nodejs/nodejs12
SHA256
6
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
nodejs12/nodejs12.changes

1001 lines
39 KiB
Plaintext
Raw Permalink Blame History

-------------------------------------------------------------------
Tue Oct 29 13:16:53 UTC 2024 - Adam Majer <adam.majer@suse.de>
- openssl31.patch: fix unit tests with OpenSSL 3.1 (bsc#1232756)
-------------------------------------------------------------------
Thu Apr 11 10:51:31 UTC 2024 - Adam Majer <adam.majer@suse.de>
- CVE-2024-27983.patch - Assertion failed in
node::http2::Http2Session::~Http2Session() leads to
HTTP/2 server crash- (High) (bsc#1222244, CVE-2024-27983)
- CVE-2024-27982.patch - HTTP Request Smuggling via Content Length
Obfuscation- (Medium) (bsc#1222384, CVE-2024-27982)
-------------------------------------------------------------------
Tue Feb 20 09:52:34 UTC 2024 - Adam Majer <adam.majer@suse.de>
* CVE-2023-46809.patch: Node.js is vulnerable to the Marvin Attack
(timing variant of the Bleichenbacher attack against
PKCS#1 v1.5 padding) - (Medium) (CVE-2023-46809, bsc#1219997)
* CVE-2024-22019.patch: http: Reading unprocessed HTTP request with
unbounded chunk extension allows DoS attacks- (High)
(CVE-2024-22019, bsc#1219993)
* CVE-2024-22025.patch: fix Denial of Service by resource exhaustion
in fetch() brotli decoding (CVE-2024-22025, bsc#1220014)
* CVE-2024-24806.patch: fix improper domain lookup that
potentially leads to SSRF attacks (CVE-2024-24806, bsc#1220053)
-------------------------------------------------------------------
Tue Oct 24 15:45:11 UTC 2023 - Adam Majer <adam.majer@suse.de>
- CVE-2023-38552.patch: Integrity checks according to policies
can be circumvented (CVE-2023-38552, bsc#1216272)
- CVE-2023-44487.patch: nghttp2 Security Release (CVE-2023-44487, bsc#1216190)
- nodejs.keyring: include new releaser keys
- newicu_test_fixup.patch: workaround whitespaces funnies in
some icu versions
-------------------------------------------------------------------
Thu Aug 17 14:58:33 UTC 2023 - Adam Majer <adam.majer@suse.de>
- CVE-2023-30581.patch: fixes mainModule.__proto__ Bypass
Experimental Policy Mechanism (CVE-2023-30581, bsc#1212574)
- CVE-2023-30589.patch: HTTP Request Smuggling via empty headers
separated by CR (CVE-2023-30589, bsc#1212582)
- CVE-2023-30590.patch: DiffieHellman does not generate keys
after setting a private key (CVE-2023-30590, bsc#1212583)
- CVE-2023-23918.patch: fixes permissions policies can be
bypassed via process.mainModule (bsc#1208481, CVE-2023-23918)
- CVE-2023-32002.patch:
+ fixes policies can be bypassed via Module._load
+ fixes policies can be bypassed by module.constructor.createRequire
(CVE-2023-32002, CVE-2023-32006, bsc#1214150, bsc#1214156)
- CVE-2023-32559.patch: Policies can be bypassed via
process.binding (CVE-2023-32559, bsc#1214154)
-------------------------------------------------------------------
Thu Apr 13 14:24:48 UTC 2023 - Adam Majer <adam.majer@suse.de>
- CVE-2022-25881.patch: http-cache-semantics(npm): Don't use regex
to trim whitespace (bsc#1208744, CVE-2022-25881)
-------------------------------------------------------------------
Wed Feb 22 11:04:43 UTC 2023 - Adam Majer <adam.majer@suse.de>
- CVE-2023-23920.patch: fixes insecure loading of ICU data
through ICU_DATA environment variable (bsc#1208487, CVE-2023-23920)
-------------------------------------------------------------------
Fri Dec 23 11:31:12 UTC 2022 - Guillaume GARDET <guillaume.gardet@opensuse.org>
- Update _constraints:
* Less RAM for aarch64 and 32-bit arm
* Use 'asimdrdm' cpu flag to use aarch64 workers where tests
are more stable
-------------------------------------------------------------------
Mon Nov 7 09:05:57 UTC 2022 - Adam Majer <adam.majer@suse.de>
- CVE-2022-43548.patch:
* inspector: DNS rebinding in --inspect via invalid octal IP
(bsc#1205119, CVE-2022-43548)
-------------------------------------------------------------------
Thu Sep 29 11:06:39 UTC 2022 - Adam Majer <adam.majer@suse.de>
- CVE-2022-35256.patch: update llhttp to 2.1.6
+ fixes CVE-2022-32213 bypass via obs-fold mechanic (bsc#1201325)
+ fixes incorrect parsing of header fields (CVE-2022-35256, bsc#1203832)
-------------------------------------------------------------------
Mon Jul 11 15:10:25 UTC 2022 - Adam Majer <adam.majer@suse.de>
- CVE-2022-32213.patch: http: stricter Transfer-Encoding and header separator parsing
(bsc#1201325, bsc#1201326, bsc#1201327, CVE-2022-32213,
CVE-2022-32214, CVE-2022-32215)
- CVE-2022-32212.patch: fix IPv4 validation in inspector_socket
(bsc#1201328, CVE-2022-32212)
