File nodejs14.changes of Package nodejs14.23946

-------------------------------------------------------------------
Wed Apr 20 11:00:47 UTC 2022 - Adam Majer <adam.majer@suse.de>

Update to 14.19.1:
  * deps: upgrade openssl sources to 1.1.1n (bsc#1196877, CVE-2022-0778)
    Infinite loop in BN_mod_sqrt() reachable when parsing certificates
    More details at https://www.openssl.org/news/secadv/20220315.txt

- CVE-2021-44906.patch: fix prototype pollution in npm dependency
  (bsc#1198247, CVE-2021-44906)
- CVE-2021-44907.patch: fix insufficient sanitization in npm dependency
  (bsc#1197283, CVE-2021-44907)
- CVE-2022-0235.patch: fix passing of cookie data and sensitive headers
  to different hostnames in node-fetch-npm (bsc#1194819, CVE-2022-0235)

-------------------------------------------------------------------
Wed Feb 16 16:12:01 UTC 2022 - Adam Majer <adam.majer@suse.de>

- update to 14.19.0:
  * crypto: make FIPS related options always available
  * deps: upgrade npm to 6.14.16
    + CVE-2021-23343 - ReDoS via splitDeviceRe, splitTailRe and
      splitPathRe (bsc#1192153)
    + CVE-2021-32803 - node-tar: Insufficient symlink protection
      allowing arbitrary file creation and overwrite (bsc#1191963)
    + CVE-2021-32804 - node-tar: Insufficient absolute path sanitization
      allowing arbitrary file creation and overwrite (bsc#1191962)
    + CVE-2021-3918 - json-schema is vulnerable to Improperly
      Controlled Modification of Object Prototype Attributes (bsc#1192696)
  * module: support pattern trailers
  * src: make napi_create_reference accept symbol

- CVE-2021-3807.patch: node-ansi-regex: Regular expression
  denial of service (ReDoS) matching ANSI escape codes
  (bsc#1192154, CVE-2021-3807)
- versioned.patch, nodejs-libpath.patch: refreshed

-------------------------------------------------------------------
Wed Jan 12 10:25:55 UTC 2022 - Adam Majer <adam.majer@suse.de>

- z15-test-skip.patch: dropped, no longer required
- fix_ci_tests.patch: update tests for z15

-------------------------------------------------------------------
Tue Jan 11 18:50:33 UTC 2022 - Adam Majer <adam.majer@suse.de>

- update to 14.18.3:
  Security update fixing the following issues:

  * Improper handling of URI Subject Alternative Names (Medium)
   (CVE-2021-44531, bsc#1194511)
  * Certificate Verification Bypass via String Injection (Medium)
   (CVE-2021-44532, bsc#1194512)
  * Incorrect handling of certificate subject and issuer fields (Medium)
   (CVE-2021-44533, bsc#1194513)
  * Prototype pollution via console.table properties (Low)
   (CVE-2022-21824, bsc#1194514)

-------------------------------------------------------------------
Thu Dec 16 19:32:37 UTC 2021 - Adam Majer <adam.majer@suse.de>

- update to 14.18.2:
  * lib: fix regular expression to detect `/` and `\`
  * worker: avoid potential deadlock on NearHeapLimit

- sle12_python3_compat.patch: refreshed

-------------------------------------------------------------------
Thu Nov 25 12:21:25 UTC 2021 - Guillaume GARDET <guillaume.gardet@opensuse.org>

- Fix CXXFLAGS in Tumbleweed - boo#1192824

-------------------------------------------------------------------
Tue Nov  9 15:56:53 UTC 2021 - Adam Majer <adam.majer@suse.de>

- update to 14.18.1:
  * deps: update llhttp to 2.1.4
  - HTTP Request Smuggling due to spaces in headers
    (bsc#1191601, CVE-2021-22959)
  - HTTP Request Smuggling when parsing the body
    (bsc#1191602, CVE-2021-22960)

