File nodejs6.changes of Package nodejs6.12088

-------------------------------------------------------------------
Mon Jul 29 09:01:36 UTC 2019 - Adam Majer <adam.majer@suse.de>

- CVE-2019-13173.patch: fix potential file overwrite via hardlink
  in fstream.DirWriter() function (bsc#1140290, CVE-2019-13173)

-------------------------------------------------------------------
Thu Feb 28 13:28:56 UTC 2019 - Adam Majer <adam.majer@suse.de>

- New upstream LTS release 6.17.0:
  * deps: OpenSSL has been upgraded to 1.0.2r. Under certain
    circumstances, a TLS server can be forced to respond differently
    to a client if a zero-byte record is received with an
    invalid padding compared to a zero-byte record with an
    invalid MAC. This can be used as the basis of a padding
    oracle attack to decrypt data.
    (CVE-2019-1559, bsc#1127080)

  * http:
    + Backport server.keepAliveTimeout to prevent keep-alive
      HTTP and HTTPS connections remaining open and inactive for
      an extended period of time, leading to a potential
      Denial of Service (DoS). (CVE-2019-5739, bsc#1127533)
    + Further prevention of "Slowloris" attacks on HTTP and HTTPS
      connections by consistently applying the receive timeout set
      by server.headersTimeout to connections in keep-alive mode.
      (CVE-2019-5737, bsc#1127532)

-------------------------------------------------------------------
Fri Feb  1 12:40:17 UTC 2019 - adam.majer@suse.de

- nodejs.keyring: update keyring to today's list as per
  https://github.com/nodejs/node

-------------------------------------------------------------------
Mon Jan  7 16:06:53 UTC 2019 - adam.majer@suse.de

- Update upstream LTS release 6.16.0:
  * cli: add --max-http-header-size flag
  * http: add maxHeaderSize property

- Changes in LTS release 6.15.0:
  * debugger: prevent the debugger from listening on 0.0.0.0.
    It now defaults to 127.0.0.1. (CVE-2018-12120, bsc#1117625)
  * deps: Upgrade to OpenSSL 1.0.2q, fixing 
    CVE-2018-0734 (bsc#1113652) and CVE-2018-5407 (bsc#1113534)
  * http:
    + Headers received by HTTP servers must not exceed 8192 bytes
      in total to prevent possible Denial of Service attacks.
      (CVE-2018-12121, bsc#1117626)
    + A timeout of 40 seconds now applies to servers receiving
      HTTP headers. This value can be adjusted with
      server.headersTimeout. Where headers are not completely
      received within this period, the socket is destroyed on
      the next received chunk. In conjunction with
      server.setTimeout(), this aids in protecting against
      excessive resource retention and possible Denial of Service.
      (CVE-2018-12122, bsc#1117627)
    + Two-byte characters are now strictly disallowed for the path
      option in HTTP client requests. Paths containing characters
      outside of the range \u0021 - \u00ff will now be rejected
      with a TypeError. This behavior can be reverted if necessary
      by supplying the --security-revert=CVE-2018-12116 command
      line argument (this is not recommended).
      (CVE-2018-12116, bsc#1117630)
  * util: Fix a bug that would allow a hostname being spoofed when
    parsing URLs with url.parse() with the 'javascript:' protocol.
    (CVE-2018-12123, bsc#1117629)

- skip_test_on_lowmem.patch: skip test on low-memory build machine

-------------------------------------------------------------------
Mon Nov 26 14:06:57 UTC 2018 - adam.majer@suse.de

- flaky_test_rerun.patch: Rerun failing tests in case of flakiness

-------------------------------------------------------------------
Mon Nov 12 12:26:46 UTC 2018 - adam.majer@suse.de

- env_shebang.patch: dropped in favour of programmatic update

-------------------------------------------------------------------
Mon Oct  1 14:47:48 UTC 2018 - adam.majer@suse.de