- openssl_update.patch: deps: update openssl to 1.1.1q
affecting SLE-12 codestream only
(bsc#1201099, CVE-2022-2097)
-------------------------------------------------------------------
Wed Apr 20 11:00:47 UTC 2022 - Adam Majer <adam.majer@suse.de>
- CVE-2021-44906.patch: fix prototype pollution in npm dependency
(bsc#1198247, CVE-2021-44906)
- CVE-2021-44907.patch: fix insuficient sanitation in npm dependency
(bsc#1197283, CVE-2021-44907)
- CVE-2022-0235.patch: fix passing of cookie data and sensitive headers
to different hostnames in node-fetch-npm (bsc#1194819, CVE-2022-0235)
-------------------------------------------------------------------
Wed Apr 13 13:47:37 UTC 2022 - Adam Majer <adam.majer@suse.de>
- update to 12.22.12
* node-api: avoid SecondPassCallback crash
+ fix shutdown crashes
+ make reference weak parameter an indirect link to references
+ fix crash in finalization
+ stop ref gc during environment teardown
+ force env shutdown deferring behavior
* src: fix finalization crash
-------------------------------------------------------------------
Fri Mar 18 14:48:16 UTC 2022 - Adam Majer <adam.majer@suse.de>
- update to 12.22.11
* deps: upgrade openssl sources to 1.1.1n (bsc#1196877, CVE-2022-0778)
Infinite loop in BN_mod_sqrt() reachable when parsing certificates
More details at https://www.openssl.org/news/secadv/20220315.txt
-------------------------------------------------------------------
Wed Feb 16 13:50:40 UTC 2022 - Adam Majer <adam.majer@suse.de>
- update to 12.22.10
* Upgrade npm to 6.14.16
+ CVE-2021-23343 - ReDoS via splitDeviceRe, splitTailRe and
splitPathRe (bsc#1192153)
+ CVE-2021-32803 - node-tar: Insufficient symlink protection
allowing arbitrary file creation and overwrite (bsc#1191963)
+ CVE-2021-32804 - node-tar: Insufficient absolute path sanitization
allowing arbitrary file creation and overwrite (bsc#1191962)
+ CVE-2021-3918 - json-schema is vulnerable to Improperly
Controlled Modification of Object Prototype Attributes (bsc#1192696)
* Updated ICU time zone data
- CVE-2021-3807.patch: node-ansi-regex: Regular expression
denial of service (ReDoS) matching ANSI escape codes
(bsc#1192154, CVE-2021-3807)
- versioned.patch: refreshed
- z15-test-skip.patch: dropped
- fix_ci_tests.patch: fix tests on z15
-------------------------------------------------------------------
Tue Jan 11 18:51:38 UTC 2022 - Adam Majer <adam.majer@suse.de>
- update to 12.22.9:
Security update fixing the following issues:
* Improper handling of URI Subject Alternative Names (Medium)
(CVE-2021-44531, bsc#1194511)
* Certificate Verification Bypass via String Injection (Medium)
(CVE-2021-44532, bsc#1194512)
* Incorrect handling of certificate subject and issuer fields (Medium)
(CVE-2021-44533, bsc#1194513)
* Prototype pollution via console.table properties (Low)
(CVE-2022-21824, bsc#1194514)
-------------------------------------------------------------------
Fri Jan 7 21:07:25 UTC 2022 - Adam Majer <adam.majer@suse.de>
- update to 12.22.8:
* src: fix crash in AfterGetAddrInfo
* deps: update c-ares to 1.18.1
-------------------------------------------------------------------
Fri Nov 26 12:40:52 UTC 2021 - Adam Majer <adam.majer@suse.de>
- update to 12.22.7:
* deps: update llhttp to 2.1.4
- HTTP Request Smuggling due to spaced in headers
(bsc#1191601, CVE-2021-22959)
- HTTP Request Smuggling when parsing the body
(bsc#1191602, CVE-2021-22960)
- changes in 12.22.6:
* deps: upgrade npm to 6.14.15 which fixes a number of
security issues
(bsc#1190057, CVE-2021-37701, bsc#1190056, CVE-2021-37712,
bsc#1190055, CVE-2021-37713, bsc#1190054, CVE-2021-39134,
bsc#1190053, CVE-2021-39135)
- versioned.patch: refreshed
-------------------------------------------------------------------
Thu Aug 12 13:19:17 UTC 2021 - Adam Majer <adam.majer@suse.de>
- update to 12.22.5:
* CVE-2021-3672/CVE-2021-22931: Improper handling of untypical
characters in domain names (bsc#1189370, bsc#1188881)
* CVE-2021-22940: Use after free on close http2 on stream canceling
(bsc#1189368)
* CVE-2021-22939: Incomplete validation of rejectUnauthorized parameter
(bsc#1189369)
- Fix-build-with-icu-69.patch: dropped, not for factory
- cares_public_headers.patch: don't use private headers
-------------------------------------------------------------------
Mon Aug 9 12:54:28 UTC 2021 - Adam Majer <adam.majer@suse.de>
- z15-test-skip.patch: skip problematic test on s390x
-------------------------------------------------------------------
Wed Aug 4 16:21:05 UTC 2021 - Adam Majer <adam.majer@suse.de>
- update to 12.22.4:
http2: fixes use after free on close http2 on stream canceling
