From 1a21f8a11e510c066fd2f7f079a3f2eaf915e857 Mon Sep 17 00:00:00 2001 From: MSVSphere Packaging Team Date: Mon, 20 May 2024 20:00:15 +0300 Subject: [PATCH] import nodejs-18.20.2-2.module+el9.4.0+21742+692df1ea --- .gitignore | 6 +- .nodejs.metadata | 8 +- SOURCES/CVE-2024-28182.patch | 157 ++++++++++++++++++++++ SOURCES/nodejs-fips-disable-options.patch | 2 +- SOURCES/nodejs-tarball.sh | 92 +++++++++---- SPECS/nodejs.spec | 51 +++---- 6 files changed, 260 insertions(+), 56 deletions(-) create mode 100644 SOURCES/CVE-2024-28182.patch diff --git a/.gitignore b/.gitignore index 5654dce..b9a9bff 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,5 @@ SOURCES/cjs-module-lexer-1.2.2.tar.gz -SOURCES/icu4c-73_2-src.tgz -SOURCES/node-v18.19.1-stripped.tar.gz -SOURCES/undici-5.28.3.tar.gz +SOURCES/icu4c-74_2-src.tgz +SOURCES/node-v18.20.2-stripped.tar.gz +SOURCES/undici-5.28.4.tar.gz SOURCES/wasi-sdk-11.0-linux.tar.gz diff --git a/.nodejs.metadata b/.nodejs.metadata index ba50b7a..f278be9 100644 --- a/.nodejs.metadata +++ b/.nodejs.metadata @@ -1,5 +1,5 @@ -b0a91341ecf6c68a9d59a1c57d000fbbcc771679 SOURCES/cjs-module-lexer-1.2.2.tar.gz -3d94969b097189bf5479c312d9593d2d252f5a73 SOURCES/icu4c-73_2-src.tgz -7962d96e7c1517cf7b34395fc582b32b8acebe3a SOURCES/node-v18.19.1-stripped.tar.gz -b598f79f4706fe75c31ff2a214e50acc04c4725a SOURCES/undici-5.28.3.tar.gz +164f7f39841415284b0280a648c43bd7ea1615ac SOURCES/cjs-module-lexer-1.2.2.tar.gz +43a8d688a3a6bc8f0f8c5e699d0ef7a905d24314 SOURCES/icu4c-74_2-src.tgz +09d2d4e4e9984ddb4d89df02465a8fde1917a2a7 SOURCES/node-v18.20.2-stripped.tar.gz +d38d72bec82e3c41a4de73d6ee56d9c9eff5f403 SOURCES/undici-5.28.4.tar.gz ff114dd45b4efeeae7afe4621bfc6f886a475b4b SOURCES/wasi-sdk-11.0-linux.tar.gz diff --git a/SOURCES/CVE-2024-28182.patch b/SOURCES/CVE-2024-28182.patch new file mode 100644 index 0000000..5eca31e --- /dev/null +++ b/SOURCES/CVE-2024-28182.patch @@ -0,0 +1,157 @@ +Backport from upstream commits. +https://github.com/nghttp2/nghttp2/commit/00201ecd8f982da3b67d4f6868af72a1b03b14e0 +https://github.com/nghttp2/nghttp2/commit/d71a4668c6bead55805d18810d633fbb98315af9 + + +diff -ur node-v18.19.1_orig/deps/nghttp2/lib/includes/nghttp2/nghttp2.h node-v18.19.1/deps/nghttp2/lib/includes/nghttp2/nghttp2.h +--- node-v18.19.1_orig/deps/nghttp2/lib/includes/nghttp2/nghttp2.h 2024-04-15 14:38:00.000000000 +0200 ++++ node-v18.19.1/deps/nghttp2/lib/includes/nghttp2/nghttp2.h 2024-04-15 14:43:36.000000000 +0200 +@@ -440,7 +440,12 @@ + * exhaustion on server side to send these frames forever and does + * not read network. + */ +- NGHTTP2_ERR_FLOODED = -904 ++ NGHTTP2_ERR_FLOODED = -904, ++ /** ++ * When a local endpoint receives too many CONTINUATION frames ++ * following a HEADER frame. ++ */ ++ NGHTTP2_ERR_TOO_MANY_CONTINUATIONS = -905, + } nghttp2_error; + + /** +@@ -2775,6 +2780,17 @@ + + /** + * @function ++ * ++ * This function sets the maximum number of CONTINUATION frames ++ * following an incoming HEADER frame. If more than those frames are ++ * received, the remote endpoint is considered to be misbehaving and ++ * session will be closed. The default value is 8. ++ */ ++NGHTTP2_EXTERN void nghttp2_option_set_max_continuations(nghttp2_option *option, ++ size_t val); ++ ++/** ++ * @function + * + * Initializes |*session_ptr| for client use. The all members of + * |callbacks| are copied to |*session_ptr|. Therefore |*session_ptr| +Only in