- changes in 14.18.0:
  * buffer:
    + introduce Blob
    + add base64url encoding option
  * child_process:
    + allow options.cwd to receive a URL
    + add timeout to spawn and fork
    + allow promisified exec to be cancelled
    + add 'overlapped' stdio flag
  * dns: add "tries" option to Resolve options
  * fs:
    + allow empty string for temp directory prefix
    + allow no-params fsPromises fileHandle read
    + add support for async iterators to fsPromises.writeFile
  * http2: add support for sensitive headers
  * process: add 'worker' event
  * tls: allow reading data into a static buffer
  * worker: add setEnvironmentData/getEnvironmentData

- changes in 14.17.6:
  * deps: upgrade npm to 6.14.15 which fixes a number of
    security issues
    (bsc#1190057, CVE-2021-37701, bsc#1190056, CVE-2021-37712,
     bsc#1190055, CVE-2021-37713, bsc#1190054, CVE-2021-39134,
     bsc#1190053, CVE-2021-39135)

- test-skip-y2038-on-32bit-time_t.patch: fix test failure when
  64-bit time_t is used on 32-bit arches
- refreshed patches: versioned.patch, flaky_test_rerun.patch
- PR39011.patch: upstreamed

-------------------------------------------------------------------
Thu Aug 12 13:50:24 UTC 2021 - Adam Majer <adam.majer@suse.de>

- update to 14.17.5:
  * CVE-2021-3672/CVE-2021-22931: Improper handling of untypical
    characters in domain names (bsc#1189370, bsc#1188881)
  * CVE-2021-22940: Use after free on close http2 on stream canceling
    (bsc#1189368)
  * CVE-2021-22939: Incomplete validation of rejectUnauthorized parameter
    (bsc#1189369)
- cares_public_headers.patch: don't use private headers

-------------------------------------------------------------------
Mon Aug  9 12:54:40 UTC 2021 - Adam Majer <adam.majer@suse.de>

- z15-test-skip.patch: skip problematic test on s390x

-------------------------------------------------------------------
Mon Aug  2 12:15:43 UTC 2021 - Adam Majer <adam.majer@suse.de>

- update to 14.17.4:
  http2: fixes use after free on close http2 on stream canceling
  (bsc#1188917, CVE-2021-22930)

- old_icu.patch: merged, removed
- versioned.patch: updated
- node_modules.tar.xz: refreshed
- PR39011.patch: use localhost instead of remote for unit test

-------------------------------------------------------------------
Fri Jul  2 15:27:59 UTC 2021 - Adam Majer <adam.majer@suse.de>

- update to 14.17.2:
  deps: libuv upgrade - Out of bounds read (Medium)
  (bsc#1187973, CVE-2021-22918)

- old_icu.patch: update with upstream's patch from
  https://github.com/nodejs/node/pull/39068
- specfile cleanup

-------------------------------------------------------------------
Thu Jun 17 09:48:02 UTC 2021 - Adam Majer <adam.majer@suse.de>

- update to 14.17.1:
  * deps: update ICU to 69.1
  * errors: align source-map stacks with spec
- Fix-build-with-icu-69.patch: upstreamed

-------------------------------------------------------------------
Fri Jun  4 22:12:29 UTC 2021 - Dirk Müller <dmueller@suse.com>

- update to 14.17.0:
  * Experimental support for AbortController and AbortSignal
  * Diagnostics channel (experimental module)
  * UUID support in the crypto module
  * update ICU to 68.1 
  * upgrade to libuv 1.41.0
  * deps: npm update to 6.14.13
    ssri Regular Expression Denial of Service and hosted-git-info
    Regular Expression Denial of Service
    (bsc#1187976, bsc#1187977, CVE-2021-27290, CVE-2021-23362)

- add Fix-build-with-icu-69.patch: fix build with icu 69

-------------------------------------------------------------------
Mon May 31 16:27:44 UTC 2021 - Adam Majer <adam.majer@suse.de>

- Use libalternatives instead of update-alternatives

-------------------------------------------------------------------
Wed Apr  7 12:35:34 UTC 2021 - Adam Majer <adam.majer@suse.de>

