- Update to Nodejs 18.9.1:

* deps: llhttp updated to 6.0.10 + CVE-2022-32213 bypass via obs-fold mechanic + Incorrect Parsing of Multi-line Transfer-Encoding (CVE-2022-32215) + Incorrect Parsing of Header Fields (CVE-35256) * crypto: fix weak randomness in WebCrypto keygen (CVE-2022-35255) OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs18?expand=0&rev=16
2022-09-26 14:46:24 +00:00 · 2022-09-26 14:46:24 +00:00 · 0ef259aa25
commit 0ef259aa25
parent 30cc83a745
5 changed files with 70 additions and 69 deletions
--- a/SHASUMS256.txt
+++ b/SHASUMS256.txt
@ -1,34 +1,34 @@
-e4d8d6030efe1e0b103ba7a158996b2ff4ceef0f8fd05af9ea61eb4b17d6fa0c  node-v18.9.0-aix-ppc64.tar.gz
-60300b40f539fc93005859fcb7ea585bfd111800e90b6ee744a07f2380512bbb  node-v18.9.0-darwin-arm64.tar.gz
-d20ad4d52c0df79bc2296f78cb5cd7d0757e848263b30822538f31d695d3b0a4  node-v18.9.0-darwin-arm64.tar.xz
-dce1144cbfc01e03c2e84582461c3ce83541968b2b52a3d3a6f2bbfb09183fba  node-v18.9.0-darwin-x64.tar.gz
-aecd44f8799e31ed73fb746d00da28f0a32d0ec45079ee85545881e607ddd4d3  node-v18.9.0-darwin-x64.tar.xz
-e7ec2a64fc24cc5c790289df80e4788190ca6760a96b6947ef02452bb520cd00  node-v18.9.0-headers.tar.gz
-47ad304159c8c01271f166b8750d82d96b7d7e1586d9a9225fea0f50a5ce4224  node-v18.9.0-headers.tar.xz
-0d0e671158e072a63c24714bfc4c19a4bb0a70c89d219b1f23d67cbea9c5ffcf  node-v18.9.0-linux-arm64.tar.gz
-3ec898c66916ab7e245c34f402c091c50bcaa325617f692a6b62dc8d9c06baa0  node-v18.9.0-linux-arm64.tar.xz
-195bea2e5be6c791bc460fdc0939375f25b6246cbb57521374eddc9e77323829  node-v18.9.0-linux-armv7l.tar.gz
-730697bcfc5ba1538a3c8380edcf51cfa58c760804fb90bab6cfda34d30c55f8  node-v18.9.0-linux-armv7l.tar.xz
-794bb57444e14e3282f8f2416483c385e3ae1d66b8babb025ed2b78e22d8157d  node-v18.9.0-linux-ppc64le.tar.gz
-1b8fadd2d879d2a8b6ee97fcfc0caaa0e1190026e565c097c898824541cd2d86  node-v18.9.0-linux-ppc64le.tar.xz
-1061f5ed96290df7f3e5b1f183fdacfd82bba0d8c2dfb984505110f83e9ac215  node-v18.9.0-linux-s390x.tar.gz
-86d55c4f495e74e8a9d03e4e34ef4f2ee6ec6ab187ecedf3e430e93baf9faea0  node-v18.9.0-linux-s390x.tar.xz
-7fdbfdb985a48db3d22a2472330db05d94c9aff59192b09d8f9ab5fcedba76d5  node-v18.9.0-linux-x64.tar.gz
-0137e43f5492dd97b6ef1f39ea4581975016e5f1e70db461d7292c6853ace066  node-v18.9.0-linux-x64.tar.xz
-bae2d3417a9e1c4cc7145801e428c13e9fce006044258194d073207efd1b736b  node-v18.9.0-win-x64.7z
-d7a9c9e8a36259d1e15052c135fbd11937d0f0485360e402e833522076233a7a  node-v18.9.0-win-x64.zip
-7b2f1a76c4bbcc464f05b4895dbe5e48047d35cf88b210bdde71034f0aee3146  node-v18.9.0-win-x86.7z