- fix_ci_tests.patch: Fix unit tests

-------------------------------------------------------------------
Mon Aug 20 08:44:21 UTC 2018 - adam.majer@suse.de

- New upstream LTS release 6.14.4:
  * buffer: Fix out-of-bounds (OOB) write in Buffer.write() for
    UCS-2 encoding (CVE-2018-12115, bsc#1105019)
  * deps: Upgrade to OpenSSL 1.0.2p, fixing:
    + Client DoS due to large DH parameter
      (CVE-2018-0732, bsc#1097158)
    + ECDSA key extraction via local side-channel

-------------------------------------------------------------------
Sun Jul 29 10:47:39 UTC 2018 - jengelh@inai.de

- Ensure neutrality of description.
- Use %make_install.

-------------------------------------------------------------------
Fri Jun 15 12:03:47 UTC 2018 - adam.majer@suse.de

- Recommend same major version npm package (bsc#1097748)

-------------------------------------------------------------------
Thu Jun 14 09:20:15 UTC 2018 - adam.majer@suse.de

- New upstream LTS release 6.14.3:
  * buffer: Fixes Denial of Service vulnerability where calling
    Buffer.fill() could hang (CVE-2018-7167, bsc#1097375)

-------------------------------------------------------------------
Thu May 24 14:17:25 UTC 2018 - adam.majer@suse.de

- env_shebang.patch: use absolute paths in executable shebang lines
- versioned.patch: updated to move shebang modifications to above
  patch.

-------------------------------------------------------------------
Fri May 11 12:36:46 UTC 2018 - adam.majer@suse.de

- New upstream LTS release 6.14.2:
  * n-api: n-api has been backported to v6.x.
- icu_61_namespacefix.patch: Fix building with ICU61.1 (bsc#1091764)
- versioned.patch: rebased

-------------------------------------------------------------------
Thu Apr  5 07:18:42 UTC 2018 - adam.majer@suse.de

- Install license with %license, not %doc (bsc#1082318)

-------------------------------------------------------------------
Wed Apr  4 13:29:24 UTC 2018 - adam.majer@suse.de

- Fix some node-gyp permissions

-------------------------------------------------------------------
Tue Apr  3 11:02:56 UTC 2018 - adam.majer@suse.de

- New upstream LTS release 6.14.1:
  * Security fixes:
    + Fix for inspector DNS rebinding vulnerability
      (bsc#1087463, CVE-2018-7160)
    + Fix for 'path' module regular expression denial of service
      (bsc#1087459, CVE-2018-7158)
    + Reject spaces in HTTP Content-Length header values
      (bsc#1087453, CVE-2018-7159)
  * Upgrade to OpenSSL 1.0.2o
  * deps: upgrade http-parser to v2.8.0

-------------------------------------------------------------------
Thu Mar 22 10:52:48 UTC 2018 - adam.majer@suse.de

- New upstream LTS release 6.13.1:
  * http,tls: better support for IPv6 addresses
  * console: added console.count() and console.clear()
  * crypto:
    + expose ECDH class
    + added cypto.randomFill() and crypto.randomFillSync()
    + warn on invalid authentication tag length
  * deps: upgrade libuv to 1.16.1
  * dgram: added socket.setMulticastInterface()
  * http: add agent.keepSocketAlive and agent.reuseSocket as to
    allow overridable keep-alive behavior of Agent
  * lib: return this from net.Socket.end()
  * module: add builtinModules api that provides list of all
    builtin modules in Node
  * net: return this from getConnections()
  * promises: more robust stringification for unhandled rejections
  * repl: improve require() autocompletion
  * src:
    + add openssl-system-ca-path configure option
    + add --use-bundled-ca --use-openssl-ca check
    + add process.ppid
  * tls: accept lookup option for tls.connect()
  * tools,build: a new macOS installer!
  * url: WHATWG URL api support
  * util: add %i and %f formatting specifiers
- remove any old manpage files in %pre from before update-alternatives
  were used to manage symlinks to these manpages.