node-v18.19.1/deps/nghttp2/lib/includes/nghttp2: nghttp2.h.orig +diff -ur node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_helper.c node-v18.19.1/deps/nghttp2/lib/nghttp2_helper.c +--- node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_helper.c 2024-04-15 14:38:00.000000000 +0200 ++++ node-v18.19.1/deps/nghttp2/lib/nghttp2_helper.c 2024-04-15 14:41:10.000000000 +0200 +@@ -336,6 +336,8 @@ + "closed"; + case NGHTTP2_ERR_TOO_MANY_SETTINGS: + return "SETTINGS frame contained more than the maximum allowed entries"; ++ case NGHTTP2_ERR_TOO_MANY_CONTINUATIONS: ++ return "Too many CONTINUATION frames following a HEADER frame"; + default: + return "Unknown error code"; + } +diff -ur node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_option.c node-v18.19.1/deps/nghttp2/lib/nghttp2_option.c +--- node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_option.c 2024-04-15 14:38:00.000000000 +0200 ++++ node-v18.19.1/deps/nghttp2/lib/nghttp2_option.c 2024-04-15 14:43:36.000000000 +0200 +@@ -150,3 +150,8 @@ + option->stream_reset_burst = burst; + option->stream_reset_rate = rate; + } ++ ++void nghttp2_option_set_max_continuations(nghttp2_option *option, size_t val) { ++ option->opt_set_mask |= NGHTTP2_OPT_MAX_CONTINUATIONS; ++ option->max_continuations = val; ++} +diff -ur node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_option.h node-v18.19.1/deps/nghttp2/lib/nghttp2_option.h +--- node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_option.h 2024-04-15 14:38:00.000000000 +0200 ++++ node-v18.19.1/deps/nghttp2/lib/nghttp2_option.h 2024-04-15 14:43:36.000000000 +0200 +@@ -71,6 +71,7 @@ + NGHTTP2_OPT_SERVER_FALLBACK_RFC7540_PRIORITIES = 1 << 13, + NGHTTP2_OPT_NO_RFC9113_LEADING_AND_TRAILING_WS_VALIDATION = 1 << 14, + NGHTTP2_OPT_STREAM_RESET_RATE_LIMIT = 1 << 15, ++ NGHTTP2_OPT_MAX_CONTINUATIONS = 1 << 16, + } nghttp2_option_flag; + + /** +@@ -99,6 +100,10 @@ + */ + size_t max_settings; + /** ++ * NGHTTP2_OPT_MAX_CONTINUATIONS ++ */ ++ size_t max_continuations; ++ /** + * Bitwise OR of nghttp2_option_flag to determine that which fields + * are specified. + */ +diff -ur node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_session.c node-v18.19.1/deps/nghttp2/lib/nghttp2_session.c +--- node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_session.c 2024-04-15 14:38:00.000000000 +0200 ++++ node-v18.19.1/deps/nghttp2/lib/nghttp2_session.c 2024-04-15 14:43:36.000000000 +0200 +@@ -496,6 +496,7 @@ + (*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN; + (*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM; + (*session_ptr)->max_settings = NGHTTP2_DEFAULT_MAX_SETTINGS; ++ (*session_ptr)->max_continuations = NGHTTP2_DEFAULT_MAX_CONTINUATIONS; + + if (option) { + if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) && +@@ -584,6 +585,10 @@ + option->stream_reset_burst, + option->stream_reset_rate); + } ++ ++ if (option->opt_set_mask & NGHTTP2_OPT_MAX_CONTINUATIONS) { ++ (*session_ptr)->max_continuations = option->max_continuations; ++ } + } + + rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater, +@@ -6778,6 +6783,8 @@ + } + } + session_inbound_frame_reset(session); ++ ++ session->num_continuations = 0; + } + break; + } +@@ -6899,6 +6906,10 @@ + } + #endif /* DEBUGBUILD */ + ++ if (++session->num_continuations > session->max_continuations) { ++ return NGHTTP2_ERR_TOO_MANY_CONTINUATIONS; ++ } ++ + readlen = inbound_frame_buf_read(iframe, in, last); + in += readlen; + +Only in node-v18.19.1/deps/nghttp2/lib: nghttp2_session.c.orig +diff -ur node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_session.h node-v18.19.1/deps/nghttp2/lib/nghttp2_session.h +--- node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_session.h 2024-04-15 14:38:00.000000000 +0200 ++++ node-v18.19.1/deps/nghttp2/lib/nghttp2_session.h 2024-04-15 14:41:10.000000000 +0200 +@@ -110,6 +110,10 @@ + #define NGHTTP2_DEFAULT_STREAM_RESET_BURST 1000 + #define NGHTTP2_DEFAULT_STREAM_RESET_RATE 33 + ++/* The default max number of CONTINUATION frames following an incoming ++ HEADER frame. */ ++#define NGHTTP2_DEFAULT_MAX_CONTINUATIONS 8 ++ + /* Internal state when receiving incoming frame */ + typedef enum { + /* Receiving frame header */ +@@ -290,6 +294,12 @@ + size_t max_send_header_block_length; + /* The maximum number of settings accepted per SETTINGS frame. */ + size_t max_settings; ++ /* The maximum number of CONTINUATION frames following an incoming ++ HEADER frame. */ ++ size_t max_continuations; ++ /* The number of CONTINUATION frames following an incoming HEADER ++ frame. This variable is reset when END_HEADERS flag is seen. */ ++ size_t num_continuations; + /* Next Stream ID. Made unsigned int to detect >= (1 << 31). */ + uint32_t next_stream_id; + /* The last stream ID this session initiated. For client session, diff --git a/SOURCES/nodejs-fips-disable-options.patch b/SOURCES/nodejs-fips-disable-options.patch index 7c4df01..63653e8 100644 --- a/SOURCES/nodejs-fips-disable-options.patch +++ b/SOURCES/nodejs-fips-disable-options.patch @@ -13,7 +13,6 @@ are similarly disabled. Upstream report: https://github.com/nodejs/node/pull/48950 RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=2226726 -Customer case: https://access.redhat.com/support/cases/#/case/03711488 --- lib/crypto.js | 10 ++++++++++ lib/internal/errors.js | 6 ++++++ @@ -80,3 +79,4 @@ index 5734d8f..ef9d1b1 100644 if (fips_provider == nullptr) -- 2.43.2 + diff --git a/SOURCES/nodejs-tarball.sh b/SOURCES/nodejs-tarball.sh index f59d5c2..66f5ca2 100755 --- a/SOURCES/nodejs-tarball.sh +++ b/SOURCES/nodejs-tarball.sh @@ -135,67 +135,109 @@ rm -f node-v${version}.tar.gz set +e # Determine the bundled versions of the various packages +echo "Included software versions" +echo "-------------------------" +echo +echo "Node.js version" +echo "=========================" +echo "${version}" +echo echo "Bundled software versions" echo "-------------------------" echo -echo "libnode shared object version" +echo "libnode shared object version (nodejs_soversion)" echo "=========================" -grep "define NODE_MODULE_VERSION" node-v${version}/src/node_version.h +NODE_SOVERSION=$(grep -oP '(?<=#define NODE_MODULE_VERSION )\d+' node-v${version}/src/node_version.h) +echo "${NODE_SOVERSION}" echo echo "V8" echo "=========================" -grep "define V8_MAJOR_VERSION" node-v${version}/deps/v8/include/v8-version.h -grep "define V8_MINOR_VERSION" node-v${version}/deps/v8/include/v8-version.h -grep "define V8_BUILD_NUMBER" node-v${version}/deps/v8/include/v8-version.h -grep "define V8_PATCH_LEVEL" node-v${version}/deps/v8/include/v8-version.h +V8_MAJOR=$(grep -oP '(?<=#define V8_MAJOR_VERSION )\d+' node-v${version}/deps/v8/include/v8-version.h) +V8_MINOR=$(grep -oP '(?<=#define V8_MINOR_VERSION )\d+' node-v${version}/deps/v8/include/v8-version.h) +V8_BUILD=$(grep -oP '(?