-6543f6e72a704bf56170dd874f9edc6ed9468d15008dbb214654d3681221c37e  node-v18.9.0-win-x86.zip
-38744484707594133d1b9e94d2575d403d132761241de2a6b5a4bf0648946ea0  node-v18.9.0-x64.msi
-4c4e9206f652e47371eb52753501280348bb8bfad827d1ac6f782152a00df31b  node-v18.9.0-x86.msi
-7b469adcc4863e53fdbeb66e0eff3316abdf40d80be51adc6b4c7fe1dd04348e  node-v18.9.0.pkg
-89af82a3f8df01a24bb61b69a4e9a0482bfa8793a7686c88227bce10ee0c72bc  node-v18.9.0.tar.gz
-c75cc89afead976791900accde02a7b1e7e762702f0f6fa68eaacb01984d9654  node-v18.9.0.tar.xz
-6f4da4ffa06afa4096acb5279e6875ccb5ffcd03a86fbbee382dde4bc96565f5  win-x64/node.exe
+6b602994ea7e22d49e1b2406d3d1119133d6bc89e52f70cd61090968b9e5ec93  node-v18.9.1-aix-ppc64.tar.gz
+289dca525c5535bddf389b69386ceb12d7c77eeae9aa2f666652877f982f9b5d  node-v18.9.1-darwin-arm64.tar.gz
+b80c029f945c522d553b70f4a8de14a077983dc36b4481a3051cd7103fb4a04c  node-v18.9.1-darwin-arm64.tar.xz
+ef7d92bb3b21b50242175483dca6ccd98052d6f4be3ce5b9ae55f0b95c0db25d  node-v18.9.1-darwin-x64.tar.gz
+dff4fe1259b7801121bf7335cddd742801c8b34a4aba9dc3eb5943c1edb163ee  node-v18.9.1-darwin-x64.tar.xz
+fb963b1e81110447f6c19dc5211c1bc2f44b53460d10daac8dd920ebff081ffc  node-v18.9.1-headers.tar.gz
+62f3863047d94f3ce1250f61be20fd697e47e972e636ff3385d469d55e8dd71a  node-v18.9.1-headers.tar.xz
+a1610d6f75f45fb0dc73164231c63308d653c09a57dd14a989cf4de9b96e965b  node-v18.9.1-linux-arm64.tar.gz
+d4edf28b695374faafc944f291151bf2fcfcf4b575207eadaee86a2c2aa1cbbe  node-v18.9.1-linux-arm64.tar.xz
+d488cd0cda2c71d397c69db4088d4bec631c1489e1d58afbf2ed6e7d0ccc2660  node-v18.9.1-linux-armv7l.tar.gz
+82502c7fb666b3842491d6244cd1eda72562ebe801dbe5c37bddab28acb91414  node-v18.9.1-linux-armv7l.tar.xz
+6a853f4702c41c0da9f625def2db01e24a91e89a2c8dbbeb7b79556572390aa6  node-v18.9.1-linux-ppc64le.tar.gz
+3b892a3f3f37d262f344b2cbf0a2aa1deb8534c3674d42a256f5153df409c087  node-v18.9.1-linux-ppc64le.tar.xz
+042b5069395cb1f377a6b25203afdb099187ca44c67f848f805ecc7f8d97f412  node-v18.9.1-linux-s390x.tar.gz
+eb0cc3db68e17faab8d60ad8e69f0a21eaf14dfd593c4f1b7117d49f51baaf43  node-v18.9.1-linux-s390x.tar.xz
+33ecf5f39618f4beb90a9be98880325cb4f06e33b52e315040a54fd0700f2434  node-v18.9.1-linux-x64.tar.gz
+0777cf4e281359061a6b5d0afe6750f5efd0e874f489a5ebb53ec8b8f77e8b82  node-v18.9.1-linux-x64.tar.xz
+60160570e4d22c1735e74c0e954bcd94621870871a170b6b2cb4089d91204053  node-v18.9.1-win-x64.7z
+763e691ed8f51b8664da4dcc5a0f5d428dbd69d4162630a6fcf366e5e9e25e81  node-v18.9.1-win-x64.zip
+c9a22fe916685f1178d3ff60bdfc49a0d8d0b17944c640d0a0bfc8e25317bdaf  node-v18.9.1-win-x86.7z