-------------------------------------------------------------------
Tue Feb 13 08:40:52 UTC 2018 - adam.majer@suse.de

- Add Recommends and BuildRequire on python2 for npm. node-gyp
  requires this old version of python for now. This is only needed
  for binary modules.

-------------------------------------------------------------------
Tue Jan 30 18:10:06 CET 2018 - ro@suse.de

- even on recent codestreams there is no binutils gold on s390
  only on s390x

-------------------------------------------------------------------
Tue Jan  9 10:54:48 UTC 2018 - adam.majer@suse.de

- New upstream LTS release 6.12.3:
  * v8: profiler-related fixes
  * mostly documentation and test related changes
- nodejs-sle11-python26-check_output.patch: refreshed

-------------------------------------------------------------------
Fri Dec 22 14:28:07 UTC 2017 - adam.majer@suse.de

- Enable CI tests in %check target
  + fix_ci_tests.patch:
    - DNS queries in buildroots are failing with EAI_AGAIN
    - disable test-module-loading-globalpaths.js - we have
      hardcoded global paths
  + versioned.patch: call versioned node binary for tests

-------------------------------------------------------------------
Thu Dec 14 09:45:50 UTC 2017 - adam.majer@suse.de

- Dropped 8334.diff - no longer needed

-------------------------------------------------------------------
Sat Dec  9 03:22:01 UTC 2017 - qantas94heavy@gmail.com

- New upstream LTS release 6.12.2:
  * deps/openssl: updated to 1.0.2n (only applies to SLE 12 SP1
    and lower) (bsc#1072322)
    [ CVE-2017-3738 CVE-2017-15896 ]

- Changes in 6.12.1:
  * build: fix npm install with --shared
    [ gh#nodejs/node#16438 ]
  * build: building on systems with default Python 3 is now
    supported
    [ gh#nodejs/node#16058 ]
  * src: v8 options can be specified with either '_' or '-' in
    NODE_OPTIONS
    [ gh#nodejs/node#14093 ]

- Remove unnecessary curl BuildRequires
- Enable gold linker on s390x (TW and SLE/Leap 15)
- Build with bundled ICU if system ICU not available (only applies
  to SLE 11)

-------------------------------------------------------------------
Wed Nov 29 01:41:56 UTC 2017 - qantas94heavy@gmail.com

- Change BuildRequires from openssl-devel to libopenssl-1_0_0-devel
  due to Tumbleweed/Leap 15 change to OpenSSL 1.1.0 as default

-------------------------------------------------------------------
Thu Nov 16 13:16:25 UTC 2017 - adam.majer@suse.de

- Update nodejs.keyring based on current Release Team as found on
  https://github.com/nodejs/node#release-team

-------------------------------------------------------------------
Mon Nov 13 14:29:47 UTC 2017 - adam.majer@suse.de

- Fix permissions of node-gyp. This should be executable to allow
  building of binary node modules.

-------------------------------------------------------------------
Mon Nov 13 10:08:04 UTC 2017 - adam.majer@suse.de

- New upstream LTS release 6.12.0:
  * assert: assert.fail() can now take one or two arguments
  * crypto: add sign/verify support for RSASSA-PSS
  * deps:
    + upgrade openssl sources to 1.0.2m
      [OpenSSL Security Advisory (bsc#1066242, bsc#1056058)
       CVE-2017-3735 CVE-2017-3736]
    + upgrade libuv to 1.15.0
  * fs: Add support for fs.write/fs.writeSync(fd, buffer, cb) and
    fs.write/fs.writeSync(fd, buffer, offset, cb) as documented
  * inspector: enable --inspect-brk
  * process: add --redirect-warnings command line argument
  * src:
    + allow CLI args in env with NODE_OPTIONS
    + --abort-on-uncaught-exception in NODE_OPTIONS
    + allow --tls-cipher-list in NODE_OPTIONS
    + use SafeGetenv() for NODE_REDIRECT_WARNINGS
  * test: remove common.fail()
- 0f3e69db.patch, icu59.patch: removed empty patches
- nodejs-libpath.patch: refreshed