- New upstream LTS version 14.16.1:
  * CVE-2020-7774: npm upgrade - Update y18n to fix Prototype-Pollution (High)
    This is a vulnerability in the y18n npm module which may be
    exploited by prototype pollution. You can read more about it in
    https://github.com/advisories/GHSA-c4w7-xm78-47vh
    (bsc#1184450)
  * deps: upgrade npm to 6.14.12

- versioned.patch: refreshed

-------------------------------------------------------------------
Tue Feb 23 14:46:06 UTC 2021 - Adam Majer <adam.majer@suse.de>

- New upstream LTS version 14.16.0:
  * CVE-2021-22883: HTTP2 'unknownProtocol' causes Denial of Service
    by resource exhaustion (bsc#1182619)
  * CVE-2021-22884: DNS rebinding in --inspect (bsc#1182620)

-------------------------------------------------------------------
Wed Feb 17 17:33:25 UTC 2021 - Adam Majer <adam.majer@suse.de>

- New upstream LTS version 14.15.5:
  * deps: 
    + upgrade npm to 6.14.11
    + V8: backport dfcf1e86fac0 #37245
    Note: Node.js is not believed to be vulnerable to CVE-2021-21148
  * stream,zlib: do not use _stream_* anymore

- relax OpenSSL cipher suite policies for unit tests
 
-------------------------------------------------------------------
Mon Jan  4 19:27:41 UTC 2021 - Adam Majer <adam.majer@suse.de>

- New upstream LTS version 14.15.4:
  * CVE-2020-8265: use-after-free in TLSWrap (High) bug in TLS
    implementation. When writing to a TLS enabled socket,
    node::StreamBase::Write calls node::TLSWrap::DoWrite with
    a freshly allocated WriteWrap object as first argument.
    If the DoWrite method does not return an error, this object is
    passed back to the caller as part of a StreamWriteResult structure.
    This may be exploited to corrupt memory leading to a
    Denial of Service or potentially other exploits (bsc#1180553)
  * CVE-2020-8287: HTTP Request Smuggling: Node.js allows two copies of a
    header field in an HTTP request. For example, two Transfer-Encoding
    header fields. In this case Node.js identifies the first header
    field and ignores the second. This can lead to HTTP Request
    Smuggling (https://cwe.mitre.org/data/definitions/444.html).
    (bsc#1180554)

-------------------------------------------------------------------
Mon Dec 21 12:37:16 UTC 2020 - Adam Majer <adam.majer@suse.de>

- New upstream LTS version 14.15.3:
  * deps:
    + upgrade npm to 6.14.9
    + update acorn to v8.0.4
  * http2: check write not scheduled in scope destructor
  * stream: fix regression on duplex end

- versioned.patch, sle12_python3_compat.patch: refreshed

-------------------------------------------------------------------
Mon Nov 30 19:44:30 UTC 2020 - Adam Majer <adam.majer@suse.de>

- openssl_binary_detection.patch: fixes unit tests on SLE12

-------------------------------------------------------------------
Mon Nov 23 16:06:15 UTC 2020 - Adam Majer <adam.majer@suse.de>

- Update Requires: so -devel requires npm
- Rely on rpmbuild to define necessary python dependencies

-------------------------------------------------------------------
Thu Nov 19 11:42:09 UTC 2020 - Adam Majer <adam.majer@suse.de>

- New upstream LTS version 14.15.1:
  * deps: Denial of Service through DNS request (High).
  A Node.js application that allows an attacker to trigger a DNS
  request for a host of their choice could trigger a Denial of Service
  by getting the application to resolve a DNS record with
  a larger number of responses (bsc#1178882, CVE-2020-8277)

-------------------------------------------------------------------
Thu Oct 29 10:12:54 UTC 2020 - Adam Majer <adam.majer@suse.de>

- Update to LTS version 14.15.0: (jsc#SLE-15774)
  * no major changes
  * test: reverts marking test-webcrypto-encrypt-decrypt-aes flaky

-------------------------------------------------------------------
Tue Oct 20 14:23:42 UTC 2020 - Adam Majer <adam.majer@suse.de>

- Use SLE OpenSSL version with 12-SP4+, and not just 12-SP5+
- Bump minimum ICU version to 65

