------------------------------------------------------------------- Tue Jan 11 18:50:33 UTC 2022 - Adam Majer - update to 14.18.3: Security update fixing the following issues: * Improper handling of URI Subject Alternative Names (Medium) (CVE-2021-44531, bsc#1194511) * Certificate Verification Bypass via String Injection (Medium) (CVE-2021-44532, bsc#1194512) * Incorrect handling of certificate subject and issuer fields (Medium) (CVE-2021-44533, bsc#1194513) * Prototype pollution via console.table properties (Low) (CVE-2022-21824, bsc#1194514) ------------------------------------------------------------------- Thu Dec 16 19:32:37 UTC 2021 - Adam Majer - update to 14.18.2: * lib: fix regular expression to detect `/` and `\` * worker: avoid potential deadlock on NearHeapLimit - sle12_python3_compat.patch: refreshed ------------------------------------------------------------------- Thu Nov 25 12:21:25 UTC 2021 - Guillaume GARDET - Fix CXXFLAGS in Tumbleweed - boo#1192824 ------------------------------------------------------------------- Tue Nov 9 15:56:53 UTC 2021 - Adam Majer - update to 14.18.1: * deps: update llhttp to 2.1.4 - HTTP Request Smuggling due to spaced in headers (bsc#1191601, CVE-2021-22959) - HTTP Request Smuggling when parsing the body (bsc#1191602, CVE-2021-22960) - changes in 14.18.0: * buffer: + introduce Blob + add base64url encoding option * child_process: + allow options.cwd receive a URL + add timeout to spawn and fork + allow promisified exec to be cancel + add 'overlapped' stdio flag * dns: add "tries" option to Resolve options * fs: + allow empty string for temp directory prefix + allow no-params fsPromises fileHandle read + add support for async iterators to fsPromises.writeFile * http2: add support for sensitive headers * process: add 'worker' event * tls: allow reading data into a static buffer * worker: add setEnvironmentData/getEnvironmentData - changes in 14.17.6: * deps: upgrade npm to 6.14.15 which fixes a number of security issues (bsc#1190057, CVE-2021-37701, bsc#1190056, CVE-2021-37712, bsc#1190055, CVE-2021-37713, bsc#1190054, CVE-2021-39134, bsc#1190053, CVE-2021-39135) - test-skip-y2038-on-32bit-time_t.patch: fix test failure when 64-bit time_t is used on 32-bit arches - refreshed patches: versioned.patch, flaky_test_rerun.patch - PR39011.patch: upstreamed ------------------------------------------------------------------- Thu Aug 12 13:50:24 UTC 2021 - Adam Majer - update to 14.17.5: * CVE-2021-3672/CVE-2021-22931: Improper handling of untypical characters in domain names (bsc#1189370, bsc#1188881) * CVE-2021-22940: Use after free on close http2 on stream canceling (bsc#1189368) * CVE-2021-22939: Incomplete validation of rejectUnauthorized parameter (bsc#1189369) - cares_public_headers.patch: don't use private headers ------------------------------------------------------------------- Mon Aug 9 12:54:40 UTC 2021 - Adam Majer - z15-test-skip.patch: skip problematic test on s390x ------------------------------------------------------------------- Mon Aug 2 12:15:43 UTC 2021 - Adam Majer - update to 14.17.4: http2: fixes use after free on close http2 on stream canceling (bsc#1188917, CVE-2021-22930) - old_icu.patch: merged, removed - versioned.patch: updated - node_modules.tar.xz: refreshed - PR39011.patch: use localhost instead of remote for unit test ------------------------------------------------------------------- Fri Jul 2 15:27:59 UTC 2021 - Adam Majer - update to 14.17.2: deps: libuv upgrade - Out of bounds read (Medium) (bsc#1187973, CVE-2021-22918) - old_icu.patch: update with upstream's patch from https://github.com/nodejs/node/pull/39068 - specfile cleanup ------------------------------------------------------------------- Thu Jun 17 09:48:02 UTC 2021 - Adam Majer - update to 14.17.1: * deps: update ICU to 69.1 * errors: align source-map stacks with spec - Fix-build-with-icu-69.patch: upstreamed ------------------------------------------------------------------- Fri Jun 4 22:12:29 UTC 2021 - Dirk Müller - update to 14.17.0: * Experimental support for AbortController and AbortSignal * Diagnostics channel (experimental module) * UUID support in the crypto module * update ICU to 68.1 * upgrade to libuv 1.41.0 * deps: npm update to 6.14.13 ssri Regular Expression Denial of Service and hosted-git-info Regular Expression Denial of Service (bsc#1187976, bsc#1187977, CVE-2021-27290, CVE-2021-23362) - add Fix-build-with-icu-69.patch: fix build with icu 69 ------------------------------------------------------------------- Mon May 31 16:27:44 UTC 2021 - Adam Majer - Use libalternatives instead of update-alternatives ------------------------------------------------------------------- Wed Apr 7 12:35:34 UTC 2021 - Adam Majer - New upstream LTS version 14.16.1: * CVE-2020-7774: npm upgrade - Update y18n to fix Prototype-Pollution (High) This is a vulnerability in the y18n npm module which may be exploited by prototype