a3999ac2a7  Adam Majer  2019-03-01 15:42:35 +00:00
Backport security fixes from NodeJS 6.x:
* deps: upgrade OpenSSL source to 1.0.2r. Under certain circumstances, a TLS server can be forced to respond differently to a client if a zero-byte record is received with an invalid padding compared to a zero-byte record with an invalid MAC. This can be used as the basis of a padding oracle attack to decrypt data. (openssl_1_0_2q.patch - CVE-2019-1559, bsc#1127080)
* http: (http-keep-alive.patch)
  + Backport server.keepAliveTimeout to prevent keep-alive HTTP and HTTPS connections remaining open and inactive for an extended period of time, leading to a potential Denial of Service (DoS). (CVE-2019-5739, bsc#1127533)
  + Further prevention of "Slowloris" attacks on HTTP and HTTPS connections by consistently applying the receive timeout set by server.headersTimeout to connections in keep-alive mode. (CVE-2019-5737, bsc#1127532)

a52fd358ee  Adam Majer  2019-01-10 14:20:46 +00:00
- env_shebang.patch: dropped in favour of programmatic update

57718cd79b  Adam Majer  2019-01-09 14:07:18 +00:00
* cli: add --max-http-header-size flag (max_header_size.patch)
  + add maxHeaderSize property (max_header_size.patch) (CVE-2018-12121.patch - CVE-2018-12121, bsc#1117626)
  + A timeout of 40 seconds now applies to servers receiving HTTP headers. This value can be adjusted with server.headersTimeout. Where headers are not completely received within this period, the socket is destroyed on the next received chunk. In conjunction with server.setTimeout(), this aids in protecting against excessive resource retention and possible Denial of Service. (CVE-2018-12122.patch - CVE-2018-12122, bsc#1117627)
  (CVE-2018-12116.patch - CVE-2018-12116, bsc#1117630)
  (CVE-2018-12123.patch - CVE-2018-12123, bnc#1117629)

e0342a286e  Adam Majer  2019-01-09 11:22:02 +00:00
+ Headers received by HTTP servers must not exceed 8192 bytes in total to prevent possible Denial of Service attacks. CVE-2018-12121.patch - (CVE-2018-12121, bsc#1117626)

3f386ef218  Adam Majer  2019-01-08 16:04:58 +00:00
Backport security fixes from NodeJS 6.x:
* debugger: prevent the debugger from listening on 0.0.0.0. It now defaults to 127.0.0.1. CVE-2018-12120.patch - (CVE-2018-12120, bsc#1117625)
* http:
  + Two-byte characters are now strictly disallowed for the path option in HTTP client requests. Paths containing characters outside of the range \u0021 - \u00ff will now be rejected with a TypeError. This behavior can be reverted if necessary by supplying the --security-revert=CVE-2018-12116 command line argument (this is not recommended). CVE-2018-12116.patch - (CVE-2018-12116, bsc#1117630)
* util: Fix a bug that would allow a hostname to be spoofed when parsing URLs with url.parse() with the 'javascript:' protocol. CVE-2018-12123.patch - (CVE-2018-12123, bnc#1117629)

a84d0c769f  Adam Majer  2018-11-26 15:38:06 +00:00
- flaky_test_rerun.patch: Rerun failing tests in case of flakiness

360fb6e8ed  Adam Majer  2018-10-05 12:18:36 +00:00
- fix_ci_tests.patch: skip parallel/test-tick-processor on arm. Unreliable test in shared environment.
- enable unit tests build failures

421e392db5  Adam Majer  2018-10-01 13:40:18 +00:00
- test-ca-bumps.patch: update certificates used in unit tests

b4fc86cf7f  Adam Majer  2018-08-23 13:50:43 +00:00
* Client DoS due to large DH parameter (CVE-2018-0732, bsc#1097158)

78e90cf35f  Adam Majer  2018-08-23 13:47:54 +00:00
- openssl_1_0_2p.patch: deps: Upgrade to OpenSSL 1.0.2p, fixing:
  * Client DoS due to large DH parameter (CVE-2018-0732)
  * ECDSA key extraction via local side-channel

d77a04dbdb  Adam Majer  2018-03-22 13:26:54 +00:00
- remove any old manpage files in %pre from before update-alternatives were used to manage symlinks to these manpages.

43f467e072  Adam Majer  2018-02-13 08:45:48 +00:00
- Add Recommends and BuildRequire on python2 for npm. node-gyp requires this old version of python for now. This is only needed for binary modules.