-------------------------------------------------------------------
Fri Oct 16 11:54:33 UTC 2020 - Adam Majer <adam.majer@suse.de>

- Update to version 14.14.0:
  * fs: add rm method
  * http: allow passing array of key/val into writeHead
  * src: expose v8::Isolate setup callbacks

- sle12_python3_compat.patch: refreshed

-------------------------------------------------------------------
Thu Oct  8 15:12:05 UTC 2020 - Adam Majer <adam.majer@suse.de>

- Update to version 14.13.1:
  * fs: rmdir recursive is no longer considered experimental

- fix_ci_tests.patch: add support to SUSE's ECDH backport errors
  in SLE's openssl

-------------------------------------------------------------------
Tue Oct  6 11:30:37 UTC 2020 - Adam Majer <adam.majer@suse.de>

- Update to version 14.13.0:
  * deps: upgrade to libuv 1.40.0 #35333
  * module: named exports for CJS via static analysis #35249
  * module: exports pattern support #34718
  * src: allow N-API addon in AddLinkedBinding()

-------------------------------------------------------------------
Thu Sep 24 19:04:31 UTC 2020 - Adam Majer <adam.majer@suse.de>

- Update to version 14.12.0:
  * n-api:
    + create N-API version 7
    + add more property defaults

- Changes since version 14.9.0
  * deps:
    + update llhttp to 2.1.2 (bsc#1176605, CVE-2020-8201)
    + http: add requestTimeout. Fixes Denial of Service by
      resource exhaustion due to unfinished HTTP/1.1 requests
      (bsc#1176604, CVE-2020-8251)
    + buffer: also alias BigUInt methods
    + crypto: add randomInt function
    + perf_hooks: add idleTime and event loop util
    + stream: simpler and faster Readable async iterator
    + stream: save error in state

-------------------------------------------------------------------
Wed Sep  2 10:44:47 UTC 2020 - Adam Majer <adam.majer@suse.de>

- old_icu.patch: re-add support for ICU 65 from SLE15 SP2
- fix_ci_tests.patch: move debug symbol strip for testing to the Makefile

-------------------------------------------------------------------
Fri Aug 28 10:39:52 UTC 2020 - Adam Majer <adam.majer@suse.de>

- Update to version 14.9.0:
  * build: set --v8-enable-object-print by default (Mary Marchini) #34705
  * deps:
    + upgrade to libuv 1.39.0 (cjihrig) #34915
    + upgrade npm to 6.14.8 (Ruy Adorno) #34834
    + V8: cherry-pick e06ace6b5cdb (Anna Henningsen) #34673
  * n-api: handle weak no-finalizer refs correctly (Gabriel Schulhof) #34839
  * tools: add debug entitlements for macOS 10.15+ (Gabriele Greco) #34378

- Changes in version 14.8.0:
  * async_hooks: add AsyncResource.bind utility (James M Snell) #34574
  * deps: update to uvwasi 0.0.10 (Colin Ihrig) #34623
  * module: unflag Top-Level Await (Myles Borins) #34558
  * n-api: support type-tagging objects (Gabriel Schulhof) #28237
  * n-api,src: provide asynchronous cleanup hooks (Anna Henningsen) #34572

- versioned.patch: refreshed
- linker_lto_jobs.patch: refreshed

-------------------------------------------------------------------
Mon Aug 10 16:38:15 UTC 2020 - Adam Majer <adam.majer@suse.de>

- Explicitly add -fno-strict-aliasing to CFLAGS to fix compilation
  on Aarch64 with gcc10 (bsc#1172686)

-------------------------------------------------------------------
Mon Aug  3 12:20:57 UTC 2020 - Adam Majer <adam.majer@suse.de>

- Update to version 14.7.0:
  * deps: upgrade npm to 6.14.7
  * dgram: add IPv6 scope id suffix to received udp6 dgrams
  * src:
    + allow preventing SetPromiseRejectCallback #34387
    + allow setting a dir for all diagnostic output #33584
  * worker: make MessagePort inherit from EventTarget #34057
  * zlib: switch to lazy init for zlib streams (Andrey Pechkurov) #34048