(bsc#1188917, CVE-2021-22930)
deps: upgrade npm to 6.14.14
- versioned.patch: refreshed
-------------------------------------------------------------------
Tue Jul 6 08:45:07 UTC 2021 - Adam Majer <adam.majer@suse.de>
- update to 12.22.2:
* deps: libuv upgrade - Out of bounds read (Medium)
(bsc#1187973, CVE-2021-22918)
* deps: npm update to 6.14.13 fixing
ssri Regular Expression Denial of Service and hosted-git-info
Regular Expression Denial of Service
(bsc#1187976, bsc#1187977, CVE-2021-27290, CVE-2021-23362)
- specfile cleanup
-------------------------------------------------------------------
Thu Jun 10 14:16:57 UTC 2021 - Adam Majer <adam.majer@suse.de>
- Fix-build-with-icu-69.patch: fix building with ICU 69
-------------------------------------------------------------------
Mon May 31 16:27:44 UTC 2021 - Adam Majer <adam.majer@suse.de>
- Use libalternatives instead of update-alternatives
-------------------------------------------------------------------
Wed Apr 7 12:42:13 UTC 2021 - Adam Majer <adam.majer@suse.de>
- New upstream LTS version 12.22.1:
* CVE-2021-3450: OpenSSL - CA certificate check bypass with
X509_V_FLAG_X509_STRICT (High). (bsc#1183851)
* CVE-2021-3449: OpenSSL - NULL pointer deref in
signature_algorithms processing (High) (bsc#1183852)
* CVE-2020-7774: npm - Update y18n to fix Prototype-Pollution
(bsc#1184450)
- Changes in LTS version 12.22.0:
* node-api: define version 8
* http: runtime deprecate legacy HTTP parser
* v8: implement v8.stopCoverage() and v8.takeCoverage()
* worker: add eventLoopUtilization()
- versioned.patch: refreshed
-------------------------------------------------------------------
Tue Feb 23 14:48:43 UTC 2021 - Adam Majer <adam.majer@suse.de>
- New upstream LTS version 12.21.0:
* CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service
by resource exhaustion (bsc#1182619)
* CVE-2021-22884: DNS rebinding in --inspect (bsc#1182620)
* CVE-2021-23840: OpenSSL - Integer overflow in CipherUpdate
(bsc#1182333)
-------------------------------------------------------------------
Wed Feb 17 17:33:25 UTC 2021 - Adam Majer <adam.majer@suse.de>
- New upstream LTS version 12.20.2:
* deps: upgrade npm to 6.14.11
- relax OpenSSL cipher suite policies for unit tests
-------------------------------------------------------------------
Mon Jan 4 19:24:45 UTC 2021 - Adam Majer <adam.majer@suse.de>
- New upstream LTS version 12.20.1:
* CVE-2020-8265: use-after-free in TLSWrap (High) bug in TLS
implementation. When writing to a TLS enabled socket,
node::StreamBase::Write calls node::TLSWrap::DoWrite with
a freshly allocated WriteWrap object as first argument.
If the DoWrite method does not return an error, this object is
passed back to the caller as part of a StreamWriteResult structure.
This may be exploited to corrupt memory leading to a
Denial of Service or potentially other exploits (bsc#1180553)
* CVE-2020-8287: HTTP Request Smuggling allow two copies of a
header field in a http request. For example, two Transfer-Encoding
header fields. In this case Node.js identifies the first header
field and ignores the second. This can lead to HTTP Request
Smuggling (https://cwe.mitre.org/data/definitions/444.html).
(bsc#1180554)
* CVE-2020-1971: OpenSSL - EDIPARTYNAME NULL pointer de-reference
(High) This is a vulnerability in OpenSSL which may be exploited
through Node.js. (bsc#1179491)
- versioned.patch, nodejs-libpath.patch: refreshed
-------------------------------------------------------------------
Mon Nov 30 19:45:06 UTC 2020 - Adam Majer <adam.majer@suse.de>
- openssl_binary_detection.patch: fixes unit tests on SLE12
-------------------------------------------------------------------
Thu Nov 26 05:58:39 UTC 2020 - Adam Majer <adam.majer@suse.de>
- New upstream LTS version 12.20.0:
* deps:
+ update llhttp '2.1.2' -> '2.1.3'
+ update uv '1.39.0' -> '1.40.0'
+ update uvwasi '0.0.10' -> '0.0.11'
* fs: add .ref() and .unref() methods to watcher classes
* http: added scheduling option to http agent
* module:
+ exports pattern support
+ named exports for CJS via static analysis
* n-api: add more property defaults (gh#35214)
-------------------------------------------------------------------
Mon Nov 23 13:55:05 UTC 2020 - Adam Majer <adam.majer@suse.de>
- Update Requires: so -devel requires npm
- Rely on rpmbuild to define necessary python dependencies
-------------------------------------------------------------------
Thu Nov 19 11:40:30 UTC 2020 - Adam Majer <adam.majer@suse.de>
- New upstream LTS version 12.19.1:
* deps: Denial of Service through DNS request (High).
