Revisions of nodejs16
Adam Majer (adamm)
committed
(revision 102)
- CVE-2024-27983.patch - Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash (High) (bsc#1222244, CVE-2024-27983)
- CVE-2024-27982.patch - HTTP Request Smuggling via Content Length Obfuscation (Medium) (bsc#1222384, CVE-2024-27982)
- updated dependencies:
  + llhttp version 6.1.1
- CVE-2024-22025.patch - test timeout adjustment
Adam Majer (adamm)
committed
(revision 101)
* sle12-node-gyp-addon-gypi.patch - GYP patches for SLE12
Adam Majer (adamm)
committed
(revision 100)
* CVE-2023-46809.patch: Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) (Medium) (CVE-2023-46809, bsc#1219997)
* CVE-2024-22019.patch: http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks (High) (CVE-2024-22019, bsc#1219993)
* CVE-2024-22025.patch: fix Denial of Service by resource exhaustion in fetch() brotli decoding (CVE-2024-22025, bsc#1220014)
* CVE-2024-24758.patch: ignore proxy-authorization headers (CVE-2024-24758, bsc#1220017)
* CVE-2024-24806.patch: fix improper domain lookup that potentially leads to SSRF attacks (CVE-2024-24806, bsc#1220053)
- CVE-2023-38552.patch: Integrity checks according to policies can be circumvented (CVE-2023-38552, bsc#1216272)
- CVE-2023-39333.patch, wasm-fixture.tar.gz: Code injection via WebAssembly export names (CVE-2023-39333, bsc#1216273)
- CVE-2023-45143.patch: undici Security Release (CVE-2023-45143, bsc#1216205)
- nodejs.keyring: include new releaser keys
Adam Majer (adamm)
committed
(revision 99)
- CVE-2023-38552.patch: Integrity checks according to policies can be circumvented (CVE-2023-38552, bsc#1216272)
- CVE-2023-39333.patch: Code injection via WebAssembly export names (CVE-2023-39333, bsc#1216273)
- CVE-2023-44487.patch: nghttp2 Security Release (CVE-2023-44487, bsc#1216190)
- CVE-2023-45143.patch: undici Security Release (CVE-2023-39333, bsc#1216273)
Adam Majer (adamm)
committed
(revision 98)
- Update to LTS version 16.20.2 (security fixes). The following CVEs were fixed:
  * (CVE-2023-32002, bsc#1214150): Policies can be bypassed via Module._load (High)
  * (CVE-2023-32006, bsc#1214156): Policies can be bypassed by module.constructor.createRequire (Medium)
  * (CVE-2023-32559, bsc#1214154): Policies can be bypassed via process.binding (Medium)
Adam Majer (adamm)
committed
(revision 97)
Adam Majer (adamm)
committed
(revision 96)
- Update to version 16.20.1 (security fixes only). The following CVEs are fixed in this release:
  * (CVE-2023-30581, bsc#1212574): mainModule.__proto__ Bypass Experimental Policy Mechanism (High)
  * (CVE-2023-30585, bsc#1212579): Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (Medium)
  * (CVE-2023-30588, bsc#1212581): Process interruption due to invalid Public Key information in x509 certificates (Medium)
  * (CVE-2023-30589, bsc#1212582): HTTP Request Smuggling via Empty headers separated by CR (Medium)
  * (CVE-2023-30590, bsc#1212583): DiffieHellman does not generate keys after setting a private key (Medium)
  * deps: update c-ares to 1.19.1: c-ares security issues fixed:
    + CVE-2023-32067. High. 0-byte UDP payload causes Denial of Service (bsc#1211604)
    + CVE-2023-31147. Moderate. Insufficient randomness in generation of DNS query IDs (bsc#1211605)
    + CVE-2023-31130. Moderate. Buffer Underwrite in ares_inet_net_pton() (bsc#1211606)
    + CVE-2023-31124. Low. AutoTools does not set CARES_RANDOM_FILE during cross compilation (bsc#1211607)
- fix_ci_tests.patch: increase default timeout on unit tests to 20min from 2min. This seems to have led to build failures on some platforms, like s390x in Factory. (bsc#1211407)
Adam Majer (adamm)
committed
(revision 95)
- Update to NodeJS 18.16.0 LTS version
  * Add initial support for single executable applications
  * Replace url parser with Ada
  * buffer: add Buffer.copyBytesFrom
- refreshed patches: versioned.patch linker_lto_jobs.patch
Adam Majer (adamm)
committed
(revision 94)
- Update to LTS version 16.20.0
  * deps:
    + update undici to 5.20.0
    + update c-ares to 1.19.0
    + upgrade npm to 8.19.4
- legacy_python.patch, versioned.patch: refreshed
Adam Majer (adamm)
committed
(revision 93)
* updates undici to v5.19.1
  + Fetch API in Node.js did not protect against CRLF injection in host headers
  + Regular Expression Denial of Service in Headers in Node.js fetch API
  (bsc#1208413, bsc#1208485, CVE-2023-24807, CVE-2023-23936)
Adam Majer (adamm)
committed
(revision 92)
- Update to LTS version 16.19.1:
  * fixes permissions policies can be bypassed via process.mainModule (bsc#1208481, CVE-2023-23918)
  * fixes insecure loading of ICU data through ICU_DATA environment variable (bsc#1208487, CVE-2023-23920)
  * fixes OpenSSL error handling issues in nodejs crypto library (bsc#1208483, CVE-2023-23919)
  * updates undici to v5.19.1 (bsc#1208413, CVE-2023-24807)
- versioned.patch: refreshed
- Update _constraints:
  * Less RAM for aarch64 and 32-bit arm
  * Use 'asimdrdm' cpu flag to use aarch64 workers where tests are more stable
Adam Majer (adamm)
committed
(revision 91)
- Update to LTS version 16.19.0:
  * dgram: add dgram send queue info
  * cli: add --watch
- systemtap.patch: upstreamed, removed
Adam Majer (adamm)
committed
(revision 90)
- sle12_python3_compat.patch: only apply for older SLE12 codestreams where Python 3.6 is not available. Still a workaround for bsc#1205568
Adam Majer (adamm)
committed
(revision 89)
- Workaround bug on SLE12SP5 during source unpack (bsc#1205568)
Adam Majer (adamm)
committed
(revision 88)
Adam Majer (adamm)
committed
(revision 87)
Adam Majer (adamm)
committed
(revision 86)
- Replace node-gyp for SLE12 with python 3.4 compatible gyp
Adam Majer (adamm)
committed
(revision 85)
Fix build with python 3.6 in SLE12 SP5
Adam Majer (adamm)
committed
(revision 84)
Fix build on SLES12
Adam Majer (adamm)
committed
(revision 83)
- Update to LTS version 16.18.1:
  * inspector: DNS rebinding in --inspect via invalid octal IP (bsc#1205119, CVE-2022-43548)
Displaying revisions 1 - 20 of 102