-------------------------------------------------------------------
Tue Jul 28 07:13:57 UTC 2020 - Dirk Mueller <dmueller@suse.com>

- avoid rpmbuild warnings on if/else/endif constructs

-------------------------------------------------------------------
Wed Jul 22 12:52:50 UTC 2020 - Adam Majer <adam.majer@suse.de>

- Update to version 14.6.0:
  * deps:
    + upgrade to libuv 1.38.1
    + upgrade npm to 6.14.6 fixing information leak through
      log files (bsc#1173937, CVE-2020-15095)
    + update V8 to 8.4.371.19
  * module:
    + doc only deprecation of module.parent
    + package "imports" field
  * src: allow embedders to disable esm loader
  * tls: make 'createSecureContext' honor more options
  * vm: add run-after-evaluate microtask mode
  * worker: add option to track unmanaged file descriptors

- versioned.patch - refreshed

-------------------------------------------------------------------
Thu Jul  2 20:51:30 UTC 2020 - Adam Majer <adam.majer@suse.de>

- Update to version 14.5.0:
  * deps: V8 engine is updated to version 8.3. For details, see
    https://v8.dev/blog/v8-release-83
  * events: experimental implementation of EventTarget

For details, see
https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V14.md#14.5.0

- sle12_python3_compat.patch: refreshed
- fix_ci_tests.patch: refreshed

-------------------------------------------------------------------
Tue Jun  9 11:45:55 UTC 2020 - Adam Majer <adam.majer@suse.de>

- Add Require for nodejs14 when installing npm14. (bsc#1172728)

-------------------------------------------------------------------
Thu Jun  4 12:03:49 UTC 2020 - Adam Majer <adam.majer@suse.de>

- Update to version 14.4.0:
  * napi: fix various types of memory corruption in napi_get_value_string_*()
    (CVE-2020-8174, bsc#1172443)
  * http2: fix HTTP/2 Large Settings Frame DoS
    (CVE-2020-11080, bsc#1172442)
  * TLS session reuse can lead to host certificate verification bypass
    (CVE-2020-8172, bsc#1172441)

-------------------------------------------------------------------
Fri May 29 10:46:58 UTC 2020 - Adam Majer <adam.majer@suse.de>

- Update to version 14.3.0:
  * repl: previews improvements with autocompletion
  * it's now possible to use the await keyword outside of async functions,
    with the --experimental-top-level-await flag

- Changes in version 14.2.0:
  * console: Support for console constructor groupIndentation options

- skip_no_console.patch: refreshed
- versioned.patch, fix_ci_tests.patch: refreshed

-------------------------------------------------------------------
Thu Apr 30 11:22:45 UTC 2020 - Adam Majer <adam.majer@suse.de>

- Update to version 14.1.0:
  * deps: upgrade openssl sources to 1.1.1g (SLE-12 only)
  * http: doc deprecate abort and improve docs
  * module: do not warn when accessing __esModule of unfinished exports
  * n-api: detect deadlocks in thread-safe function
  * src: deprecate embedder APIs with replacements
  * stream:
    + don't emit end after close
    + don't wait for close on legacy streams
    + pipeline should only destroy un-finished streams
  * vm: add importModuleDynamically option to compileFunction

- skip_no_console.patch: add more unit tests that fail on dumb terminals

-------------------------------------------------------------------
Mon Apr 27 13:35:05 UTC 2020 - Adam Majer <adam.majer@suse.de>

- Initial version 14.0.0

 Deprecations

 * crypto: move pbkdf2 without digest to EOL
 * fs: deprecate closing FileHandle on garbage collection
 * http: move OutboundMessage.prototype.flush to EOL
 * lib: move GLOBAL and root aliases to EOL
 * os: move tmpDir() to EOL
 * src: remove deprecated wasm type check
 * stream: move _writableState.buffer to EOL
 * doc: deprecate process.mainModule
 * doc: deprecate process.umask() with no arguments

For a detailed list of changes, see
https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V14.md#14.0.0