A Node.js application that allows an attacker to trigger a DNS
request for a host of their choice could trigger a Denial of Service
by getting the application to resolve a DNS record with
a larger number of responses (bsc#1178882, CVE-2020-8277)
-------------------------------------------------------------------
Fri Nov 13 15:32:36 UTC 2020 - Adam Majer <adam.majer@suse.de>
- python3.patch: allows building of node with python3 toolchain
-------------------------------------------------------------------
Fri Oct 9 09:34:28 UTC 2020 - Adam Majer <adam.majer@suse.de>
- fix_ci_tests.patch: add support to SUSE's ECDH backport errors
in SLE's openssl
-------------------------------------------------------------------
Wed Oct 7 11:28:08 UTC 2020 - Adam Majer <adam.majer@suse.de>
- New upstream LTS version 12.19.0:
* crypto: add randomInt function
* deps:
+ upgrade to libuv 1.39.0
+ deps: upgrade npm to 6.14.7
+ deps: upgrade to libuv 1.38.1
* doc: deprecate process.umask() with no arguments
* module:
+ package "imports" field
+ module: deprecate module.parent
* n-api: create N-API version 7
* zlib: switch to lazy init for zlib streams
- fix_ci_tests.patch: refreshed
- versioned.patch: refreshed
-------------------------------------------------------------------
Wed Sep 23 18:28:20 UTC 2020 - Adam Majer <adam.majer@suse.de>
- New upstream LTS version 12.18.4:
* deps:
+ update llhttp to 2.1.2 (bsc#1176605, CVE-2020-8201)
+ fs.realpath.native may cause buffer overflow
(bsc#1176589, CVE-2020-8252)
- fix_ci_tests.patch: re-add missing debug symbol removal before
running unit tests
-------------------------------------------------------------------
Mon Aug 10 16:36:26 UTC 2020 - Adam Majer <adam.majer@suse.de>
- Explicitly add -fno-strict-aliasing to CFLAGS to fix compilation
on Aarch64 with gcc10 (bsc#1172686)
-------------------------------------------------------------------
Mon Aug 3 12:18:12 UTC 2020 - Adam Majer <adam.majer@suse.de>
- New upstream LTS version 12.18.3:
deps:
* upgrade npm to 6.14.6 (claudiahdz) #34246
Fixes information leak through log files (bsc#1173937, CVE-2020-15095)
* update node-inspect to v2.0.0 (Jan Krems) #33447
* uvwasi: cherry-pick 9e75217 (Colin Ihrig) #33521
- fix_ci_tests.patch: refreshed
- versioned.patch: refreshed
-------------------------------------------------------------------
Tue Jul 28 07:13:57 UTC 2020 - Dirk Mueller <dmueller@suse.com>
- avoid rpmbuild warnings on if/else/endif constructs
-------------------------------------------------------------------
Thu Jul 2 20:39:34 UTC 2020 - Adam Majer <adam.majer@suse.de>
- New upstream LTS version 12.18.2:
* deps: V8: backport fb26d0bb1835 (Matheus Marchini) #33573
+ Fixes memory leak in PrototypeUsers::Add
* src: use symbol to store AsyncWrap resource (Anna Henningsen) #31745
+ Fixes reported memory leak (bsc#1173653)
-------------------------------------------------------------------
Thu Jun 18 14:14:40 UTC 2020 - Adam Majer <adam.majer@suse.de>
- New upstream LTS version 12.18.1:
+ deps:
* V8: cherry-pick 548f6c81d424 (Dominykas Blyžė) #33484
* update to uvwasi 0.0.9 (Colin Ihrig) #33445
* upgrade to libuv 1.38.0 (Colin Ihrig) #33446
* upgrade npm to 6.14.5 (Ruy Adorno) #33239
- skip_no_console.patch: refreshed and mostly upstreamed
- versioned.patch: refreshed
-------------------------------------------------------------------
Tue Jun 9 11:34:55 UTC 2020 - Adam Majer <adam.majer@suse.de>
- Add Require for nodejs12 when intalling npm12. (bsc#1172728)
-------------------------------------------------------------------
Thu Jun 4 11:58:49 UTC 2020 - Adam Majer <adam.majer@suse.de>
- New upstream LTS version 12.18.0:
* napi: fix various types of memory corruption in napi_get_value_string_*()
(CVE-2020-8174, bsc#1172443)
* http2: fix HTTP/2 Large Settings Frame DoS
(CVE-2020-11080, bsc#1172442)
* TLS session reuse can lead to host certificate verification bypass
(CVE-2020-8172, bsc#1172441)
- use system ICU on SLE-15
-------------------------------------------------------------------
Wed May 27 10:56:40 UTC 2020 - Adam Majer <adam.majer@suse.de>
- Update to LTS release 12.17.0:
* async-hooks: introduce async-storage API
* cli: Added a --trace-sigint CLI flag that will print the current
execution stack on SIGINT #29207.
* crypto: Various crypto APIs now support Diffie-Hellman secrets
* dns: Added the dns.ALL flag, that can be passed to dns.lookup()
with dns.V4MAPPED to return resolved IPv6 addresses as well as
IPv4 mapped IPv6 addresses #32183.