-------------------------------------------------------------------
Wed Oct 25 05:19:03 UTC 2017 - qantas94heavy@gmail.com

- New upstream LTS release 6.11.5:
  * zlib: (CVE-2017-14919: only affects TW) In zlib v1.2.9, a
    change was made that causes an exception to be thrown when a
    raw deflate stream is initialized with windowBits set to 8.
    Node.js will now gracefully set windowBits to 9 (replicating
    the legacy behavior) to avoid a DOS vector.

-------------------------------------------------------------------
Thu Oct 19 08:07:05 UTC 2017 - adam.majer@suse.de

- Replace {{node_version_major}} with RPM define %node_version_number
  for simpler spec file review.
- Make sure npm program remains executable

-------------------------------------------------------------------
Wed Oct  4 16:38:26 UTC 2017 - adam.majer@suse.de

- New upstream LTS release 6.11.4:
  * net: support passing undefined to listen() to match behavior in
  v4.x and v8.x

-------------------------------------------------------------------
Mon Sep 11 13:58:26 UTC 2017 - qantas94heavy@gmail.com

- New upstream LTS release 6.11.3:
  * deps: Snapshots are turned back on!!! (#14385)
  * path: win32 volume-relative paths are working again! (#14440)
  * tools: v6.x can now build with ICU 59 (#12078)
- Drop icu59.patch: merged upstream.
- Refresh versioned.patch

-------------------------------------------------------------------
Thu Aug 17 08:57:20 UTC 2017 - qantas94heavy@gmail.com

- New upstream LTS release 6.11.2
  * configure: add mips64el to valid_arch (#13620)
  * crypto: updated root certificates based on NSS 3.30
    (#13279, #12402)
  * deps: upgrade OpenSSL to version 1.0.2.l (#12913)
  * http:
    + parse errors are now reported when NODE_DEBUG=http (#13206)
    + Agent constructor can now be invoked without new (#12927)
  * zlib: node will now throw an Error when zlib rejects the value
    of windowBits, instead of crashing (#13098)
- Drop 0f3e69db.patch: fixed upstream

-------------------------------------------------------------------
Wed Aug  2 15:16:57 UTC 2017 - adam.majer@suse.de

- Fix update-alternative handling in %postun - don't remove
  links on upgrades.

-------------------------------------------------------------------
Wed Jul 12 08:24:32 UTC 2017 - adam.majer@suse.de

- New upstream LTS release 6.11.1
  * v8: disable V8 snapshots. The hashseed embedded in the snapshot
    is currently the same for all runs of the binary. This opens
    node up to collision attacks which could result in a Denial
    of Service. We have temporarily disabled snapshots until a more
    robust solution is found. (bnc#1048299, CVE-2017-11499)
  * The c-ares function ares_parse_naptr_reply(), which is used for
    parsing NAPTR responses, could be triggered to read memory
    outside of the given input buffer if the passed in DNS response
    packet was crafted in a particular way.
    (CVE-2017-1000381, bnc#1044946)

-------------------------------------------------------------------
Fri Jul  7 14:05:05 UTC 2017 - adam.majer@suse.de

- Depend on nodejs-common that is then used to pick correctly
  versioned node or npm binary. This is required since 3rd party
  modules use `/usr/bin/env node` which breaks if multiple versions
  of NodeJS are installed at the same time and non-default version
  is used (for example, to compile a native module)
 
-------------------------------------------------------------------
Thu Jul  6 12:08:26 UTC 2017 - adam.majer@suse.de

- npm_search_paths.patch: Since concurrent installations are now
  possible, node manual pages are moved once again back under npm
  searcheable locations only.
- versioned.patch: All files are now under versioned directoies
  and names. node and npm symlinks are now managed by
  update-alternatives
- node-gyp-addon-gypi.patch: Reference versioned directories only