pollution. You can read more about it in https://github.com/advisories/GHSA-c4w7-xm78-47vh (bsc#1184450) * deps: upgrade npm to 6.14.12 - versioned.patch: refreshed ------------------------------------------------------------------- Tue Feb 23 14:46:06 UTC 2021 - Adam Majer - New upstream LTS version 14.16.0: * CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion (bsc#1182619) * CVE-2021-22884: DNS rebinding in --inspect (bsc#1182620) ------------------------------------------------------------------- Wed Feb 17 17:33:25 UTC 2021 - Adam Majer - New upstream LTS version 14.15.5: * deps: + upgrade npm to 6.14.11 + V8: backport dfcf1e86fac0 #37245 Note: Node.js is not believed to be vulnerable to CVE-2021-21148 * stream,zlib: do not use _stream_* anymore - relax OpenSSL cipher suite policies for unit tests ------------------------------------------------------------------- Mon Jan 4 19:27:41 UTC 2021 - Adam Majer - New upstream LTS version 14.15.4: * CVE-2020-8265: use-after-free in TLSWrap (High) bug in TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits (bsc#1180553) * CVE-2020-8287: HTTP Request Smuggling allow two copies of a header field in a http request. For example, two Transfer-Encoding header fields. In this case Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling (https://cwe.mitre.org/data/definitions/444.html). (bsc#1180554) ------------------------------------------------------------------- Mon Dec 21 12:37:16 UTC 2020 - Adam Majer - New upstream LTS version 14.15.3: * deps: + upgrade npm to 6.14.9 + update acorn to v8.0.4 * http2: check write not scheduled in scope destructor * stream: fix regression on duplex end - versioned.patch, sle12_python3_compat.patch: refreshed ------------------------------------------------------------------- Mon Nov 30 19:44:30 UTC 2020 - Adam Majer - openssl_binary_detection.patch: fixes unit tests on SLE12 ------------------------------------------------------------------- Mon Nov 23 16:06:15 UTC 2020 - Adam Majer - Update Requires: so -devel requires npm - Rely on rpmbuild to define necessary python dependencies ------------------------------------------------------------------- Thu Nov 19 11:42:09 UTC 2020 - Adam Majer - New upstream LTS version 14.15.1: * deps: Denial of Service through DNS request (High). A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service by getting the application to resolve a DNS record with a larger number of responses (bsc#1178882, CVE-2020-8277) ------------------------------------------------------------------- Thu Oct 29 10:12:54 UTC 2020 - Adam Majer - Update to LTS version 14.15.0: (jsc#SLE-15774) * no major changes * test: reverts marking test-webcrypto-encrypt-decrypt-aes flaky ------------------------------------------------------------------- Tue Oct 20 14:23:42 UTC 2020 - Adam Majer - Use SLE OpenSSL version with 12-SP4+, and not just 12-SP5+ - Bump mininum ICU version to 65 ------------------------------------------------------------------- Fri Oct 16 11:54:33 UTC 2020 - Adam Majer - Update to version 14.14.0: * fs: add rm method * http: allow passing array of key/val into writeHead * src: expose v8::Isolate setup callbacks - sle12_python3_compat.patch: refreshed ------------------------------------------------------------------- Thu Oct 8 15:12:05 UTC 2020 - Adam Majer - Update to version 14.13.1: * fs: rmdir recursive is no longer considered experimental - fix_ci_tests.patch: add support to SUSE's ECDH backport errors in SLE's openssl ------------------------------------------------------------------- Tue Oct 6 11:30:37 UTC 2020 - Adam Majer - Update to version 14.13.0: * deps: upgrade to libuv 1.40.0 #35333 * module: named exports for CJS via static analysis #35249 * module: exports pattern support #34718 * src: allow N-API addon in AddLinkedBinding() ------------------------------------------------------------------- Thu Sep 24 19:04:31 UTC 2020 - Adam Majer - Update to version 14.12.0: * n-api: + create N-API version 7 + add more property defaults - Changes since version 14.9.0 * deps: + update llhttp to 2.1.2 (bsc#1176605, CVE-2020-8201) + http: add requestTimeout. Fixes Denial of Service by resource exhaustion due to unfinished HTTP/1.1 requests (bsc#1176604, CVE-2020-8251) + buffer: also alias BigUInt methods + crypto: add randomInt function + perf_hooks: add idleTime and event loop util + stream: simpler and faster Readable async iterator + stream: save error in state ------------------------------------------------------------------- Wed Sep 2 10:44:47 UTC 2020 - Adam Majer - old_icu.patch: re-add support for ICU 65 from SLE15 SP2 - fix_ci_tests.patch: move debug symbol strip for testing to the Makefile ------------------------------------------------------------------- Fri Aug 28 10:39:52 UTC 2020 - Adam Majer - Update to version 14.9.0: * build: set --v8-enable-object-print by default (Mary Marchini) #34705 * deps: + upgrade to libuv 1.39.0 (cjihrig) #34915 + upgrade npm to 6.14.8 (Ruy Adorno) #34834 + V8: cherry-pick e06ace6b5cdb (Anna Henningsen) #34673 * n-api: handle weak no-finalizer refs correctly (Gabriel Schulhof) #34839 * tools: add debug entitlements for macOS 10.15+ (Gabriele Greco) #34378 - Changes in version 14.8.0: * async_hooks: add AsyncResource.bind utility (James M Snell) #34574 * deps: update to uvwasi 0.0.10 (Colin Ihrig) #34623 * module: unflag Top-Level Await (Myles Borins) #34558 * n-api: support type-tagging objects (Gabriel Schulhof) #28237 * n-api,src: provide asynchronous cleanup hooks (Anna Henningsen) #34572 - versioned.patch: refreshed - linker_lto_jobs.patch: refreshed ------------------------------------------------------------------- Mon Aug 10 16:38:15 UTC 2020 - Adam Majer - Explicitly add -fno-strict-aliasing to CFLAGS to fix compilation on Aarch64 with gcc10 (bsc#1172686) ------------------------------------------------------------------- Mon Aug 3 12:20:57 UTC 2020 - Adam Majer - Update to version 14.7.0: * deps: upgrade npm to 6.14.7 * dgram: add IPv6 scope id suffix to received udp6 dgrams * src: + allow preventing SetPromiseRejectCallback #34387 + allow setting a dir for all diagnostic output #33584 * worker: make MessagePort inherit from EventTarget #34057 * zlib: switch to lazy init for zlib streams (Andrey Pechkurov) #34048 ------------------------------------------------------------------- Tue Jul 28 07:13:57 UTC 2020 - Dirk Mueller - avoid rpmbuild warnings on if/else/endif constructs ------------------------------------------------------------------- Wed Jul 22 12:52:50 UTC 2020 - Adam Majer - Update to version 14.6.0: * deps: + upgrade to libuv 1.38.1 + upgrade npm to 6.14.6 fixing information leak through log files (bsc#1173937, CVE-2020-15095) + update V8 to 8.4.371.19 * module: + doc only deprecation of module.parent + package "imports" field * src: allow embedders to disable esm loader * tls: make 'createSecureContext' honor more options * vm: add run-after-evaluate microtask mode * worker: add option to track unmanaged file descriptors - versioned.patch - refreshed ------------------------------------------------------------------- Thu Jul 2 20:51:30 UTC 2020 - Adam Majer - Update to version 14.5.0: * deps: V8 engine is updated to version 8.3. For details, see https://v8.dev/blog/v8-release-83 * events: experimental implementation of EventTarget For details, see https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V14.md#14.5.0 - sle12_python3_compat.patch: refreshed - fix_ci_tests.patch: refreshed ------------------------------------------------------------------- Tue Jun 9 11:45:55 UTC 2020 - Adam Majer - Add Require for nodejs14 when intalling npm14. (bsc#1172728) ------------------------------------------------------------------- Thu Jun 4 12:03:49 UTC 2020 - Adam Majer - Update to version 14.4.0: * napi: fix various types of memory corruption in napi_get_value_string_*() (CVE-2020-8174, bsc#1172443) * http2: fix HTTP/2 Large Settings Frame DoS (CVE-2020-11080, bsc#1172442) * TLS session reuse can lead to host certificate verification bypass (CVE-2020-8172, bsc#1172441) ------------------------------------------------------------------- Fri May 29 10:46:58 UTC 2020 - Adam Majer - Update to version 14.3.0: * repl: previews improvements with autocompletion * it's now possible to use the await keyword outside of async functions, with the --experimental-top-level-await flag - Changes in version 14.2.0: * console: Support for console constructor groupIndentation options - skip_no_console.patch: refreshed - versioned.patch, fix_ci_tests.patch: refreshed ------------------------------------------------------------------- Thu Apr 30 11:22:45 UTC 2020 - Adam Majer - Update to version 14.1.0: * deps: upgrade openssl sources to 1.1.1g (SLE-12 only) * http: doc deprecate abort and improve docs * module: do not warn when accessing __esModule of unfinished exports * n-api: detect deadlocks in thread-safe function * src: deprecate embedder APIs with replacements * stream: + don't emit end after close + don't wait for close on legacy streams + pipeline should only destroy un-finished streams * vm: add importModuleDynamically option to compileFunction skip_no_console.patch: add more unit tests that fail on dumb terminals ------------------------------------------------------------------- Mon Apr 27 13:35:05 UTC 2020 - Adam Majer - Initial version 14.0.0 Deprecations * crypto: move pbkdf2 without digest to EOL * fs: deprecate closing FileHandle on garbage collection * http: move OutboundMessage.prototype.flush to EOL * lib: move GLOBAL and root aliases to EOL * os: move tmpDir() to EOL * src: remove deprecated wasm type check * stream: move _writableState.buffer to EOL * doc: deprecate process.mainModule * doc: deprecate process.umask() with no arguments For a detailed list of changes, see https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V14.md#14.0.0