+860cd7354943eb137715c510b77a7e230666b47998edd6f5ea803db1aaf8999a  node-v18.9.1-win-x86.zip
+b2886faeaed5a1ddc03325e8c1fca143e0bbfa250ae7a69a8326be364ad28577  node-v18.9.1-x64.msi
+af847e88b3a3d0ceb63ffd572ff906d3a60b2a235334b7336f11904cbe7d35bb  node-v18.9.1-x86.msi
+a3219e92b15afd4baa6a3bc8e3ad25f3036cb07bea08d2622c9a59db8d0a24f9  node-v18.9.1.pkg
+50ae12386eb79058ad2d38335e41ca120904900a36b1bcfb10934be9373f737b  node-v18.9.1.tar.gz
+f381963d43568ba699915c88629dc6da4a1963804dcd37b2e6e1d10d923dd5d9  node-v18.9.1.tar.xz
+6d5094f77f1273b8127046d9c528bb800470b178a0b44d271907de5cf19b9dde  win-x64/node.exe
 3111a04d3ae94921ac20f2afc4e167c59e50c07609ee940d1a8eec46f08310ad  win-x64/node.lib
-7f5f093c1f612803629218793c5eb72719274faa078a4f63ecbe543b7a00e9e6  win-x64/node_pdb.7z
-e750259b9c628578fc2ae463d62fadf6c95c266e1c5f32f252d80c7e716c3418  win-x64/node_pdb.zip
-3452040fc8d9e8894e169229d30425f00dfbf0082e00081baa7d550e7b7321d8  win-x86/node.exe
+28b6e90a8880b076b46e3f4662d19ea3e020f7b06c12135de31a62a2015019fb  win-x64/node_pdb.7z
+464771c89a6bd4fd3684e172d2dbd510906c30c4273c6526d26ddc1f7e3bce78  win-x64/node_pdb.zip
+f93ea0dbeb0e5326f53c7f1258d5315542c045651e43dae5ce18f7f32977fa3d  win-x86/node.exe
 e0b45a34da85070b41e13169a6ed30ea782d400dd8e8597d665727bac8d621f0  win-x86/node.lib
-1bc12a2b9686a08a935fc6e78c9595e44d61df33a342bd98ad89088f75367a7b  win-x86/node_pdb.7z
-c52111fdd0180eb82d96b376c37ecf1160f57ccb0e12102a5183ece4708d8c70  win-x86/node_pdb.zip
+f0a4d77ebccca0909f5532d9c14ac140dbb003075397b086ad4c7ede0b803b7e  win-x86/node_pdb.7z
+a1b7b350faceec615894e3c1e4a812122ef6f1c652bc3e531a6ea07104cfb155  win-x86/node_pdb.zip
--- a/SHASUMS256.txt.sig
+++ b/SHASUMS256.txt.sig
--- a/node-v18.9.1.tar.xz
+++ b/node-v18.9.1.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:f381963d43568ba699915c88629dc6da4a1963804dcd37b2e6e1d10d923dd5d9
+size 38315220
--- a/nodejs18.changes
+++ b/nodejs18.changes
@ -1,3 +1,15 @@
+-------------------------------------------------------------------
+Mon Sep 26 13:13:39 UTC 2022 - Adam Majer <adam.majer@suse.de>
+
+- Update to Nodejs 18.9.1:
+  * deps: llhttp updated to 6.0.10
+    + CVE-2022-32213 bypass via obs-fold mechanic
+    + Incorrect Parsing of Multi-line Transfer-Encoding
+      (CVE-2022-32215)
+    + Incorrect Parsing of Header Fields (CVE-35256)
+  * crypto: fix weak randomness in WebCrypto keygen
+    (CVE-2022-35255)
+
 -------------------------------------------------------------------
 Thu Sep 15 15:00:25 UTC 2022 - Adam Majer <adam.majer@suse.de>

