Experimental Policy Mechanism (CVE-2023-30581, bsc#1212574)
- CVE-2023-30589.patch: HTTP Request Smuggling via empty headers
separated by CR (CVE-2023-30589, bsc#1212582)
- CVE-2023-30590.patch: DiffieHellman does not generate keys
after setting a private key (CVE-2023-30590, bsc#1212583)
- CVE-2023-23918.patch: fixes permissions policies can be
bypassed via process.mainModule (bsc#1208481, CVE-2023-23918)
- CVE-2023-32002.patch:
+ fixes policies can be bypassed via Module._load
+ fixes policies can be bypassed by module.constructor.createRequire
(CVE-2023-32002, CVE-2023-32006, bsc#1214150, bsc#1214156)
- CVE-2023-32559.patch: Policies can be bypassed via
process.binding (CVE-2023-32559, bsc#1214154)
OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs12?expand=0&rev=150
(bsc#1198247, CVE-2021-44906)
- CVE-2021-44907.patch: fix insufficient sanitization in npm dependency
(bsc#1197283, CVE-2021-44907)
- CVE-2022-0235.patch: fix passing of cookie data and sensitive headers
to different hostnames in node-fetch-npm (bsc#1194819, CVE-2022-0235)
OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs12?expand=0&rev=141
* deps: update llhttp to 2.1.4
- HTTP Request Smuggling due to spaces in headers
(bsc#1191601, CVE-2021-22959)
- HTTP Request Smuggling when parsing the body
(bsc#1191602, CVE-2021-22960)
- changes in 12.22.6:
* deps: upgrade npm to 6.14.15 which fixes a number of
security issues
(bsc#1190057, CVE-2021-37701, bsc#1190056, CVE-2021-37712,
bsc#1190055, CVE-2021-37713, bsc#1190054, CVE-2021-39134,
bsc#1190053, CVE-2021-39135)
- versioned.patch: refreshed
OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs12?expand=0&rev=135
* CVE-2021-3672/CVE-2021-22931: Improper handling of untypical
characters in domain names (bsc#1189370, bsc#1188881)
* CVE-2021-22940: Use after free on close http2 on stream canceling
(bsc#1189368)
* CVE-2021-22939: Incomplete validation of rejectUnauthorized parameter
(bsc#1189369)
- Fix-build-with-icu-69.patch: dropped, not for factory
OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs12?expand=0&rev=133
* esm: JSON module support is always enabled under
--experimental-modules. The --experimental-json-modules flag
has been removed
* http, http2: A new flag has been added for overriding
the default HTTP server socket timeout (which is two minutes).
Pass --http-server-default-timeout=milliseconds or
--http-server-default-timeout=0 to respectively change or
disable the timeout. Starting with Node.js 13.0.0,
the timeout will be disabled by default
* inspector: Added an experimental --heap-prof flag to start
the V8 heap profiler on startup and write the heap
profile to disk before exit
* stream: The readable.unshift() method now correctly converts
strings to buffers. Additionally, a new optional argument is
accepted to specify the string's encoding, such as 'utf8' or 'ascii'
* v8: The object returned by v8.getHeapStatistics() has two
new properties: number_of_native_contexts and number_of_detached_contexts
- nodejs-libpath.patch: install npx into proper directory
- versioned.patch, fix_ci_tests.patch: refreshed
OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs12?expand=0&rev=10
* deps:
+ Fix handling of +0/-0 when constant field tracking is enabled
+ Fix os.freemem() and os.totalmem() correctness
- changes in 12.3.0:
* esm: Added the --experimental-wasm-modules flag to support
WebAssembly modules
* process: Log errors using util.inspect in case of fatal exceptions
* repl: Add process.on('uncaughtException') support
* stream: Implemented Readable.from async iterator utility
* tls:
+ Expose built-in root certificates
+ Support net.Server options
+ Expose keylog event on TLSSocket
* worker: Added the ability to unshift messages from the MessagePort
- changes in 12.2.0:
* deps: Updated llhttp to 1.1.3. This fixes a bug that made
Node.js' HTTP parser refuse any request URL that contained
the "|" (vertical bar) character
* tls: Added an enableTrace() method to TLSSocket and an enableTrace
option to tls.createServer(). When enabled, TLS packet trace
information is written to stderr. This can be used to debug
TLS connection problems
* cli:
+ Added --trace-tls, which enables tracing of TLS connections
+ Added --cpu-prof-interval
* module:
+ Added the createRequire() method. The existing
createRequireFromPath() method is now deprecated
+ Throw on require('./path.mjs')
OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs12?expand=0&rev=3