-------------------------------------------------------------------
Tue Jun 13 09:13:23 UTC 2017 - adam.majer@suse.de

- New upstream LTS release 6.11.0
  * added support for building mips64el
  * cluster:
    + disconnect() now returns a reference to the disconnected
      worker.
  * crypto:
    + ability to select cert store at runtime
    + Use system CAs instead of using bundled ones
      (obsoletes 8334.diff)
    + The Decipher methods setAuthTag() and setAAD now return this
    + adding support for OPENSSL_CONF again
    + make LazyTransform compabile with Streams1
  * deps:
    + upgrade libuv to 1.11.0
  * dns:
    + Implemented {ttl: true} for resolve4() and resolve6().
  * process:
    + add NODE_NO_WARNINGS environment variable
  * readline:
    + add option to stop duplicates in history
  * src:
    + support "--" after "-e" as end-of-options
  * tls:
    + new tls.TLSSocket() supports sec ctx options
    + Allow obvious key/passphrase combinations.
- Fix typo in node-gyp-addon-gypi.patch patch
- Refresh icu59.patch

-------------------------------------------------------------------
Tue May 30 12:45:42 UTC 2017 - adam.majer@suse.de

- 0f3e69db.patch, icu59.patch: backported GCC 7 compilation fixes
  for v8 backported and add missing ICU59 includes (bnc#1041282)

-------------------------------------------------------------------
Tue May 23 09:52:00 UTC 2017 - adam.majer@suse.de

- New upstream LTS release 6.10.3
  * b8:
    + Trigger OOM crash on memory allcation errors
    + Don't treat catch scopes as possibly-shadowing for sloppy eval
  * lib: fix event race condition with -e
  * src: fix base64 decoding in rare edgecase
  * tls:
    + fix segfault on destroy after partial read
    + keep track of stream that is closed
    + fix macro to check NPN feature
- nodejs-libpath.patch: updated

-------------------------------------------------------------------
Wed Apr  5 01:30:39 UTC 2017 - qantas94heavy@gmail.com

- New upstream LTS release 6.10.2
  * crypto: fix memory leak if certificate is revoked (#12089)
  * deps: backport V8 fixes for spread syntax regression
    causing segfaults (#12037)
    
- Changes not applicable to openSUSE in 6.10.2:
  * deps: upgrade zlib to 1.2.11 (#10980)
  * repl: revert commit that broke REPL display on Windows (#12123)
  
- Changes in LTS release 6.10.1
  * performance: The performance of several APIs has been improved.
    + Buffer.compare() is up to 35% faster on average.
    + buffer.toJSON() is up to 2859% faster on average.
    + fs.*statSync() functions are now up to 9% faster on average.
    + os.loadavg is up to 151% faster.
    + process.memoryUsage() is up to 34% faster.
    + querystring.unescape() for Buffers is 15% faster on average.
    + querystring.stringify() is up to 7.8% faster on average.
    + querystring.parse() is up to 21% faster on average.
  * IPC: Batched writes have been enabled for process IPC on
    platforms that support Unix Domain Sockets. Performance gains
    may be up to 40% for some workloads.
  * child_process: spawnSync now returns a null status when child
    is terminated by a signal. This fixes the behavior to act like
    spawn() does.
  * http: Control characters are now always rejected when using
    http.request(). Debug messages have been added for cases when
    headers contain invalid values.
  * node: Heap statistics now support values larger than 4GB.
  * timers: Timer callbacks now always maintain order when
    interacting with domain error handling.

