nodejs/nodejs16
SHA256
6
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
36 Commits 1 Branch 0 Tags
main
Commit Graph

23 Commits

Author SHA256 Message Date
Adam Majer
c820e0ef39 OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs16?expand=0&rev=109 2024-11-04 16:18:55 +00:00
Adam Majer
b470756e75 - CVE-2024-22020.patch: Bypass network import restriction via data URL 
(bsc#1227554, CVE-2024-22020)

OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs16?expand=0&rev=108
 2024-11-04 15:32:04 +00:00
Adam Majer
651524bb7e - openssl31.patch: fix unit tests with OpenSSL 3.1 (bsc#1232756) 
OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs16?expand=0&rev=107
 2024-11-04 14:52:58 +00:00
Adam Majer
52a49964bb - openssl31.patch: fix unit tests with OpenSSL 3.1 
OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs16?expand=0&rev=105
 2024-10-29 13:15:03 +00:00
Adam Majer
6f62c07753 - CVE-2024-30261.patch: update undici to v5.28.4 (bsc#1222530, bsc#1222603, 
CVE-2024-30260, CVE-2024-30261)

OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs16?expand=0&rev=103
 2024-05-27 12:00:52 +00:00
Adam Majer
ebfbc55105 - CVE-2024-27983.patch - Assertion failed in 
node::http2::Http2Session::~Http2Session() leads to
  HTTP/2 server crash- (High) (bsc#1222244, CVE-2024-27983)
- CVE-2024-27982.patch - HTTP Request Smuggling via Content Length
  Obfuscation- (Medium) (bsc#1222384, CVE-2024-27982)
- updated dependencies:
  + llhttp version 6.1.1
- CVE-2024-22025.patch - test timeout adjustment

OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs16?expand=0&rev=102
 2024-04-11 10:57:54 +00:00
Adam Majer
8d996190a8 * sle12-node-gyp-addon-gypi.patch - GYP patches for SLE12 
OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs16?expand=0&rev=101
 2024-02-21 13:47:52 +00:00
Adam Majer
1272fd04b8 * CVE-2023-46809.patch: Node.js is vulnerable to the Marvin Attack 
(timing variant of the Bleichenbacher attack against
   PKCS#1 v1.5 padding) - (Medium) (CVE-2023-46809, bsc#1219997)
 * CVE-2024-22019.patch: http: Reading unprocessed HTTP request with
   unbounded chunk extension allows DoS attacks- (High)
   (CVE-2024-22019, bsc#1219993)
 * CVE-2024-22025.patch: fix Denial of Service by resource exhaustion
   in fetch() brotli decoding (CVE-2024-22025, bsc#1220014)
 * CVE-2024-24758.patch: ignore proxy-authorization headers
   (CVE-2024-24758, bsc#1220017)
 * CVE-2024-24806.patch: fix improper domain lookup that
   potentially leads to SSRF attacks (CVE-2024-24806, bsc#1220053)
- CVE-2023-38552.patch: Integrity checks according to policies
  can be circumvented (CVE-2023-38552, bsc#1216272)
- CVE-2023-39333.patch, wasm-fixture.tar.gz: Code injection via
  WebAssembly export names (CVE-2023-39333, bsc#1216273)
- CVE-2023-45143.patch: undici Security Release (CVE-2023-45143, bsc#1216205)
- nodejs.keyring: include new releaser keys

OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs16?expand=0&rev=100
 2024-02-20 16:34:06 +00:00
Adam Majer
00455b1bee - CVE-2023-38552.patch: Integrity checks according to policies can be circumvented (CVE-2023-38552, bsc#1216272) 
- CVE-2023-39333.patch: Code injection via WebAssembly export names (CVE-2023-39333, bsc#1216273)
- CVE-2023-44487.patch: nghttp2 Security Release (CVE-2023-44487, bsc#1216190)
- CVE-2023-45143.patch: undici Security Release (CVE-2023-39333, bsc#1216273)

OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs16?expand=0&rev=99
 2023-10-17 12:06:45 +00:00
Adam Majer
740b330d60 - Update to LTS version 16.20.2 (security fixes). The following CVE 
were fixed:
  * (CVE-2023-32002, bsc#1214150): Policies can be bypassed
     via Module._load (High)
  * (CVE-2023-32006, bsc#1214156): Policies can be bypassed by
     module.constructor.createRequire (Medium)
  * (CVE-2023-32559, bsc#1214154): Policies can be bypassed via
     process.binding (Medium)

OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs16?expand=0&rev=98
 2023-08-10 14:37:41 +00:00
Adam Majer
1a094d51e7 - Update to version 16.20.1 (security fixes only). The following 
CVEs are fixed in this release:
  * (CVE-2023-30581, bsc#1212574): mainModule.__proto__ Bypass
    Experimental Policy Mechanism (High)
  * (CVE-2023-30585, bsc#1212579): Privilege escalation via
    Malicious Registry Key manipulation during Node.js
    installer repair process (Medium)
  * (CVE-2023-30588, bsc#1212581): Process interuption due to invalid
    Public Key information in x509 certificates (Medium)
  * (CVE-2023-30589, bsc#1212582): HTTP Request Smuggling via
    Empty headers separated by CR (Medium)
  * (CVE-2023-30590, bsc#1212583): DiffieHellman does not
    generate keys after setting a private key (Medium)
  * deps: update c-ares to 1.19.1: c-ares security issues fixed:
    + CVE-2023-32067. High. 0-byte UDP payload causes Denial of Service
      (bsc#1211604)
    + CVE-2023-31147 Moderate. Insufficient randomness in generation
      of DNS query IDs (bsc#1211605)
    + CVE-2023-31130. Moderate. Buffer Underwrite in
      ares_inet_net_pton() (bsc#1211606)
    + CVE-2023-31124. Low. AutoTools does not set CARES_RANDOM_FILE
      during cross compilation (bsc#1211607)
- fix_ci_tests.patch: increase default timeout on unit tests
  to 20min from 2min. This seems to have lead to build failures
  on some platforms, like s390x in Factory. (bsc#1211407)

OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs16?expand=0&rev=96
 2023-06-21 12:37:39 +00:00
Adam Majer
8f4cbfb6a0 - Update to NodeJS 18.16.0 LTS version 
* Add initial support for single executable applications
  * Replace url parser with Ada
  * buffer: add Buffer.copyBytesFrom
- refreshed patches: versioned.patch linker_lto_jobs.patch

OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs16?expand=0&rev=95
 2023-04-13 14:08:11 +00:00
Adam Majer
a7b7bf64b6 - Update to LTS version 16.20.0 
* deps:
    + update undici to 5.20.0
    + update c-ares to 1.19.0
    + upgrade npm to 8.19.4
- legacy_python.patch, versioned.patch: refreshed

OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs16?expand=0&rev=94
 2023-04-13 13:49:22 +00:00
Adam Majer
9f0c761182 * updates undici to v5.19.1 
+ Fetch API in Node.js did not protect against CRLF injection in host headers
    + Regular Expression Denial of Service in Headers in Node.js fetch API
    (bsc#1208413, bsc#1208485, CVE-2023-24807, CVE-2023-23936)

OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs16?expand=0&rev=93
 2023-02-22 14:12:46 +00:00
Adam Majer
5c4c5f2f40 - Update to LTS version 16.19.1: 
* fixes permissions policies can be bypassed via process.mainModule
    (bsc#1208481, CVE-2023-23918)
  * fixes insecure loading of ICU data through ICU_DATA environment
    variable (bsc#1208487, CVE-2023-23920)
  * fixes OpenSSL error handling issues in nodejs crypto library
    (bsc#1208483, CVE-2023-23919)
  * updates undici to v5.19.1 (bsc#1208413, CVE-2023-24807)
- versioned.patch: refreshed

- Update _constraints:
  * Less RAM for aarch64 and 32-bit arm
  * Use 'asimdrdm' cpu flag to use aarch64 workers where tests
    are more stable

OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs16?expand=0&rev=92
 2023-02-22 13:59:20 +00:00
Adam Majer
3f759d9aeb - Update to LTS version 16.19.0: 
* dgram: add dgram send queue info
  * cli: add --watch
- systemtap.patch: upstreamed, removed

OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs16?expand=0&rev=91
 2022-12-31 21:35:35 +00:00
Adam Majer
40c8bce4e8 - sle12_python3_compat.patch: only apply for older SLE12 codestreams 
where Python 3.6 is not available. Still worlaround for bsc#1205568

OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs16?expand=0&rev=90
 2022-11-29 16:37:59 +00:00
Adam Majer
aeec8a58fa - Workaround bug on SLE12SP5 during source unpack (bsc#1205568) 
OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs16?expand=0&rev=89
 2022-11-23 16:53:41 +00:00
Adam Majer
d8d44c7572 - Replace node-gyp for SLE12 with python 3.4 compatible gyp 
OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs16?expand=0&rev=86
 2022-11-10 08:55:10 +00:00
Adam Majer
7e14133156 - Update to LTS versino 16.18.1: 
* inspector: DNS rebinding in --inspect via invalid octal IP
    (bsc#1205119, CVE-2022-43548)

OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs16?expand=0&rev=83
 2022-11-07 10:03:42 +00:00
Marcus Rueckert
d2ec1e97a9 removed _link 
OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs16?expand=0&rev=82
 2022-10-24 09:45:09 +00:00
Adam Majer
701d785fd9 - New upstream version 16.1.0 
fs: allow no-params fsPromises fileHandle read

OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs16?expand=0&rev=4
 2021-05-05 11:23:38 +00:00
Adam Majer
803129316b - New upstrean version 16.0.0: 
For complete list of changes since 15.x, please see
https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V16.md#16.0.0

- Import staging 16.x

OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs16?expand=0&rev=1
 2021-05-04 12:31:34 +00:00