CVEs are fixed in this release:
* (CVE-2023-30581, bsc#1212574): mainModule.__proto__ Bypass
Experimental Policy Mechanism (High)
* (CVE-2023-30585, bsc#1212579): Privilege escalation via
Malicious Registry Key manipulation during Node.js
installer repair process (Medium)
* (CVE-2023-30588, bsc#1212581): Process interruption due to invalid
Public Key information in x509 certificates (Medium)
* (CVE-2023-30589, bsc#1212582): HTTP Request Smuggling via
Empty headers separated by CR (Medium)
* (CVE-2023-30590, bsc#1212583): DiffieHellman does not
generate keys after setting a private key (Medium)
* deps: update c-ares to 1.19.1: c-ares security issues fixed:
+ CVE-2023-32067. High. 0-byte UDP payload causes Denial of Service
(bsc#1211604)
+ CVE-2023-31147. Moderate. Insufficient randomness in generation
of DNS query IDs (bsc#1211605)
+ CVE-2023-31130. Moderate. Buffer Underwrite in
ares_inet_net_pton() (bsc#1211606)
+ CVE-2023-31124. Low. AutoTools does not set CARES_RANDOM_FILE
during cross compilation (bsc#1211607)
- fix_ci_tests.patch: increase default timeout on unit tests
to 20min from 2min. This seems to have led to build failures
on some platforms, like s390x in Factory. (bsc#1211407)
OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs16?expand=0&rev=96