Revisions of nodejs4

Adam Majer (adamm) committed (revision 110)
Syncing ARM fixes
Adam Majer (adamm) committed (revision 109)
Adam Majer (adamm) committed (revision 108)
- CVE-2019-13173.patch: fix potential file overwrite via hardlink
  in fstream.DirWriter() function (bsc#1140290, CVE-2019-13173)
Adam Majer (adamm) committed (revision 107)
Fix typo in patch name
Adam Majer (adamm) committed (revision 106)
Adam Majer (adamm) committed (revision 105)
  Backport security fixes from NodeJS 6.x:
  * deps: upgrade OpenSSL source to 1.0.2r. Under certain
    circumstances, a TLS server can be forced to respond differently
    to a client if a zero-byte record is received with an
    invalid padding compared to a zero-byte record with an
    invalid MAC. This can be used as the basis of a padding
    oracle attack to decrypt data.
    (openssl_1_0_2q.patch - CVE-2019-1559, bsc#1127080)
  * http: (http-keep-alive.patch)
    + Backport server.keepAliveTimeout to prevent keep-alive
      HTTP and HTTPS connections remaining open and inactive for
      an extended period of time, leading to a potential
      Denial of Service (DoS).
      (CVE-2019-5739, bsc#1127533)
    + Further prevention of "Slowloris" attacks on HTTP and HTTPS
      connections by consistently applying the receive timeout set
      by server.headersTimeout to connections in keep-alive mode.
      (CVE-2019-5737, bsc#1127532)

- nodejs.keyring: update keyring to today's list as per
  https://github.com/nodejs/node
Adam Majer (adamm) committed (revision 104)
- env_shebang.patch: dropped in favour of programmatic update
Adam Majer (adamm) committed (revision 103)
Adam Majer (adamm) committed (revision 102)
  * deps: upgrade OpenSSL sources to 1.0.2q
    (openssl_1_0_2q.patch - CVE-2018-0734, bsc#1113652,
                            CVE-2018-5407, bsc#1113534)
Adam Majer (adamm) committed (revision 101)
  * cli: add --max-http-header-size flag (max_header_size.patch)
    + add maxHeaderSize property (max_header_size.patch)
      (CVE-2018-12121.patch - CVE-2018-12121, bsc#1117626)
    + A timeout of 40 seconds now applies to servers receiving
      HTTP headers. This value can be adjusted with
      server.headersTimeout. Where headers are not completely
      received within this period, the socket is destroyed on
      the next received chunk. In conjunction with
      server.setTimeout(), this aids in protecting against
      excessive resource retention and possible Denial of Service.
      (CVE-2018-12122.patch - CVE-2018-12122, bsc#1117627)
      (CVE-2018-12116.patch - CVE-2018-12116, bsc#1117630)
    (CVE-2018-12123.patch - CVE-2018-12123, bnc#1117629)
Adam Majer (adamm) committed (revision 100)
    + Headers received by HTTP servers must not exceed 8192 bytes
      in total to prevent possible Denial of Service attacks.
      CVE-2018-12121.patch - (CVE-2018-12121, bsc#1117626)
Adam Majer (adamm) committed (revision 99)
Backport security fixes from NodeJS 6.x:
  * debugger: prevent the debugger from listening on 0.0.0.0.
    It now defaults to 127.0.0.1.
    CVE-2018-12120.patch - (CVE-2018-12120, bsc#1117625)
  * http:
    + Two-byte characters are now strictly disallowed for the path
      option in HTTP client requests. Paths containing characters
      outside of the range \u0021 - \u00ff will now be rejected
      with a TypeError. This behavior can be reverted if necessary
      by supplying the --security-revert=CVE-2018-12116 command
      line argument (this is not recommended).
      CVE-2018-12116.patch - (CVE-2018-12116, bsc#1117630)
  * util: Fix a bug that would allow a hostname being spoofed when
    parsing URLs with url.parse() with the 'javascript:' protocol.
    CVE-2018-12123.patch - (CVE-2018-12123, bnc#1117629)
Adam Majer (adamm) committed (revision 98)
- flaky_test_rerun.patch: Rerun failing tests in case of flakiness
Adam Majer (adamm) committed (revision 97)
Adam Majer (adamm) committed (revision 96)
Adam Majer (adamm) committed (revision 95)
Adam Majer (adamm) committed (revision 94)
- fix_ci_tests.patch: skip parallel/test-tick-processor on arm.
  Unreliable test in shared environment.
- enable unit tests build failures
Adam Majer (adamm) committed (revision 93)
- test-ca-bumps.patch: update certificates used in unit tests
Adam Majer (adamm) committed (revision 92)
Adam Majer (adamm) committed (revision 91)