* events: It is now possible to monitor 'error' events on an EventEmitter
without consuming the emitted error by installing a listener
using the symbol EventEmitter.errorMonitor
* http,https: The default value of server.headersTimeout for
http and https servers was increased from 40000 to 60000ms
* process: It is now possible to monitor 'uncaughtException'
events without overriding the default behavior
* repl:
+ Added REPL substring-based search
+ Added preview
+ Added reverse-i-search
* module: Added a new experimental API to interact with
Source Map V3 data #31132.
* worker: Added support for passing a transferList along
with workerData to the Worker constructor #32278.
For further information, please see
https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V12.md#12.17.0
- icu-v67.patch: upstreamed
- skip_no_console.patch, versioned.patch: refreshed
-------------------------------------------------------------------
Wed May 13 04:19:25 UTC 2020 - Ismail Dönmez <idonmez@suse.com>
- Add icu-v67.patch to fix build with icu v67
-------------------------------------------------------------------
Mon May 4 12:28:44 UTC 2020 - Adam Majer <adam.majer@suse.de>
- Reduce Requires to Recommends on nodejs12-devel when installing npm12
-------------------------------------------------------------------
Tue Apr 28 15:30:09 UTC 2020 - Adam Majer <adam.majer@suse.de>
- Update to LTS release 12.16.3:
* deps:
+ Updated OpenSSL to 1.1.1g
+ Updated c-ares to 1.16.0
+ Updated experimental uvwasi to 0.0.6
* ESM (experimental): Additional warnings are no longer printed
for modules that use conditional exports or package name self resolution
- fix_ci_tests.patch: refreshed
-------------------------------------------------------------------
Mon Apr 27 13:15:17 UTC 2020 - Adam Majer <adam.majer@suse.de>
- Update to LTS release 12.16.2:
* deps:
+ upgrade npm to 6.13.6 (bsc#1166916, CVE-2020-7598)
+ update openssl to 1.1.1e
- openssl_rand_regression.patch, wasi_compile_flags.patch: upstreamed
- versioned.patch, fix_ci_tests.patch: refreshed
- linker_lto_jobs.patch: serialize linker during build
-------------------------------------------------------------------
Mon Mar 2 09:43:10 UTC 2020 - Adam Majer <adam.majer@suse.de>
- openssl_rand_regression.patch: Add getrandom syscall definition
for all Linux platforms. This fixes a runtime error in SLE-12
(bnc#1162117)
-------------------------------------------------------------------
Wed Feb 19 13:41:50 UTC 2020 - Adam Majer <adam.majer@suse.de>
- Update to LTS release 12.16.1:
* Reverted regressions from 12.16.0
+ accidental unflagging of self resolving modules - it now requires
--experimental-modules flag to enable.
+ process cleanup changes introduced WASM-Related assertion
+ use of largepages runtime option introduced linking failure
+ async_hooks was causing an exception when handling errors
+ enumerable Read-Only property on EventEmitter breaks @types/extend
+ exceptions in the HTTP parser were not emitting as an uncaughtException
-------------------------------------------------------------------
Wed Feb 12 10:12:13 UTC 2020 - Adam Majer <adam.majer@suse.de>
- Update to LTS release 12.16.0:
* assert: add experimental assert.match() and assert.doesNotMatch()
methods. These allow matching vs. provided regular expressions.
* child_process, cluster: now support serialization option to
allow for custom serialization mechanism for IPC.
* cli: add --trace-edit and --trance-uncaught flags
* crypto:
+ added support for 'ieee-p1363' signature type for DSA and ECDSA
in addition to DER
+ Added Hash.prototype.copy making it possibly to clone internal
state of Hash object. This allows digest computation between
updates.
* deps:
+ libuv was updated to 1.34.0
+ V8 was updated to 7.8.279.23 - for official changes, see
https://v8.dev/blog/v8-release-78
* events:
+ add EventEmitter.on to async iterate over events
+ allow monitoring error events via EventEmitter.errorMonitor
+ add experimental method to captureRejections for async handlers
* perf_hooks: now considered stable API
* wasi: Add new core module for WebAssebly System Interface as
an experimental feature.
- wasi_compile_flags.patch: fix header inclusions in uvwasi dependency
-------------------------------------------------------------------
Fri Feb 7 10:38:50 UTC 2020 - Adam Majer <adam.majer@suse.de>
- Update to LTS release 12.15.0:
* fixes a remotely triggerable assertion on a TLS server via a
crafted certificate string (CVE-2019-15604, bsc#1163104)
* fixes an HTTP request smuggling vulnerability via malformed
Transfer-Encoding header (CVE-2019-15605, bsc#1163102)
* trim HTTP header values of optional white space
(CVE-2019-15606, bsc#1163103)
* enabled stricter HTTP header parsing by default.