--- a/nodejs18.spec
+++ b/nodejs18.spec
@ -15,23 +15,13 @@
 # Please submit bugfixes or comments via https://bugs.opensuse.org/
 #

-###########################################################
-#
-#   WARNING! WARNING! WARNING! WARNING! WARNING! WARNING!
-#
-# This spec file is generated from a template hosted at
-# https://github.com/AdamMajer/nodejs-packaging
-#
-###########################################################

-# Fedora doesn't have rpm-config-SUSE which provides
-# ext_man in /usr/lib/rpm/macros.d/macros.obs
 %if 0%{?fedora_version}
 %define ext_man .gz
 %endif

 Name:           nodejs18
-Version:        18.9.0
+Version:        18.9.1
 Release:        0

 # Double DWZ memory limits
@ -129,12 +119,12 @@ Source1:        https://nodejs.org/dist/v%{version}/SHASUMS256.txt
 Source2:        https://nodejs.org/dist/v%{version}/SHASUMS256.txt.sig
 Source3:        nodejs.keyring

-# Python 3.4 compatible node-gyp 
-### https://github.com/nodejs/node-gyp.git 
-### git archive v7.1.2 gyp/ | xz > node-gyp_7.1.2.tar.xz 
-Source5:        node-gyp_7.1.2.tar.xz 
-# Only required to run unit tests in NodeJS 10+ 
-Source10:       update_npm_tarball.sh 
+# Python 3.4 compatible node-gyp
+### https://github.com/nodejs/node-gyp.git
+### git archive v7.1.2 gyp/ | xz > node-gyp_7.1.2.tar.xz
+Source5:        node-gyp_7.1.2.tar.xz
+# Only required to run unit tests in NodeJS 10+
+Source10:       update_npm_tarball.sh
 Source11:       node_modules.tar.xz
 Source20:       bash_output_helper.bash

@ -145,8 +135,6 @@ Patch5:         sle12_python3_compat.patch
 Patch7:         manual_configure.patch
 Patch13:        openssl_binary_detection.patch

-
-
 ## Patches specific to SUSE and openSUSE
 Patch100:       linker_lto_jobs.patch
 # PATCH-FIX-OPENSUSE -- set correct path for dtrace if it is built
@ -173,8 +161,8 @@ Patch200:       versioned.patch
 Patch303:       openssl3_fixups.patch
 Patch304:       new_python3.patch

-BuildRequires:  pkg-config
 BuildRequires:  fdupes
+BuildRequires:  pkg-config
 BuildRequires:  procps
 BuildRequires:  xz
 BuildRequires:  zlib-devel
@ -194,10 +182,10 @@ BuildRequires:  config(netcfg)
 %if 0%{?suse_version} == 1110
 # GCC 5 is only available in the SUSE:SLE-11:SP4:Update repository (SDK).
 %if %node_version_number >= 8
-BuildRequires:   gcc5-c++
+BuildRequires:  gcc5-c++
 %define forced_gcc_version 5
 %else
-BuildRequires:   gcc48-c++
+BuildRequires:  gcc48-c++
 %define forced_gcc_version 4.8
 %endif
 %endif
@ -207,15 +195,15 @@ BuildRequires:   gcc48-c++
 # for SLE-12:Update targets
 %if 0%{?suse_version} == 1315
 %if %node_version_number >= 17
-BuildRequires:   gcc12-c++
+BuildRequires:  gcc12-c++
 %define forced_gcc_version 12
 %else
 %if %node_version_number >= 14
-BuildRequires:   gcc9-c++
+BuildRequires:  gcc9-c++
 %define forced_gcc_version 9
 %else
 %if %node_version_number >= 8
-BuildRequires:   gcc7-c++
+BuildRequires:  gcc7-c++
 %define forced_gcc_version 7
 %endif
 %endif
@ -224,7 +212,7 @@ BuildRequires:   gcc7-c++

 %if 0%{?suse_version} == 1500
 %if %node_version_number >= 17
-BuildRequires:   gcc12-c++
+BuildRequires:  gcc12-c++
 %define forced_gcc_version 12
 %endif
 %endif
@ -235,7 +223,6 @@ BuildRequires:   gcc12-c++
 BuildRequires:  gcc-c++
 %endif

