Revisions of nodejs12

Adam Majer (adamm) committed (revision 157)
Adam Majer (adamm) committed (revision 156)
- CVE-2024-27983.patch - Assertion failed in
  node::http2::Http2Session::~Http2Session() leads to
  HTTP/2 server crash (High) (bsc#1222244, CVE-2024-27983)
- CVE-2024-27982.patch - HTTP Request Smuggling via Content Length
  Obfuscation (Medium) (bsc#1222384, CVE-2024-27982)
- updated dependencies:
  + llhttp version 6.1.1
Adam Majer (adamm) committed (revision 155)
Adam Majer (adamm) committed (revision 154)
 * CVE-2023-46809.patch: Node.js is vulnerable to the Marvin Attack
   (timing variant of the Bleichenbacher attack against
   PKCS#1 v1.5 padding) - (Medium) (CVE-2023-46809, bsc#1219997)
 * CVE-2024-22019.patch: http: Reading unprocessed HTTP request with
   unbounded chunk extension allows DoS attacks (High)
   (CVE-2024-22019, bsc#1219993)
 * CVE-2024-22025.patch: fix Denial of Service by resource exhaustion
   in fetch() brotli decoding (CVE-2024-22025, bsc#1220014)
 * CVE-2024-24806.patch: fix improper domain lookup that
   potentially leads to SSRF attacks (CVE-2024-24806, bsc#1220053)
Adam Majer (adamm) committed (revision 153)
- CVE-2023-38552.patch: Integrity checks according to policies
  can be circumvented (CVE-2023-38552, bsc#1216272)
- CVE-2023-44487.patch: nghttp2 Security Release (CVE-2023-44487, bsc#1216190)
- nodejs.keyring: include new releaser keys
- newicu_test_fixup.patch: work around whitespace funnies in
  some ICU versions
Adam Majer (adamm) committed (revision 152)
Adam Majer (adamm) committed (revision 151)
Adam Majer (adamm) committed (revision 150)
- CVE-2023-30581.patch: fixes mainModule.__proto__ Bypass
  Experimental Policy Mechanism (CVE-2023-30581, bsc#1212574)
- CVE-2023-30589.patch: HTTP Request Smuggling via empty headers
  separated by CR (CVE-2023-30589, bsc#1212582)
- CVE-2023-30590.patch: DiffieHellman does not generate keys
  after setting a private key (CVE-2023-30590, bsc#1212583)
- CVE-2023-23918.patch: fixes permissions policies can be
  bypassed via process.mainModule (bsc#1208481, CVE-2023-23918)
- CVE-2023-32002.patch:
  + fixes policies can be bypassed via Module._load
  + fixes policies can be bypassed by module.constructor.createRequire
    (CVE-2023-32002, CVE-2023-32006, bsc#1214150, bsc#1214156)
- CVE-2023-32559.patch: Policies can be bypassed via
  process.binding (CVE-2023-32559, bsc#1214154)
Adam Majer (adamm) committed (revision 149)
Adam Majer (adamm) committed (revision 148)
- CVE-2022-25881.patch: http-cache-semantics(npm): Don't use regex
  to trim whitespace (bsc#1208744, CVE-2022-25881)
Adam Majer (adamm) committed (revision 147)
- CVE-2023-23920.patch: fixes insecure loading of ICU data
  through ICU_DATA environment variable (bsc#1208487, CVE-2023-23920)

- Update _constraints:
  * Less RAM for aarch64 and 32-bit arm
  * Use 'asimdrdm' cpu flag to use aarch64 workers where tests
    are more stable
Adam Majer (adamm) committed (revision 146)
- CVE-2022-43548.patch:
  * inspector: DNS rebinding in --inspect via invalid octal IP
    (bsc#1205119, CVE-2022-43548)
Adam Majer (adamm) committed (revision 145)
- CVE-2022-35256.patch: update llhttp to 2.1.6
    + fixes CVE-2022-32213 bypass via obs-fold mechanic (bsc#1201325)
    + fixes incorrect parsing of header fields (CVE-2022-35256, bsc#1203832)
Adam Majer (adamm) committed (revision 144)
- openssl_update.patch: deps: update openssl to 1.1.1q
  affecting SLE-12 codestream only
  (bsc#1201099, CVE-2022-2097)
Adam Majer (adamm) committed (revision 143)
Adam Majer (adamm) committed (revision 142)
- CVE-2022-32213.patch: http: stricter Transfer-Encoding and header separator parsing
  (bsc#1201325, bsc#1201326, bsc#1201327, CVE-2022-32213,
   CVE-2022-32214, CVE-2022-32215)
- CVE-2022-32212.patch: fix IPv4 validation in inspector_socket
  (bsc#1201328, CVE-2022-32212)
Adam Majer (adamm) committed (revision 141)
- CVE-2021-44906.patch: fix prototype pollution in npm dependency
  (bsc#1198247, CVE-2021-44906)
- CVE-2021-44907.patch: fix insufficient sanitization in npm dependency
  (bsc#1197283, CVE-2021-44907)
- CVE-2022-0235.patch: fix passing of cookie data and sensitive headers
  to different hostnames in node-fetch-npm (bsc#1194819, CVE-2022-0235)
Adam Majer (adamm) committed (revision 140)
- update to 12.22.12
  * node-api: avoid SecondPassCallback crash
    + fix shutdown crashes
    + make reference weak parameter an indirect link to references
    + fix crash in finalization
    + stop ref gc during environment teardown
    + force env shutdown deferring behavior
  * src: fix finalization crash
Adam Majer (adamm) committed (revision 139)
- update to 12.22.11
  * deps: upgrade openssl sources to 1.1.1n (bsc#1196877, CVE-2022-0778)
    Infinite loop in BN_mod_sqrt() reachable when parsing certificates
    More details at https://www.openssl.org/news/secadv/20220315.txt
    + CVE-2021-32803 - node-tar: Insufficient symlink protection
Adam Majer (adamm) committed (revision 138)
- update to 12.22.10
  * Upgrade npm to 6.14.16
    + CVE-2021-23343 - ReDoS via splitDeviceRe, splitTailRe and
      splitPathRe (bsc#1192153)
    + CVE-2021-23343 - node-tar: Insufficient symlink protection
      allowing arbitrary file creation and overwrite (bsc#1191963)
    + CVE-2021-32804 - node-tar: Insufficient absolute path sanitization
      allowing arbitrary file creation and overwrite (bsc#1191962)
    + CVE-2021-3918 - json-schema is vulnerable to Improperly
      Controlled Modification of Object Prototype Attributes (bsc#1192696)
  * Updated ICU time zone data
- CVE-2021-3807.patch: node-ansi-regex: Regular expression
  denial of service (ReDoS) matching ANSI escape codes
  (bsc#1192154, CVE-2021-3807)
- versioned.patch: refreshed
- z15-test-skip.patch: dropped
- fix_ci_tests.patch: fix tests on z15
Displaying revisions 1 - 20 of 157
openSUSE Build Service is sponsored by