Revisions of nodejs14
Adam Majer (adamm) committed (revision 112)
- CVE-2024-27983.patch - Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash (High) (bsc#1222244, CVE-2024-27983)
- CVE-2024-27982.patch - HTTP Request Smuggling via Content Length Obfuscation (Medium) (bsc#1222384, CVE-2024-27982)
- updated dependencies:
  + llhttp version 6.1.1
- CVE-2024-22025.patch - test timeout adjustment
Adam Majer (adamm) committed (revision 111)
* CVE-2023-46809.patch: Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) (Medium) (CVE-2023-46809, bsc#1219997)
* CVE-2024-22019.patch: http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks (High) (CVE-2024-22019, bsc#1219993)
* CVE-2024-22025.patch: fix Denial of Service by resource exhaustion in fetch() brotli decoding (CVE-2024-22025, bsc#1220014)
* CVE-2024-24806.patch: fix improper domain lookup that potentially leads to SSRF attacks (CVE-2024-24806, bsc#1220053)
Adam Majer (adamm) committed (revision 110)
Adam Majer (adamm) committed (revision 109)
- CVE-2023-38552.patch: Integrity checks according to policies can be circumvented (CVE-2023-38552, bsc#1216272)
- CVE-2023-44487.patch: nghttp2 Security Release (CVE-2023-44487, bsc#1216190)
- nodejs.keyring: include new releaser keys
- newicu_test_fixup.patch: workaround whitespace funnies in some icu versions
Adam Majer (adamm) committed (revision 108)
* CVE-2023-32002.patch:
  + fixes policies can be bypassed via Module._load
  + fixes policies can be bypassed by module.constructor.createRequire
  (CVE-2023-32002, CVE-2023-32006, bsc#1214150, bsc#1214156)
* CVE-2023-32559.patch: Policies can be bypassed via process.binding (CVE-2023-32559, bsc#1214154)
Adam Majer (adamm) committed (revision 107)
- CVE-2023-30581.patch: fixes mainModule.__proto__ Bypass Experimental Policy Mechanism (CVE-2023-30581, bsc#1212574)
- CVE-2023-30589.patch: HTTP Request Smuggling via empty headers separated by CR (CVE-2023-30589, bsc#1212582)
- CVE-2023-30590.patch: DiffieHellman does not generate keys after setting a private key (CVE-2023-30590, bsc#1212583)
Adam Majer (adamm) committed (revision 106)
Adam Majer (adamm) committed (revision 105)
- CVE-2022-25881.patch: http-cache-semantics(npm): Don't use regex to trim whitespace (bsc#1208744, CVE-2022-25881)
Adam Majer (adamm) committed (revision 104)
- BR: python 3.6
Adam Majer (adamm) committed (revision 103)
- Update to 14.21.3:
  * fixes permissions policies can be bypassed via process.mainModule (bsc#1208481, CVE-2023-23918)
  * fixes insecure loading of ICU data through ICU_DATA environment variable (bsc#1208487, CVE-2023-23920)
  * deps: update npm to 6.14.18
    + CVE-2021-44907.patch: upstreamed and removed
- Update _constraints:
  * Less RAM for aarch64 and 32-bit arm
  * Use 'asimdrdm' cpu flag to use aarch64 workers where tests are more stable
Adam Majer (adamm) committed (revision 102)
- Update to 14.21.2:
  * http2: fix memory leak when nghttp2 hd threshold is reached
Adam Majer (adamm) committed (revision 101)
- Update to 14.21.1:
  * inspector: DNS rebinding in --inspect via invalid octal IP (bsc#1205119, CVE-2022-43548)
Adam Majer (adamm) committed (revision 100)
- Update to 14.21.0:
  * src: add --openssl-shared-config option
Adam Majer (adamm) committed (revision 99)
Adam Majer (adamm) committed (revision 98)
Removed CVE that does not apply here anymore
Adam Majer (adamm) committed (revision 97)
+ CVE-2022-32213 bypass via obs-fold mechanic (bsc#1201325)
+ Incorrect Parsing of Header Fields (CVE-2022-35256, bsc#1203832)
+ fixes HTTP Request Smuggling Due to Incorrect Parsing of Multi-line Transfer-Encoding (bsc#1201327, CVE-2022-32215)
- Skip test-fs-utimes-y2K38.js on armv6hl as well as armv7hl.
Adam Majer (adamm) committed (revision 96)
- Update to 14.20.1:
  * deps: update llhttp to 2.1.6:
    + CVE-2022-32213 bypass via obs-fold mechanic
    + Incorrect Parsing of Header Fields (CVE-2022-35256)
Adam Majer (adamm) committed (revision 95)
- Update to 14.20.0:
  * http: stricter Transfer-Encoding and header separator parsing (bsc#1201325, bsc#1201326, bsc#1201327, CVE-2022-32213, CVE-2022-32214, CVE-2022-32215)
  * src: fix IPv4 validation in inspector_socket (bsc#1201328, CVE-2022-32212)
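The request smuggling entries in this log (revision 112: Content-Length obfuscation; revision 107: empty headers separated by CR; revisions 97 and 96: obs-fold and multi-line Transfer-Encoding; revision 95: stricter Transfer-Encoding and header separator parsing) name the defect classes but not what a strict parser has to refuse. The following is an added example, not Node.js, llhttp or nodejs14 package code: a request-head validator that rejects each of those framings. The function names, rejection reasons and sample requests are constructed for illustration.

```javascript
// Added example, not Node.js, llhttp or nodejs14 package code: a strict
// HTTP/1.1 request-head validator. It rejects the framing ambiguities the
// changelog names (obs-fold, bare CR between headers, multi-line or
// malformed Transfer-Encoding, obfuscated Content-Length). Function names
// and reason strings are illustrative.

const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;          // RFC 7230 token
const FIELD_VALUE = /^[\t\x20-\x7e\x80-\xff]*$/;           // HTAB, SP, VCHAR, obs-text
const REQUEST_LINE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+ \S+ HTTP\/1\.[01]$/;
const stripOWS = (s) => s.replace(/^[ \t]+|[ \t]+$/g, ''); // optional whitespace is SP/HTAB only

function validateRequestHead(raw) {
  const end = raw.indexOf('\r\n\r\n');
  if (end === -1) return { ok: false, reason: 'head not terminated by CRLFCRLF' };
  // Split on CRLF only; a bare CR or LF then stays inside a line and is caught below.
  const lines = raw.slice(0, end).split('\r\n');
  if (!REQUEST_LINE.test(lines[0])) return { ok: false, reason: 'malformed request line' };

  const headers = new Map(); // lowercased name -> list of values, in order
  for (const line of lines.slice(1)) {
    if (line.startsWith(' ') || line.startsWith('\t')) {
      return { ok: false, reason: 'obs-fold continuation line' };
    }
    if (line.includes('\r') || line.includes('\n')) {
      return { ok: false, reason: 'bare CR or LF inside header line' };
    }
    const colon = line.indexOf(':');
    if (colon <= 0) return { ok: false, reason: 'malformed header line' };
    const name = line.slice(0, colon);            // no whitespace allowed before the colon
    const value = stripOWS(line.slice(colon + 1));
    if (!TOKEN.test(name)) return { ok: false, reason: 'invalid header name' };
    if (!FIELD_VALUE.test(value)) return { ok: false, reason: 'invalid header value' };
    const key = name.toLowerCase();
    if (!headers.has(key)) headers.set(key, []);
    headers.get(key).push(value);
  }

  const cl = headers.get('content-length') || [];
  const te = headers.get('transfer-encoding') || [];
  if (cl.length && te.length) {
    return { ok: false, reason: 'both Content-Length and Transfer-Encoding' };
  }
  if (cl.some((v) => !/^\d+$/.test(v))) return { ok: false, reason: 'obfuscated Content-Length' };
  if (new Set(cl).size > 1) return { ok: false, reason: 'conflicting Content-Length values' };
  if (te.length > 1) return { ok: false, reason: 'multiple Transfer-Encoding lines' };
  let chunked = false;
  if (te.length === 1) {
    const codings = te[0].split(',').map((c) => stripOWS(c).toLowerCase());
    if (codings.some((c) => !TOKEN.test(c))) return { ok: false, reason: 'invalid transfer-coding' };
    // RFC 7230 3.3.3: chunked must be the final coding, otherwise the body length is undetermined
    if (codings[codings.length - 1] !== 'chunked') {
      return { ok: false, reason: 'chunked is not the final transfer-coding' };
    }
    chunked = true;
  }
  return { ok: true, chunked, contentLength: cl.length ? Number(cl[0]) : 0 };
}

// Constructed sample request heads (not captured traffic).
const SAMPLES = {
  clean: 'POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\n',
  clAndTe: 'POST / HTTP/1.1\r\nHost: h\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n',
  obsFoldTe: 'POST / HTTP/1.1\r\nHost: h\r\nTransfer-Encoding: chunked\r\n , identity\r\n\r\n',
  bareCr: 'POST / HTTP/1.1\r\nHost: h\r\nX-A: 1\rX-B: 2\r\n\r\n',
  spaceBeforeColon: 'POST / HTTP/1.1\r\nHost: h\r\nContent-Length : 5\r\n\r\n',
  signedCl: 'POST / HTTP/1.1\r\nHost: h\r\nContent-Length: +5\r\n\r\n',
  chunkedNotLast: 'POST / HTTP/1.1\r\nHost: h\r\nTransfer-Encoding: chunked, gzip\r\n\r\n',
};

// Returns sample name -> 'ok' or the rejection reason.
function checkSamples() {
  const out = {};
  for (const [name, raw] of Object.entries(SAMPLES)) {
    const r = validateRequestHead(raw);
    out[name] = r.ok ? 'ok' : r.reason;
  }
  return out;
}

for (const [name, result] of Object.entries(checkSamples())) console.log(name, '->', result);
```

The validator splits only on CRLF, so a bare CR or LF never acts as a header separator, and it treats any whitespace before the colon or any non-digit in Content-Length as a hard error rather than something to normalise; normalising is exactly what lets two parsers in a chain disagree about where a request ends.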
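The inspector entries (revision 101, DNS rebinding in --inspect via an invalid octal IP, and the IPv4 validation fix in inspector_socket in revision 95) both turn on host literals that a strict check and a lenient resolver read differently. The following is an added example and not the Node.js inspector's own host check: a lenient inet_aton(3)-style parser beside a strict dotted-decimal check, showing which literals the two disagree on. Function names and the sample hosts are illustrative.

```javascript
// Added example, not the Node.js inspector's own host check: a lenient
// inet_aton(3)-style IPv4 parser beside a strict dotted-decimal check,
// to show which host literals the two read differently. Function names
// and sample hosts are illustrative.

// Lenient parse as inet_aton(3) does it: one to four parts, each decimal,
// octal (leading 0) or hex (0x prefix); the final part fills all remaining
// bytes. Returns the canonical dotted-decimal string, or null.
function lenientIPv4(s) {
  const parts = s.split('.');
  if (parts.length > 4) return null;
  const nums = [];
  for (const p of parts) {
    if (/^0[xX][0-9a-fA-F]+$/.test(p)) nums.push(parseInt(p.slice(2), 16));
    else if (/^0[0-7]*$/.test(p)) nums.push(parseInt(p, 8));
    else if (/^[1-9][0-9]*$/.test(p)) nums.push(parseInt(p, 10));
    else return null;
  }
  const last = nums.pop();
  const lastBytes = 4 - nums.length; // bytes covered by the final part
  if (nums.some((n) => n > 255) || last >= 2 ** (8 * lastBytes)) return null;
  const octets = [...nums];
  for (let i = lastBytes - 1; i >= 0; i--) octets.push((last >>> (8 * i)) & 255);
  return octets.join('.');
}

// Strict check: exactly four decimal octets, no leading zeros, each 0..255.
// This is what an allow-list comparison against a literal should require.
function strictIPv4(s) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return false;
  return m.slice(1).every((o) => (o === '0' || o[0] !== '0') && Number(o) <= 255);
}

// For a host literal, report whether the strict check accepts it and what a
// lenient resolver would turn it into.
function describeHost(host) {
  return { host, strict: strictIPv4(host), lenient: lenientIPv4(host) };
}

// Constructed sample literals: the first is loopback to both parsers, the
// middle four are loopback only to the lenient one, the last is invalid to both.
const HOSTS = ['127.0.0.1', '0177.0.0.1', '127.1', '0x7f.1', '2130706433', '256.1.1.1'];

for (const h of HOSTS) console.log(describeHost(h));
```

The gap between the two functions is the whole point: a check that compares a host string against a literal with the strict grammar and then hands the same string to a resolver that accepts the lenient grammar is reasoning about two different addresses.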
Adam Majer (adamm) committed (revision 94)
- Update to 14.19.3:
  * Upgrade npm to v6.14.17
- obsoleted and removed: CVE-2021-3807.patch, CVE-2021-44906.patch
- refreshed: versioned.patch
Adam Majer (adamm) committed (revision 93)
Update to 14.19.1:
* deps: upgrade openssl sources to 1.1.1n (bsc#1196877, CVE-2022-0778)
  Infinite loop in BN_mod_sqrt() reachable when parsing certificates
  More details at https://www.openssl.org/news/secadv/20220315.txt