c0ab7e131bdc89a549b1c446be3b2ed64286bd03f  win-x86/node_pdb.zip
+2c5750f21ca050a0a7d179970b11d2c54458492166905e7748bd2307c19b2771  win-x86/node_pdb.7z
+834cb5cd72a281f01dc5273bd47818f12d00a5efacc315dc3addaeb91920a2de  win-x86/node_pdb.zip
--- a/SHASUMS256.txt.sig
+++ b/SHASUMS256.txt.sig
--- a/node-v20.3.0.tar.xz
+++ b/node-v20.3.0.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:1ba8d49423ed3a75729066bb3ea26493ee9cb7d6568ef948597fc9ef454f7435
-size 41709484
--- a/node-v20.3.1.tar.xz
+++ b/node-v20.3.1.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:12a82db306697959b4389b351a5f97848986b1313f9901b0e0b3d8cf4f3f9991
+size 41712208
--- a/nodejs20.changes
+++ b/nodejs20.changes
@ -1,3 +1,30 @@
+-------------------------------------------------------------------
+Wed Jun 21 11:24:39 UTC 2023 - Adam Majer <adam.majer@suse.de>
+
+- Update to version 20.3.1 (security fixes only). The following
+  CVEs are fixed in this release:
+  * (CVE-2023-30581, bsc#1212574): mainModule.__proto__ Bypass
+    Experimental Policy Mechanism (High)
+  * (CVE-2023-30584, bsc#1212575): Path Traversal Bypass in
+    Experimental Permission Model (High)
+  * (CVE-2023-30587, bsc#1212576): Bypass of Experimental
+    Permission Model via Node.js Inspector (High)
+  * (CVE-2023-30582, bsc#1212577): Inadequate Permission Model
+    Allows Unauthorized File Watching (Medium)
+  * (CVE-2023-30583, bsc#1212578): Bypass of Experimental
+    Permission Model via fs.openAsBlob() (Medium)
+  * (CVE-2023-30585, bsc#1212579): Privilege escalation via
+    Malicious Registry Key manipulation during Node.js
+    installer repair process (Medium)
+  * (CVE-2023-30586, bsc#1212580): Bypass of Experimental
+    Permission Model via Arbitrary OpenSSL Engines (Medium)
+  * (CVE-2023-30588, bsc#1212581): Process interuption due to invalid
+    Public Key information in x509 certificates (Medium)
+  * (CVE-2023-30589, bsc#1212582): HTTP Request Smuggling via
+    Empty headers separated by CR (Medium)
+  * (CVE-2023-30590, bsc#1212583): DiffieHellman does not
+    generate keys after setting a private key (Medium)
+
 -------------------------------------------------------------------
 Thu Jun 15 11:25:18 UTC 2023 - Adam Majer <adam.majer@suse.de>

--- a/nodejs20.spec
+++ b/nodejs20.spec
@ -31,7 +31,7 @@
 %endif

 Name:           nodejs20
-Version:        20.3.0
+Version:        20.3.1
 Release:        0

 # Double DWZ memory limits
@ -293,7 +293,7 @@ BuildRequires:  openssl >= %{openssl_req_ver}
 %else
 # bundled openssl
 %if %node_version_number <= 12 && 0%{?suse_version} == 1315 && 0%{?sle_version} < 120400
-Provides:       bundled(openssl) = 3.0.8
+Provides:       bundled(openssl) = 3.0.9
 %else
 BuildRequires:  bundled_openssl_should_not_be_required
 %endif
@ -375,7 +375,7 @@ BuildRequires:  pkgconfig(libbrotlidec)
 %endif


-Provides:       bundled(llhttp) = 8.1.0
+Provides:       bundled(llhttp) = 8.1.1
 Provides:       bundled(ngtcp2) = 0.8.1
 Provides:       bundled(base64) = 0.5.0
 Provides:       bundled(simdutf) = 3.2.12