Revisions of nodejs14

Adam Majer (adamm) committed (revision 112)
- CVE-2024-27983.patch - Assertion failed in
  node::http2::Http2Session::~Http2Session() leads to
  HTTP/2 server crash (High) (bsc#1222244, CVE-2024-27983)
- CVE-2024-27982.patch - HTTP Request Smuggling via Content Length
  Obfuscation (Medium) (bsc#1222384, CVE-2024-27982)
- updated dependencies:
  + llhttp version 6.1.1
- CVE-2024-22025.patch - test timeout adjustment
Adam Majer (adamm) committed (revision 111)
 * CVE-2023-46809.patch: Node.js is vulnerable to the Marvin Attack
   (timing variant of the Bleichenbacher attack against
   PKCS#1 v1.5 padding) - (Medium) (CVE-2023-46809, bsc#1219997)
 * CVE-2024-22019.patch: http: Reading unprocessed HTTP request with
   unbounded chunk extension allows DoS attacks (High)
   (CVE-2024-22019, bsc#1219993)
 * CVE-2024-22025.patch: fix Denial of Service by resource exhaustion
   in fetch() brotli decoding (CVE-2024-22025, bsc#1220014)
 * CVE-2024-24806.patch: fix improper domain lookup that
   potentially leads to SSRF attacks (CVE-2024-24806, bsc#1220053)
Adam Majer (adamm) committed (revision 110)
Adam Majer (adamm) committed (revision 109)
- CVE-2023-38552.patch: Integrity checks according to policies
  can be circumvented (CVE-2023-38552, bsc#1216272)
- CVE-2023-44487.patch: nghttp2 Security Release (CVE-2023-44487, bsc#1216190)
- nodejs.keyring: include new releaser keys
- newicu_test_fixup.patch: work around whitespace funnies in
  some icu versions
Adam Majer (adamm) committed (revision 108)
  * CVE-2023-32002.patch:
    + fixes policies can be bypassed via Module._load
    + fixes policies can be bypassed by module.constructor.createRequire
      (CVE-2023-32002, CVE-2023-32006, bsc#1214150, bsc#1214156)
  * CVE-2023-32559.patch: Policies can be bypassed via
    process.binding (CVE-2023-32559, bsc#1214154)
Adam Majer (adamm) committed (revision 107)
- CVE-2023-30581.patch: fixes mainModule.__proto__ Bypass
  Experimental Policy Mechanism (CVE-2023-30581, bsc#1212574)
- CVE-2023-30589.patch: HTTP Request Smuggling via empty headers
  separated by CR (CVE-2023-30589, bsc#1212582)
- CVE-2023-30590.patch: DiffieHellman does not generate keys
  after setting a private key (CVE-2023-30590, bsc#1212583)
Adam Majer (adamm) committed (revision 106)
Adam Majer (adamm) committed (revision 105)
- CVE-2022-25881.patch: http-cache-semantics(npm): Don't use regex
  to trim whitespace (bsc#1208744, CVE-2022-25881)
Adam Majer (adamm) committed (revision 104)
- BR: python 3.6
Adam Majer (adamm) committed (revision 103)
- Update to 14.21.3:
  * fixes permissions policies can be bypassed via process.mainModule
    (bsc#1208481, CVE-2023-23918)
  * fixes insecure loading of ICU data through ICU_DATA environment
    variable (bsc#1208487, CVE-2023-23920)
  * deps: update npm to 6.14.18
    + CVE-2021-44907.patch: upstreamed and removed

- Update _constraints:
  * Less RAM for aarch64 and 32-bit arm
  * Use 'asimdrdm' cpu flag to use aarch64 workers where tests
    are more stable
Adam Majer (adamm) committed (revision 102)
- Update to 14.21.2:
  * http2: fix memory leak when nghttp2 hd threshold is reached
Adam Majer (adamm) committed (revision 101)
- Update to 14.21.1:
  * inspector: DNS rebinding in --inspect via invalid octal IP
    (bsc#1205119, CVE-2022-43548)
Adam Majer (adamm) committed (revision 100)
- Update to 14.21.0:
  * src: add --openssl-shared-config option
Adam Majer (adamm) committed (revision 99)
Adam Majer (adamm) committed (revision 98)
Removed CVE that does not apply here anymore
Adam Majer (adamm) committed (revision 97)
    + CVE-2022-32213 bypass via obs-fold mechanic (bsc#1201325)
    + Incorrect Parsing of Header Fields (CVE-2022-35256, bsc#1203832)
    + fixes HTTP Request Smuggling Due to Incorrect Parsing
      of Multi-line Transfer-Encoding (bsc#1201327, CVE-2022-32215)

- Skip test-fs-utimes-y2K38.js on armv6hl as well as armv7hl.
Adam Majer (adamm) committed (revision 96)
- Update to 14.20.1:
  * deps: update llhttp to 2.1.6:
    + CVE-2022-32213 bypass via obs-fold mechanic
    + Incorrect Parsing of Header Fields (CVE-2022-35256)
Adam Majer (adamm) committed (revision 95)
- Update to 14.20.0:
  * http: stricter Transfer-Encoding and header separator parsing
    (bsc#1201325, bsc#1201326, bsc#1201327,
     CVE-2022-32213, CVE-2022-32214, CVE-2022-32215)
  * src: fix IPv4 validation in inspector_socket
    (bsc#1201328, CVE-2022-32212)
Adam Majer (adamm) committed (revision 94)
- Update to 14.19.3:
  * Upgrade npm to v6.14.17
- obsoleted and removed: CVE-2021-3807.patch, CVE-2021-44906.patch
- refreshed: versioned.patch
Adam Majer (adamm) committed (revision 93)
- Update to 14.19.1:
  * deps: upgrade openssl sources to 1.1.1n (bsc#1196877, CVE-2022-0778)
    Infinite loop in BN_mod_sqrt() reachable when parsing certificates
    More details at https://www.openssl.org/news/secadv/20220315.txt
Displaying revisions 1 - 20 of 112