- fix_ci_tests.patch: refreshed
-------------------------------------------------------------------
Thu Jan 9 10:42:21 UTC 2020 - Adam Majer <adam.majer@suse.de>
- Update to LTS release 12.14.1:
* crypto: fix key requirements in asymmetric cipher
* deps:
+ update llhttp to 2.0.1
+ update nghttp2 to 1.40.0
* v8: mark serdes API as stable
- nodejs-libpath.patch: refreshed
-------------------------------------------------------------------
Tue Jan 7 13:12:10 UTC 2020 - Guillaume GARDET <guillaume.gardet@opensuse.org>
- Really disable LTO when required (nodejs < 12)
-------------------------------------------------------------------
Thu Dec 19 13:56:54 UTC 2019 - Adam Majer <adam.majer@suse.de>
- Update to LTS release 12.14.0:
* deps: update npm to 6.13.4 fixing an arbitrary path overwrite
and access via "bin" field (bsc#1159352, CVE-2019-16777,
CVE-2019-16776, CVE-2019-16775)
- refreshed: fix_ci_tests.patch versioned.patch
-------------------------------------------------------------------
Tue Nov 19 12:00:42 UTC 2019 - Adam Majer <adam.majer@suse.de>
- Update to LTS release 12.13.1:
* improved experimental support for building Node.js with Python3
* ICU time zone data is updated to version 2019c - fixing TZ
offset for Brazil
* deps:
+ upgrade to libuv 1.33.1
+ upgrade npm to 6.12.1
-------------------------------------------------------------------
Tue Nov 5 08:27:58 UTC 2019 - Adam Majer <adam.majer@suse.de>
- skip_no_console.patch: skip tests with dumb console
- versioned.patch: fix symlinks
-------------------------------------------------------------------
Mon Oct 21 12:27:14 UTC 2019 - Adam Majer <adam.majer@suse.de>
- Update to LTS release 12.13.0 (jsc#SLE-8947):
* deps: update npm to 6.12.0
* doc:
+ fix --enable-source-maps flag in v12.12.0 changelog
+ set module version 72 to node 12
+ fix tls version values
* fs: do not emit 'finish' before 'open' on write empty file
- versioned.patch: refreshed
-------------------------------------------------------------------
Mon Oct 14 13:01:24 UTC 2019 - Adam Majer <adam.majer@suse.de>
- Update to 12.12.0:
* depreciations: Add documentation-only deprecation for
process._tickCallback()
* esm: Using JSON modules is experimental again
* fs: Introduce opendir() and fs.Dir to iterate through directories
* process: Add source-map support to stack traces by using
--enable-source-maps
* tls:
+ Honor pauseOnConnect option
+ Add option for private keys for OpenSSL engines
- fix_build_with_openssl_1.1.1d.patch: upstreamed
-------------------------------------------------------------------
Mon Oct 14 11:42:48 UTC 2019 - Adam Majer <adam.majer@suse.de>
- Update to 12.11.1:
* build: fixed building
* deps: Updated small-icu data to support "unit" style in the
Intl.NumberFormat API
- Remove unsupported 32-bit architectures
- fix_ci_tests.patch: correct build with SUSE backport of KDF
patches to OpenSSL 1.1.1d
-------------------------------------------------------------------
Thu Sep 26 15:25:35 UTC 2019 - Adam Majer <adam.majer@suse.de>
- Update to 12.11.0:
* crypto: Add oaepLabel option
* deps: updated V8 to 7.7.299.11
+ More efficient memory handling
+ Stack trace serialization got faster
+ The Intl.NumberFormat - API gained new functionality
+ more information: https://v8.dev/blog/v8-release-77
* events: Add support for EventTarget in once
* fs: Expose memory file mapping flag UV_FS_O_FILEMAP
* inspector: New API - Session.connectToMainThread
* process: Initial SourceMap support via env.NODE_V8_COVERAGE
* stream: Make _write() optional when _writev() is implemented
* tls: Add option to override signature algorithms
* util: Add encodeInto to TextEncoder
* worker: The worker_thread module is now stable
- versioned.patch: refreshed
-------------------------------------------------------------------
Wed Sep 18 13:44:55 UTC 2019 - Vítězslav Čížek <vcizek@suse.com>
- Fix build with OpenSSL 1.1.1d (bsc#1149792)
* https://github.com/nodejs/node/pull/29550
* add fix_build_with_openssl_1.1.1d.patch
-------------------------------------------------------------------
Fri Sep 6 08:44:26 UTC 2019 - Adam Majer <adam.majer@suse.de>
- Update to 12.10.0:
* deps:
+ update npm to 6.10.3
* fs:
+ Add recursive option to rmdir()
+ Allow passing true to emitClose option
+ Add *timeNs properties to BigInt Stats objects
* net:
+ Allow reading data into a static buffer
- versioned.patch: refreshed
-------------------------------------------------------------------
Mon Aug 26 14:33:48 UTC 2019 - Adam Majer <adam.majer@suse.de>
- Update to 12.9.0:
* crypto: Added an oaepHash option to asymmetric encryption which
allows users to specify a hash function when using OAEP padding
* deps: Updated V8 to 7.6.303.29
+ Improves the performance of various APIs such as JSON.parse
and methods called on frozen arrays.
+ Adds the Promise.allSettled method.
+ Improves support of BigInt in Intl methods.
+ For more information: https://v8.dev/blog/v8-release-76
* fs: Added fs.writev, fs.writevSync and filehandle.writev
(promise version) methods.
