Overview
Request 509751 accepted
- New LTS upstream version 4.8.4
* v8: disable V8 snapshots. The hashseed embedded in the snapshot
is currently the same for all runs of the binary. This opens
node up to collision attacks which could result in a Denial
of Service. We have temporarily disabled snapshots until a more
robust solution is found (bnc#1048299).
* http: fixes http.get with numeric authorization options that
created/used uninitialized buffers as the authentication string
* The c-ares function ares_parse_naptr_reply(), which is used for
parsing NAPTR responses, could be triggered to read memory
outside of the given input buffer if the passed in DNS response
packet was crafted in a particular way.
(CVE-2017-1000381, bnc#1044946)
- Depend on nodejs-common that is then used to pick correctly
versioned node or npm binary. This is required since 3rd party
modules use `/usr/bin/env node` which breaks if multiple versions
of NodeJS are installed at the same time and non-default version
is used (for example, to compile a native module)
- npm_search_paths.patch: Since concurrent installations are now
possible, node manual pages are moved once again back under npm
searcheable locations only.
- versioned.patch: All files are now under versioned directoies
and names. node and npm symlinks are now managed by
update-alternatives
- node-gyp-addon-gypi.patch: Reference versioned directories only
Request History
adamm created request
- New LTS upstream version 4.8.4
* v8: disable V8 snapshots. The hashseed embedded in the snapshot
is currently the same for all runs of the binary. This opens
node up to collision attacks which could result in a Denial
of Service. We have temporarily disabled snapshots until a more
robust solution is found (bnc#1048299).
* http: fixes http.get with numeric authorization options that
created/used uninitialized buffers as the authentication string
* The c-ares function ares_parse_naptr_reply(), which is used for
parsing NAPTR responses, could be triggered to read memory
outside of the given input buffer if the passed in DNS response
packet was crafted in a particular way.
(CVE-2017-1000381, bnc#1044946)
- Depend on nodejs-common that is then used to pick correctly
versioned node or npm binary. This is required since 3rd party
modules use `/usr/bin/env node` which breaks if multiple versions
of NodeJS are installed at the same time and non-default version
is used (for example, to compile a native module)
- npm_search_paths.patch: Since concurrent installations are now
possible, node manual pages are moved once again back under npm
searcheable locations only.
- versioned.patch: All files are now under versioned directoies
and names. node and npm symlinks are now managed by
update-alternatives
- node-gyp-addon-gypi.patch: Reference versioned directories only
factory-auto added opensuse-review-team as a reviewer
Please review sources
factory-auto added factory-repo-checker as a reviewer
Please review build success
factory-auto accepted review
Check script succeeded
licensedigger accepted review
ok
staging-bot added as a reviewer
Being evaluated by staging project "openSUSE:Factory:Staging:adi:120"
staging-bot accepted review
Picked openSUSE:Factory:Staging:adi:120
jengelh accepted review
factory-repo-checker accepted review
Builds for repo openSUSE:Factory:Staging:adi:120/standard
staging-bot accepted review
ready to accept
staging-bot approved review
ready to accept
dimstar_suse accepted request
Accept to openSUSE:Factory