-
 # Python dependencies
 %if %node_version_number >= 16

@ -260,8 +247,8 @@ BuildRequires:  python
 %endif

 %if 0%{?suse_version} >= 1500 && %{node_version_number} >= 10
-BuildRequires:  user(nobody)
 BuildRequires:  group(nobody)
+BuildRequires:  user(nobody)
 %endif

 %if ! 0%{with intree_openssl}
@ -324,7 +311,7 @@ BuildRequires:  valgrind
 %if %{with libalternatives}
 Requires:       alts
 %else
-Requires(postun): %{_sbindir}/update-alternatives
+Requires(postun):%{_sbindir}/update-alternatives
 %endif
 # either for update-alternatives, or their removal
 Requires(post): %{_sbindir}/update-alternatives
@ -363,8 +350,8 @@ ExclusiveArch:  not_buildable
 %endif
 %endif

-Provides:       bundled(uvwasi) = 0.0.12
 Provides:       bundled(libuv) = 1.43.0
+Provides:       bundled(uvwasi) = 0.0.12
 Provides:       bundled(v8) = 10.2.154.15
 %if %{with intree_brotli}
 Provides:       bundled(brotli) = 1.0.9
@ -372,8 +359,7 @@ Provides:       bundled(brotli) = 1.0.9
 BuildRequires:  pkgconfig(libbrotlidec)
 %endif

-
-Provides:       bundled(llhttp) = 6.0.9
+Provides:       bundled(llhttp) = 6.0.10
 Provides:       bundled(ngtcp2) = 0.1.0-DEV

 Provides:       bundled(node-acorn) = 8.8.0
@ -391,8 +377,8 @@ provided by npm.
 Summary:        Development headers for NodeJS 18.x
 Group:          Development/Languages/NodeJS
 Provides:       nodejs-devel = %{version}
-Requires:       npm18 = %{version}
 Requires:       %{name} = %{version}
+Requires:       npm18 = %{version}

 %description devel
 This package provides development headers for Node.js needed for creation
@ -409,12 +395,12 @@ Requires:       nodejs-common
 Requires:       nodejs18 = %{version}
 Provides:       nodejs-npm = %{version}
 Obsoletes:      nodejs-npm < 4.0.0
-Provides:       npm(npm) = 8.19.1
 Provides:       npm = %{version}
+Provides:       npm(npm) = 8.19.1
 %if 0%{?suse_version} >= 1500
 %if %{node_version_number} >= 10
-Requires:       user(nobody)
 Requires:       group(nobody)
+Requires:       user(nobody)
 %endif
 %endif
 Provides:       bundled(node-abbrev) = 1.1.1
@ -580,8 +566,8 @@ Provides:       bundled(node-spdx-exceptions) = 2.3.0
 Provides:       bundled(node-spdx-expression-parse) = 3.0.1
 Provides:       bundled(node-spdx-license-ids) = 3.0.11
 Provides:       bundled(node-ssri) = 9.0.1
-Provides:       bundled(node-string_decoder) = 1.3.0
 Provides:       bundled(node-string-width) = 4.2.3
+Provides:       bundled(node-string_decoder) = 1.3.0
 Provides:       bundled(node-strip-ansi) = 6.0.1
 Provides:       bundled(node-supports-color) = 7.2.0
 Provides:       bundled(node-tar) = 6.1.11
@ -688,7 +674,6 @@ mkdir deps/npm/node_modules/node-gyp
 tar -C deps/npm/node_modules/node-gyp Jxf %{SOURCE5}
 %endif

-
 %build
 # normalize shebang
 %if %{node_version_number} >= 12
@ -1016,6 +1001,7 @@ update-alternatives --remove npm-default %{_bindir}/npm%{node_version_number}
 update-alternatives --remove npx-default %{_bindir}/npx%{node_version_number}

 %else
+
 %pre
 # remove files that are no longer owned but provided by update-alternatives
 if ! [ -L %{_mandir}/man1/node.1%{ext_man} ]; then