* http: Added three properties to OutgoingMessage.prototype:
writableObjectMode, writableLength and writableHighWaterMark
* stream:
+ Added an new property 'readableEnded' to readable streams.
+ Added an new property 'writableEnded' to writable streams.
- fix_ci_tests.patch: refreshed
-------------------------------------------------------------------
Fri Aug 16 14:33:44 UTC 2019 - Adam Majer <adam.majer@suse.de>
- Update to 12.8.1:
Security update regarding HTTP/2 Denial of Service vulnerabilities
For details see,
https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V12.md#12.8.1
https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
(CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514,
bsc#1146091, bsc#1146099, bsc#1146094, bsc#1146095,
CVE-2019-9515, CVE-2019-9516, CVE-2019-9517, CVE-2019-9518,
bsc#1146100, bsc#1146090, bsc#1146097, bsc#1146093)
-------------------------------------------------------------------
Fri Aug 16 11:36:48 UTC 2019 - Adam Majer <adam.majer@suse.de>
- Minimum ICU version is 64. Use in-tree ICU copy for older
distributions
-------------------------------------------------------------------
Mon Aug 12 08:12:27 UTC 2019 - Adam Majer <adam.majer@suse.de>
- dont_return_garbage.patch: dropped and turn off unnecessary
errors about it during compilation
-------------------------------------------------------------------
Fri Aug 9 14:40:09 UTC 2019 - Adam Majer <adam.majer@suse.de>
- Update to 12.8.0:
* crypto:
+ The outputLength option is added to crypto.createHash
+ The maxmem range is increased from 32 to 53 bits
* n-api: Added APIs for per-instance state management
* report: Network interfaces get included in the report
* src: v8.getHeapCodeStatistics() is now exported
-------------------------------------------------------------------
Wed Jul 24 10:44:10 UTC 2019 - Adam Majer <amajer@suse.com>
- Update to 12.7.0:
* deps:
+ Updated nghttp2 to 1.39.1
+ Updated npm to 6.10.0 (bsc#1140290, CVE-2019-13173)
* esm: Implemented experimental "pkg-exports" proposal.
* http:
+ Added response.writableFinished
+ Exposed headers, rawHeaders and other fields on an
http.ClientRequest "information" event
* inspector: Added inspector.waitForDebugger()
* policy: Added --policy-integrity=sri CLI option to mitigate
policy tampering
* readline,tty: Exposed stream API
* src: Use cgroups to get memory limits.
- Changes in version 12.6.0:
* child_process: The promisified versions of child_process.exec
and child_process.execFile now both return a Promise which
has the child instance attached to their child property
* deps: Updated libuv to 1.30.1
* process: A new method, process.resourceUsage() was added
* stream: Added a writableFinished property to writable streams.
* worker: Fixed an issue that prevented worker threads to listen
for data on stdin
- Changes in version 12.5.0:
* build: Improve startup time by enabling V8 snapshots by default
* deps: Updated V8 to 7.5.288.22
* inspector: The --inspect-publish-uid flag was added to specify
ways of the inspector web socket url exposure
* n-api: Accessors on napi_define_* are now ECMAScript-compliant
* report: The cpu info got added to the report output
* src: Restore the original state of the stdio file descriptors
on exit to prevent leaving stdio in raw or non-blocking mode
* worker: worker.terminate() now returns a promise
- refreshed patches: dont_return_garbage.patch, fix_ci_tests.patch,
nodejs-libpath.patch, versioned.patch
-------------------------------------------------------------------
Tue Jun 11 12:38:25 UTC 2019 - Adam Majer <adam.majer@suse.de>
- Update to 12.4.0:
* esm: JSON module support is always enabled under
--experimental-modules. The --experimental-json-modules flag
has been removed
* http, http2: A new flag has been added for overriding
the default HTTP server socket timeout (which is two minutes).
Pass --http-server-default-timeout=milliseconds or
--http-server-default-timeout=0 to respectively change or
disable the timeout. Starting with Node.js 13.0.0,
the timeout will be disabled by default
* inspector: Added an experimental --heap-prof flag to start
the V8 heap profiler on startup and write the heap
profile to disk before exit
* stream: The readable.unshift() method now correctly converts
strings to buffers. Additionally, a new optional argument is
accepted to specify the string's encoding, such as 'utf8' or 'ascii'
* v8: The object returned by v8.getHeapStatistics() has two
new properties: number_of_native_contexts and number_of_detached_contexts
- nodejs-libpath.patch: install npx into proper directory
- versioned.patch, fix_ci_tests.patch: refreshed
-------------------------------------------------------------------
Wed May 29 15:23:37 UTC 2019 - Adam Majer <adam.majer@suse.de>
- Update to 12.3.1:
* deps:
+ Fix handling of +0/-0 when constant field tracking is enabled
+ Fix os.freemem() and os.totalmem correctness
- changes in 12.3.0:
* esm: Added the --experimental-wasm-modules flag to support
WebAssembly modules
* process: Log errors using util.inspect in case of fatal exceptions
* repl: Add process.on('uncaughtException') support
* stream: Implemented Readable.from async iterator utility
* tls:
+ Expose built-in root certificates
+ Support net.Server options
+ Expose keylog event on TLSSocket
* worker: Added the ability to unshift messages from the MessagePort
- changes in 12.2.0:
* deps: Updated llhttp to 1.1.3. This fixes a bug that made
Node.js' HTTP parser refuse any request URL that contained
the "|" (vertical bar) character
* tls: Added an enableTrace() method to TLSSocket and an enableTrace
option to tls.createServer(). When enabled, TSL packet trace
information is written to stderr. This can be used to debug
TLS connection problems
* cli:
+ Added --trace-tls enables tracing of TLS connections
+ Added --cpu-prof-interval
* module:
+ Added the createRequire() method. The existing
createRequireFromPath() method is now deprecated
+ Throw on require('./path.mjs')
* repl:
+ The REPL now supports multi-line statements using BigInt literals
- enable LTO
- fix_ci_tests.patch: refreshed
-------------------------------------------------------------------
Fri May 3 11:35:05 UTC 2019 - Adam Majer <adam.majer@suse.de>
- Update to 12.1.0:
* intl: Update ICU to 64.2.