-------------------------------------------------------------------
Sun Feb 26 03:01:09 UTC 2017 - qantas94heavy@gmail.com

- New upstream LTS release 6.10.0
 * crypto: allow adding extra certs to well-known CAs
 * deps: upgrade INTL ICU to version 58
 * fs: cache non-symlinks in realpathSync
 * process: add process.memoryUsage().external
 * repl: allow autocompletion for scoped packages
 * src: add wrapper for process.emitWarning()
- Modify 8334.diff:
  * Remove merged reference counting code (#9409)
  * Bring patch in line with upstream changes (#8334)

-------------------------------------------------------------------
Fri Feb  3 12:21:10 UTC 2017 - adam.majer@suse.de

- New upstream LTS release 6.9.5
  * deps: upgrade openssl sources to 1.0.2k
    (CVE-2017-3731, CVE-2017-3732, CVE-2016-7055,
     bnc#1022085, bnc#1022086, bnc#1009528)
- No changes in LTS release 6.9.4
- Adjusted 8334.diff to be inline with accepted changes

-------------------------------------------------------------------
Fri Jan  6 08:25:14 UTC 2017 - qantas94heavy@gmail.com

- Add basic check that Node.js loads successfully to spec file

-------------------------------------------------------------------
Wed Jan  4 02:56:09 UTC 2017 - qantas94heavy@gmail.com

- New upstream LTS release 6.9.3
  * build: shared library support is now working for AIX builds
  * deps/npm: upgrade npm to 3.10.10
  * deps/V8: destructuring of arrow function arguments via computed
             property no longer throws
  * inspector: /json/version returns object, not an object wrapped
               in an array
  * module: using --debug-brk and --eval together now works
            as expected
  * process: improve performance of nextTick up to 20%
  * repl: the division operator will no longer be accidentally
          parsed as regex
  * repl: improved support for generator functions
  * timers: recanceling a cancelled timers will no longer throw

-------------------------------------------------------------------
Fri Dec  9 04:22:27 UTC 2016 - qantas94heavy@gmail.com

- New upstream LTS version 6.9.2
  * buffer: coerce slice parameters consistently
  * deps/npm: upgrade npm to 3.10.9
  * deps/V8: Various fixes to destructuring edge cases
    + cherry-pick 3c39bac from V8 upstream
    + cherry pick 7166503 from upstream v8
  * gtest: the test reporter now outputs tap comments as yamlish
  * inspector: inspector now prompts user to use 127.0.0.1 rather
               than localhost
  * tls: fix memory leak when writing data to TLSWrap instance
         during handshake
- Modify 8334.diff:
  * ported and updated system CA store for the new node crypto code

-------------------------------------------------------------------
Wed Nov 23 09:00:40 UTC 2016 - adam.majer@suse.de

- Add missing conflicts to base package. It's not possible to have
  concurrent nodejs installations.

-------------------------------------------------------------------
Fri Nov 18 11:59:06 UTC 2016 - adam.majer@suse.de

- Package unification across various branches of NodeJS. Package
  for 4.x, 6.x and current (7.x) branches of NodeJS are now
  handled via GitHub repository.
- NodeJS 6.x LTS package, based on NodeJS 4.x LTS layout. All
  NodeJS packages are interchangeable. (FATE #321373)

-------------------------------------------------------------------
Mon Nov  7 13:15:21 UTC 2016 - adam.majer@suse.de

- Add versioned dependencies for unbundling of c-ares and icu
  libraries
- SLE12 can have unbundled libicu

-------------------------------------------------------------------
Wed Nov  2 04:13:20 UTC 2016 - qantas94heavy@gmail.com

- Fork package devel:languages:nodejs/nodejs
- Remove support-arm64-build.patch (not necessary for aarch64 build)
- Use system library versions of c-ares and ICU where supported
- Remove /usr/{lib,lib64}/node_modules from global module paths
  * This is deprecated behaviour that was caused by an incorrect patch
    in devel:languages:nodejs/nodejs almost 6 months ago (boo#985350)
- Modify nodejs-libpath.patch
  * Move /usr/lib64/node_modules to %{_libexecpath} as npm isn't
    architecture dependent (only npm itself is stored there)
- Remove nodejs-libpath64.patch
- Use separate .sig file instead of .asc file for source verification
- Use exec instead of xargs to remove files in install script