Revisions of nodejs16

Adam Majer (adamm) committed (revision 102)
- CVE-2024-27983.patch - Assertion failed in
  node::http2::Http2Session::~Http2Session() leads to
  HTTP/2 server crash (High) (bsc#1222244, CVE-2024-27983)
- CVE-2024-27982.patch - HTTP Request Smuggling via Content Length
  Obfuscation (Medium) (bsc#1222384, CVE-2024-27982)
- updated dependencies:
  + llhttp version 6.1.1
- CVE-2024-22025.patch - test timeout adjustment
Adam Majer (adamm) committed (revision 101)
 * sle12-node-gyp-addon-gypi.patch - GYP patches for SLE12
Adam Majer (adamm) committed (revision 100)
 * CVE-2023-46809.patch: Node.js is vulnerable to the Marvin Attack
   (timing variant of the Bleichenbacher attack against
   PKCS#1 v1.5 padding) - (Medium) (CVE-2023-46809, bsc#1219997)
 * CVE-2024-22019.patch: http: Reading unprocessed HTTP request with
   unbounded chunk extension allows DoS attacks (High)
   (CVE-2024-22019, bsc#1219993)
 * CVE-2024-22025.patch: fix Denial of Service by resource exhaustion
   in fetch() brotli decoding (CVE-2024-22025, bsc#1220014)
 * CVE-2024-24758.patch: ignore proxy-authorization headers
   (CVE-2024-24758, bsc#1220017)
 * CVE-2024-24806.patch: fix improper domain lookup that
   potentially leads to SSRF attacks (CVE-2024-24806, bsc#1220053)
- CVE-2023-38552.patch: Integrity checks according to policies
  can be circumvented (CVE-2023-38552, bsc#1216272)
- CVE-2023-39333.patch, wasm-fixture.tar.gz: Code injection via
  WebAssembly export names (CVE-2023-39333, bsc#1216273)
- CVE-2023-45143.patch: undici Security Release (CVE-2023-45143, bsc#1216205)
- nodejs.keyring: include new releaser keys
Adam Majer (adamm) committed (revision 99)
- CVE-2023-38552.patch: Integrity checks according to policies can be circumvented (CVE-2023-38552, bsc#1216272)
- CVE-2023-39333.patch: Code injection via WebAssembly export names (CVE-2023-39333, bsc#1216273)
- CVE-2023-44487.patch: nghttp2 Security Release (CVE-2023-44487, bsc#1216190)
- CVE-2023-45143.patch: undici Security Release (CVE-2023-39333, bsc#1216273)
Adam Majer (adamm) committed (revision 98)
- Update to LTS version 16.20.2 (security fixes). The following CVEs
  were fixed:
  * (CVE-2023-32002, bsc#1214150): Policies can be bypassed
     via Module._load (High)
  * (CVE-2023-32006, bsc#1214156): Policies can be bypassed by
     module.constructor.createRequire (Medium)
  * (CVE-2023-32559, bsc#1214154): Policies can be bypassed via
     process.binding (Medium)
Adam Majer (adamm) committed (revision 97)
Adam Majer (adamm) committed (revision 96)
- Update to version 16.20.1 (security fixes only). The following
  CVEs are fixed in this release:
  * (CVE-2023-30581, bsc#1212574): mainModule.__proto__ Bypass
    Experimental Policy Mechanism (High)
  * (CVE-2023-30585, bsc#1212579): Privilege escalation via
    Malicious Registry Key manipulation during Node.js
    installer repair process (Medium)
  * (CVE-2023-30588, bsc#1212581): Process interruption due to invalid
    Public Key information in x509 certificates (Medium)
  * (CVE-2023-30589, bsc#1212582): HTTP Request Smuggling via
    Empty headers separated by CR (Medium)
  * (CVE-2023-30590, bsc#1212583): DiffieHellman does not
    generate keys after setting a private key (Medium)
  * deps: update c-ares to 1.19.1: c-ares security issues fixed:
    + CVE-2023-32067. High. 0-byte UDP payload causes Denial of Service
      (bsc#1211604)
    + CVE-2023-31147 Moderate. Insufficient randomness in generation
      of DNS query IDs (bsc#1211605)
    + CVE-2023-31130. Moderate. Buffer Underwrite in
      ares_inet_net_pton() (bsc#1211606)
    + CVE-2023-31124. Low. AutoTools does not set CARES_RANDOM_FILE
      during cross compilation (bsc#1211607)
- fix_ci_tests.patch: increase default timeout on unit tests
  to 20min from 2min. This seems to have led to build failures
  on some platforms, like s390x in Factory. (bsc#1211407)
Adam Majer (adamm) committed (revision 95)
- Update to NodeJS 18.16.0 LTS version
  * Add initial support for single executable applications
  * Replace url parser with Ada
  * buffer: add Buffer.copyBytesFrom
- refreshed patches: versioned.patch linker_lto_jobs.patch
Adam Majer (adamm) committed (revision 94)
- Update to LTS version 16.20.0
  * deps:
    + update undici to 5.20.0
    + update c-ares to 1.19.0
    + upgrade npm to 8.19.4
- legacy_python.patch, versioned.patch: refreshed
Adam Majer (adamm) committed (revision 93)
  * updates undici to v5.19.1
    + Fetch API in Node.js did not protect against CRLF injection in host headers
    + Regular Expression Denial of Service in Headers in Node.js fetch API
    (bsc#1208413, bsc#1208485, CVE-2023-24807, CVE-2023-23936)
Adam Majer (adamm) committed (revision 92)
- Update to LTS version 16.19.1:
  * fixes permissions policies can be bypassed via process.mainModule
    (bsc#1208481, CVE-2023-23918)
  * fixes insecure loading of ICU data through ICU_DATA environment
    variable (bsc#1208487, CVE-2023-23920)
  * fixes OpenSSL error handling issues in nodejs crypto library
    (bsc#1208483, CVE-2023-23919)
  * updates undici to v5.19.1 (bsc#1208413, CVE-2023-24807)
- versioned.patch: refreshed

- Update _constraints:
  * Less RAM for aarch64 and 32-bit arm
  * Use 'asimdrdm' cpu flag to use aarch64 workers where tests
    are more stable
Adam Majer (adamm) committed (revision 91)
- Update to LTS version 16.19.0:
  * dgram: add dgram send queue info
  * cli: add --watch
- systemtap.patch: upstreamed, removed
Adam Majer (adamm) committed (revision 90)
- sle12_python3_compat.patch: only apply for older SLE12 codestreams
  where Python 3.6 is not available. Still a workaround for bsc#1205568
Adam Majer (adamm) committed (revision 89)
- Workaround bug on SLE12SP5 during source unpack (bsc#1205568)
Adam Majer (adamm) committed (revision 88)
Adam Majer (adamm) committed (revision 87)
Adam Majer (adamm) committed (revision 86)
- Replace node-gyp for SLE12 with python 3.4 compatible gyp
Adam Majer (adamm) committed (revision 85)
Fix build with python 3.6 in SLE12 SP5
Adam Majer (adamm) committed (revision 84)
Fix build on SLES12
Adam Majer (adamm) committed (revision 83)
- Update to LTS version 16.18.1:
  * inspector: DNS rebinding in --inspect via invalid octal IP
    (bsc#1205119, CVE-2022-43548)