* c++ API: Added an overload EmitAsyncDestroy that can be used
during garbage collection
- Notable changes in 12.0.0:
* assert:
+ validate required arguments
+ adjust loose assertions
* async_hooks:
+ remove deprecated emitBefore and emitAfter
+ remove promise object from resource
* bootstrap: make Buffer and process non-enumerable
* buffer:
+ use stricter range checks
+ harden SlowBuffer creation
+ harden validation of buffer allocation size
+ do proper error propagation in addon methods
* child_process:
+ remove options.customFds
+ harden fork arguments validation
+ use non-infinite maxBuffer defaults
* console: don't use ANSI escape codes when TERM=dumb
* crypto:
+ remove legacy native handles
+ decode missing passphrase errors
+ remove Cipher.setAuthTag() and Decipher.getAuthTag()
+ remove deprecated crypto._toBuf()
+ set DEFAULT_ENCODING property to non-enumerable
* deps:
+ update V8 to 7.4.288.13
+ bump minimum icu version to 63
+ update bundled OpenSSL to 1.1.1b and bump minimum OpenSSL
requirements to 1.1.1
* errors: update error name
* fs:
+ use proper .destroy() implementation for SyncWriteStream
+ improve mode validation
+ harden validation of start option in createWriteStream()
+ make writeFile consistent with readFile wrt fd
* http:
+ validate timeout in ClientRequest()
+ return HTTP 431 on HPE_HEADER_OVERFLOW error
+ switch default parser to llhttp
+ Runtime-deprecate outgoingMessage._headers and
outgoingMessage._headerNames
* lib:
+ remove Atomics.wake()
+ move DTRACE_* probes out of global scope
+ deprecate _stream_wrap
+ use ES6 class inheritance style
* module:
+ remove unintended access to deps
+ improve error message for MODULE_NOT_FOUND
+ requireStack property for MODULE_NOT_FOUND
+ make require('.') never resolve outside the current directory
+ throw an error for invalid package.json main entries
+ don't search in require.resolve.paths
* net:
+ remove Server.listenFD()
+ do not add .host and .port properties to DNS error
+ emit "write after end" errors in the next tick
+ deprecate _setSimultaneousAccepts() undocumented function
* os:
+ implement os.type() using uv_os_uname()
+ remove os.getNetworkInterfaces()
* process:
+ make global.process, global.Buffer getters
+ DEP0062 (node --debug) to end-of-life
+ exit on --debug and --debug-brk after option parsing
+ improve --redirect-warnings handling
* readline: support TERM=dumb
* repl:
+ add welcome message
+ fix terminal default setting
+ check colors with .getColorDepth()
+ deprecate REPLServer.rli
* src:
+ update NODE_MODULE_VERSION to 72
+ remove AddPromiseHook()
+ remove icuDataDir from node config
+ clean up MultiIsolatePlatform interface
* tls:
+ support TLSv1.3
+ return correct version from getCipher()
+ check arg types of renegotiate()
+ add code for ERR_TLS_INVALID_PROTOCOL_METHOD
+ emit a warning when servername is an IP address
+ disable TLS v1.0 and v1.1 by default
+ remove unused arg to createSecureContext()
+ deprecate Server.prototype.setOptions()
+ load NODE_EXTRA_CA_CERTS at startup
* util:
+ remove util.print(), util.puts(), util.debug() and util.error()
+ change inspect compact and breakLength default
+ improve inspect edge cases
+ only the first line of the error message
+ don't set the prototype of callbackified functions
+ rename callbackified function
+ increase function length when using callbackify()
+ prevent tampering with internals in inspect()
+ prevent Proxy traps being triggered by .inspect()
+ prevent leaking internal properties
+ protect against monkeypatched Object prototype for inspect()
+ treat format arguments equally
* zlib:
+ throw TypeError if callback is missing
+ make “bare” constants un-enumerable
For detailed changelog, see
https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V12.md
-------------------------------------------------------------------
Sun Apr 7 18:16:21 UTC 2019 - Guillaume GARDET <guillaume.gardet@opensuse.org>
- Add _constraints file to avoid OOM errors
-------------------------------------------------------------------
Wed Feb 13 11:34:12 UTC 2019 - adam.majer@suse.de
- NodeJS 12.x branch created
Reference in New Issue View Git Blame Copy Permalink