- Update to 21.7.2:
* Assertion failed in node::http2::Http2Session::~Http2Session()
leads to HTTP/2 server crash (High) (bsc#1222244, CVE-2024-27983)
* HTTP Request Smuggling via Content Length Obfuscation
(Medium) (bsc#1222384, CVE-2024-27982)
* updated dependencies:
+ llhttp version 9.2.1
+ undici version 6.11.1 (bsc#1222530, bsc#1222603,
CVE-2024-30260, CVE-2024-30261)
- node-gyp-addon-gypi.patch: adapted for new unit test layouts
- Update to 21.7.1
* revert "test_runner: do not invoke after hook when test is empty"
* lib: return directly if udp socket close before lookup
- Changes in 21.7.0
* util.styleText(format, text): This function returns a
formatted text considering the format passed.
* support for multi-line values for .env file
* sea: support embedding assets
* vm: support using the default loader to handle dynamic import()
* crypto: implement crypto.hash()
* http2: add h2 compat support for appendHeader
- versioned.patch, nodejs-libpath.patch: refreshed
- c-ares-fixes.patch: upstreamed, removed
- Add libalternative config for corepack
OBS-URL: https://build.opensuse.org/request/show/1166607
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/nodejs21?expand=0&rev=8
* CVE-2024-27983 - Assertion failed in node::http2::Http2Session::~Http2Session()
leads to HTTP/2 server crash- (High) (bsc#1222244)
* CVE-2024-27982 - HTTP Request Smuggling via Content Length
Obfuscation- (Medium) (bsc#1222384)
* updated dependencies:
+ llhttp version 9.2.1
+ undici version 6.11.1 (bsc#1222530, CVE-2024-30260)
- node-gyp-addon-gypi.patch: adapted for new unit test layouts
OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs21?expand=0&rev=26
* revert "test_runner: do not invoke after hook when test is empty"
* lib: return directly if udp socket close before lookup
- Changes in 21.7.0
* util.styleText(format, text): This function returns a
formatted text considering the format passed.
* support for multi-line values for .env file
* sea: support embedding assets
* vm: support using the default loader to handle dynamic import()
* crypto: implement crypto.hash()
* http2: add h2 compat support for appendHeader
- versioned.patch, nodejs-libpath.patch: refreshed
- c-ares-fixes.patch: upstreamed, removed
- Add libalternative config for corepack
OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs21?expand=0&rev=21
- Update to 21.6.2: (security updates)
* (CVE-2024-21892, bsc#1219992) - Code injection and privilege escalation through Linux capabilities- (High)
* (CVE-2024-22019, bsc#1219993) - http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks- (High)
* (CVE-2024-21896, bsc#1219994) - Path traversal by monkey-patching Buffer internals- (High)
* (CVE-2024-22017, bsc#1219995) - setuid() does not drop all privileges due to io_uring - (High)
* (CVE-2023-46809, bsc#1219997) - Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) - (Medium)
* (CVE-2024-21891, bsc#1219998) - Multiple permission model bypasses due to improper path traversal sequence sanitization - (Medium)
* (CVE-2024-21890, bsc#1219999) - Improper handling of wildcards in --allow-fs-read and --allow-fs-write (Medium)
* (CVE-2024-22025, bsc#1220014) - Denial of Service by resource exhaustion in fetch() brotli decoding - (Medium)
* undici version 5.28.3 (CVE-2024-24758, bsc#1220017)
* libuv version 1.48.0
OBS-URL: https://build.opensuse.org/request/show/1147153
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/nodejs21?expand=0&rev=7
* (CVE-2024-21892, bsc#1219992) - Code injection and privilege escalation through Linux capabilities- (High)
* (CVE-2024-22019, bsc#1219993) - http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks- (High)
* (CVE-2024-21896, bsc#1219994) - Path traversal by monkey-patching Buffer internals- (High)
* (CVE-2024-22017, bsc#1219995) - setuid() does not drop all privileges due to io_uring - (High)
* (CVE-2023-46809, bsc#1219997) - Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) - (Medium)
* (CVE-2024-21891, bsc#1219998) - Multiple permission model bypasses due to improper path traversal sequence sanitization - (Medium)
* (CVE-2024-21890, bsc#1219999) - Improper handling of wildcards in --allow-fs-read and --allow-fs-write (Medium)
* (CVE-2024-22025, bsc#1220014) - Denial of Service by resource exhaustion in fetch() brotli decoding - (Medium)
* undici version 5.28.3 (CVE-2024-24758, bsc#1220017)
* libuv version 1.48.0
OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs21?expand=0&rev=19
* Revert "stream: fix cloned webstreams not being unref'd"
- Changes in 21.6.0:
* New connection attempt events
* --allow-addons to enable addon usage when using the Permission Model.
* Support configurable snapshot through --build-snapshot-config flag
- fix_ci_tests.patch: refreshed
OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs21?expand=0&rev=16
