29 Commits

Author SHA256 Message Date
41b5165b76 - openssl31.patch: fix unit tests with OpenSSL 3.1 (bsc#1232756)
OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs14?expand=0&rev=114
2024-11-04 14:52:50 +00:00
14afe8561b - openssl31.patch: fix unit tests with OpenSSL 3.1
OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs14?expand=0&rev=113
2024-10-29 13:16:26 +00:00
26e986c7a5 - CVE-2024-27983.patch - Assertion failed in
  node::http2::Http2Session::~Http2Session() leads to
  HTTP/2 server crash - (High) (bsc#1222244, CVE-2024-27983)
- CVE-2024-27982.patch - HTTP Request Smuggling via Content Length
  Obfuscation - (Medium) (bsc#1222384, CVE-2024-27982)
- updated dependencies:
  + llhttp version 6.1.1
- CVE-2024-22025.patch - test timeout adjustment

OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs14?expand=0&rev=112
2024-04-12 14:11:00 +00:00
1d51fd3bc7 * CVE-2023-46809.patch: Node.js is vulnerable to the Marvin Attack
   (timing variant of the Bleichenbacher attack against
   PKCS#1 v1.5 padding) - (Medium) (CVE-2023-46809, bsc#1219997)
 * CVE-2024-22019.patch: http: Reading unprocessed HTTP request with
   unbounded chunk extension allows DoS attacks - (High)
   (CVE-2024-22019, bsc#1219993)
 * CVE-2024-22025.patch: fix Denial of Service by resource exhaustion
   in fetch() brotli decoding (CVE-2024-22025, bsc#1220014)
 * CVE-2024-24806.patch: fix improper domain lookup that
   potentially leads to SSRF attacks (CVE-2024-24806, bsc#1220053)

OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs14?expand=0&rev=111
2024-02-22 12:05:45 +00:00
d3dec2361e - CVE-2023-38552.patch: Integrity checks according to policies
  can be circumvented (CVE-2023-38552, bsc#1216272)
- CVE-2023-44487.patch: nghttp2 Security Release (CVE-2023-44487, bsc#1216190)
- nodejs.keyring: include new releaser keys
- newicu_test_fixup.patch: workaround whitespaces funnies in
  some icu versions

OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs14?expand=0&rev=109
2023-10-24 15:44:19 +00:00
9061f7712c * CVE-2023-32002.patch:
    + fixes policies can be bypassed via Module._load
    + fixes policies can be bypassed by module.constructor.createRequire
      (CVE-2023-32002, CVE-2023-32006, bsc#1214150, bsc#1214156)
  * CVE-2023-32559.patch: Policies can be bypassed via
    process.binding (CVE-2023-32559, bsc#1214154)

OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs14?expand=0&rev=108
2023-08-11 13:04:35 +00:00
9b56d5b8bf - CVE-2023-30581.patch: fixes mainModule.__proto__ Bypass
  Experimental Policy Mechanism (CVE-2023-30581, bsc#1212574)
- CVE-2023-30589.patch: HTTP Request Smuggling via empty headers
  separated by CR (CVE-2023-30589, bsc#1212582)
- CVE-2023-30590.patch: DiffieHellman does not generate keys
   after setting a private key (CVE-2023-30590, bsc#1212583)

OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs14?expand=0&rev=107
2023-08-04 16:06:06 +00:00
3a6764d3d4 - CVE-2022-25881.patch: http-cache-semantics(npm): Don't use regex
  to trim whitespace (bsc#1208744, CVE-2022-25881)

OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs14?expand=0&rev=105
2023-04-13 14:30:44 +00:00
3818eb1d5d - BR: python 3.6
OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs14?expand=0&rev=104
2023-02-21 17:02:45 +00:00
fc4e0256da - Update to 14.21.3:
  * fixes permissions policies can be bypassed via process.mainModule
    (bsc#1208481, CVE-2023-23918)
  * fixes insecure loading of ICU data through ICU_DATA environment
    variable (bsc#1208487, CVE-2023-23920)
  * deps: update npm to 6.14.18
    + CVE-2021-44907.patch: upstreamed and removed

- Update _constraints:
  * Less RAM for aarch64 and 32-bit arm
  * Use 'asimdrdm' cpu flag to use aarch64 workers where tests
    are more stable

OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs14?expand=0&rev=103
2023-02-21 16:50:51 +00:00
5e4a79275f - Update to 14.21.2:
  * http2: fix memory leak when nghttp2 hd threshold is reached

OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs14?expand=0&rev=102
2022-12-31 21:36:04 +00:00
6a3accb781 - Update to 14.21.1:
  * inspector: DNS rebinding in --inspect via invalid octal IP
    (bsc#1205119, CVE-2022-43548)

OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs14?expand=0&rev=101
2022-11-07 10:04:13 +00:00
5301aeab42 - Update to 14.21.0:
  * src: add --openssl-shared-config option

OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs14?expand=0&rev=100
2022-11-02 10:40:45 +00:00
178c374d87 Removed CVE that does not apply here anymore
OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs14?expand=0&rev=98
2022-09-28 12:19:54 +00:00
486ad62e98 + CVE-2022-32213 bypass via obs-fold mechanic (bsc#1201325)
    + Incorrect Parsing of Header Fields (CVE-2022-35256, bsc#1203832)
    + fixes HTTP Request Smuggling Due to Incorrect Parsing
      of Multi-line Transfer-Encoding (bsc#1201327, CVE-2022-32215)

- Skip test-fs-utimes-y2K38.js on armv6hl as well as armv7hl.

OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs14?expand=0&rev=97
2022-09-28 12:10:28 +00:00
2176ed8e70 - Update to 14.20.1:
  * deps: update llhttp to 2.1.6:
    + CVE-2022-32213 bypass via obs-fold mechanic
    + Incorrect Parsing of Header Fields (CVE-2022-35256)

OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs14?expand=0&rev=96
2022-09-26 14:44:32 +00:00
f58f4024c1 - Update to 14.20.0:
  * http: stricter Transfer-Encoding and header separator parsing
    (bsc#1201325, bsc#1201326, bsc#1201327,
     CVE-2022-32213, CVE-2022-32214, CVE-2022-32215)
  * src: fix IPv4 validation in inspector_socket
    (bsc#1201328, CVE-2022-32212)

OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs14?expand=0&rev=95
2022-07-11 12:14:56 +00:00
d4f8503add - Update to 14.19.3:
  * Upgrade npm to v6.14.17
- obsoleted and removed: CVE-2021-3807.patch, CVE-2021-44906.patch
- refreshed: versioned.patch

OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs14?expand=0&rev=94
2022-06-28 14:21:13 +00:00
53ae15bb24 Update to 14.19.1:
  * deps: upgrade openssl sources to 1.1.1n (bsc#1196877, CVE-2022-0778)
    Infinite loop in BN_mod_sqrt() reachable when parsing certificates
    More details at https://www.openssl.org/news/secadv/20220315.txt

OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs14?expand=0&rev=93
2022-04-26 14:28:45 +00:00
5593c05939 - CVE-2021-44906.patch: fix prototype pollution in npm dependency
  (bsc#1198247, CVE-2021-44906)
- CVE-2021-44907.patch: fix insufficient sanitation in npm dependency
  (bsc#1197283, CVE-2021-44907)
- CVE-2022-0235.patch: fix passing of cookie data and sensitive headers
  to different hostnames in node-fetch-npm (bsc#1194819, CVE-2022-0235)

OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs14?expand=0&rev=92
2022-04-22 12:10:10 +00:00
b04606cc9a + CVE-2021-32803 - node-tar: Insufficient symlink protection
OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs14?expand=0&rev=91
2022-02-17 12:23:34 +00:00
e682f4f498 - update to 14.19.0:
  * crypto: make FIPS related options always available
  * deps: upgrade npm to 6.14.16
    + CVE-2021-23343 - ReDoS via splitDeviceRe, splitTailRe and
      splitPathRe (bsc#1192153)
    + CVE-2021-23343 - node-tar: Insufficient symlink protection
      allowing arbitrary file creation and overwrite (bsc#1191963)
    + CVE-2021-32804 - node-tar: Insufficient absolute path sanitization
      allowing arbitrary file creation and overwrite (bsc#1191962)
    + CVE-2021-3918 - json-schema is vulnerable to Improperly
      Controlled Modification of Object Prototype Attributes (bsc#1192696)
  * module: support pattern trailers
  * src: make napi_create_reference accept symbol
- CVE-2021-3807.patch: node-ansi-regex: Regular expression
  denial of service (ReDoS) matching ANSI escape codes
  (bsc#1192154, CVE-2021-3807)
- versioned.patch, nodejs-libpath.patch: refreshed

OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs14?expand=0&rev=89
2022-02-16 16:28:10 +00:00
606b01b84f OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs14?expand=0&rev=88
2022-01-12 23:29:57 +00:00
ded46b03e4 - update to 14.17.0:
  * Experimental support for AbortController and AbortSignal
  * Diagnostics channel (experimental module)
  * UUID support in the crypto module
  * update ICU to 68.1
  * upgrade to libuv 1.41.0
- add Fix-build-with-icu-69.patch: fix build with icu 69

OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs14?expand=0&rev=61
2021-06-10 14:10:48 +00:00
c4e8e243ba - Use libalternatives instead of update-alternatives
OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs14?expand=0&rev=59
2021-05-31 16:35:26 +00:00
5fd71ef2af - New upstream LTS version 14.16.1:
  * CVE-2020-7774: npm upgrade - Update y18n to fix Prototype-Pollution (High)
    This is a vulnerability in the y18n npm module which may be
    exploited by prototype pollution. You can read more about it in
    https://github.com/advisories/GHSA-c4w7-xm78-47vh
    (bsc#1184450)
  * deps: upgrade npm to 6.14.12
- versioned.patch: refreshed

OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs14?expand=0&rev=58
2021-04-07 15:44:10 +00:00
954436a1a1 OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs14?expand=0&rev=57
2021-02-23 17:32:24 +00:00
e5790a9e86 - Update to version 14.1.0:
  * deps: upgrade openssl sources to 1.1.1g (SLE-12 only)
  * http: doc deprecate abort and improve docs
  * module: do not warn when accessing __esModule of unfinished exports
  * n-api: detect deadlocks in thread-safe function
  * src: deprecate embedder APIs with replacements
  * stream:
    + don't emit end after close
    + don't wait for close on legacy streams
    + pipeline should only destroy un-finished streams
  * vm: add importModuleDynamically option to compileFunction
skip_no_console.patch: add more unit tests that fail on dumb terminals

OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs14?expand=0&rev=5
2020-04-30 11:26:42 +00:00
7445d9ec01 - Initial version 14.0.0
Deprecations
 * crypto: move pbkdf2 without digest to EOL
 * fs: deprecate closing FileHandle on garbage collection
 * http: move OutboundMessage.prototype.flush to EOL
 * lib: move GLOBAL and root aliases to EOL
 * os: move tmpDir() to EOL
 * src: remove deprecated wasm type check
 * stream: move _writableState.buffer to EOL
 * doc: deprecate process.mainModule
 * doc: deprecate process.umask() with no arguments
For a detailed list of changes, see
https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V14.md#14.0.0

OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs14?expand=0&rev=1
2020-04-27 13:51:48 +00:00