<=#define V8_BUILD_NUMBER )\d+' node-v${version}/deps/v8/include/v8-version.h) +V8_PATCH=$(grep -oP '(?<=#define V8_PATCH_LEVEL )\d+' node-v${version}/deps/v8/include/v8-version.h) +echo "${V8_MAJOR}.${V8_MINOR}.${V8_BUILD}.${V8_PATCH}" echo echo "c-ares" echo "=========================" -grep "define ARES_VERSION_MAJOR" node-v${version}/deps/cares/include/ares_version.h -grep "define ARES_VERSION_MINOR" node-v${version}/deps/cares/include/ares_version.h -grep "define ARES_VERSION_PATCH" node-v${version}/deps/cares/include/ares_version.h +C_ARES_VERSION=$(grep -oP '(?<=#define ARES_VERSION_STR ).*\"' node-v${version}/deps/cares/include/ares_version.h |sed -e 's/^"//' -e 's/"$//') +echo $C_ARES_VERSION echo echo "llhttp" echo "=========================" -grep "define LLHTTP_VERSION_MAJOR" node-v${version}/deps/llhttp/include/llhttp.h -grep "define LLHTTP_VERSION_MINOR" node-v${version}/deps/llhttp/include/llhttp.h -grep "define LLHTTP_VERSION_PATCH" node-v${version}/deps/llhttp/include/llhttp.h +LLHTTP_MAJOR=$(grep -oP '(?<=#define LLHTTP_VERSION_MAJOR )\d+' node-v${version}/deps/llhttp/include/llhttp.h) +LLHTTP_MINOR=$(grep -oP '(?<=#define LLHTTP_VERSION_MINOR )\d+' node-v${version}/deps/llhttp/include/llhttp.h) +LLHTTP_PATCH=$(grep -oP '(?<=#define LLHTTP_VERSION_PATCH )\d+' node-v${version}/deps/llhttp/include/llhttp.h) +LLHTTP_VERSION="${LLHTTP_MAJOR}.${LLHTTP_MINOR}.${LLHTTP_PATCH}" +echo $LLHTTP_VERSION echo echo "libuv" echo "=========================" -grep "define UV_VERSION_MAJOR" node-v${version}/deps/uv/include/uv/version.h -grep "define UV_VERSION_MINOR" node-v${version}/deps/uv/include/uv/version.h -grep "define UV_VERSION_PATCH" node-v${version}/deps/uv/include/uv/version.h +UV_MAJOR=$(grep -oP '(?<=#define UV_VERSION_MAJOR )\d+' node-v${version}/deps/uv/include/uv/version.h) +UV_MINOR=$(grep -oP '(?<=#define UV_VERSION_MINOR )\d+' node-v${version}/deps/uv/include/uv/version.h) +UV_PATCH=$(grep -oP '(?<=#define UV_VERSION_PATCH )\d+' node-v${version}/deps/uv/include/uv/version.h) +LIBUV_VERSION="${UV_MAJOR}.${UV_MINOR}.${UV_PATCH}" +echo $LIBUV_VERSION echo echo "nghttp2" echo "=========================" -grep "define NGHTTP2_VERSION " node-v${version}/deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h +NGHTTP2_VERSION=$(grep -oP '(?<=#define NGHTTP2_VERSION ).*\"' node-v${version}/deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h |sed -e 's/^"//' -e 's/"$//') +echo $NGHTTP2_VERSION echo echo "nghttp3" echo "=========================" -grep "define NGHTTP3_VERSION " node-v${version}/deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h +NGHTTP3_VERSION=$(grep -oP '(?<=#define NGHTTP3_VERSION ).*\"' node-v${version}/deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h |sed -e 's/^"//' -e 's/"$//') +echo $NGHTTP3_VERSION echo echo "ngtcp2" echo "=========================" -grep "define NGTCP2_VERSION " node-v${version}/deps/ngtcp2/ngtcp2/lib/includes/ngtcp2/version.h +NGTCP2_VERSION=$(grep -oP '(?<=#define NGTCP2_VERSION ).*\"' node-v${version}/deps/ngtcp2/ngtcp2/lib/includes/ngtcp2/version.h |sed -e 's/^"//' -e 's/"$//') +echo $NGTCP2_VERSION echo echo "ICU" echo "=========================" -grep "url" node-v${version}/tools/icu/current_ver.dep +ICU_MAJOR=$(jq -r '.[0].url' node-v${version}/tools/icu/current_ver.dep | sed --expression='s/.*release-\([[:digit:]]\+\)-\([[:digit:]]\+\).*/\1/g') +ICU_MINOR=$(jq -r '.[0].url' node-v${version}/tools/icu/current_ver.dep | sed --expression='s/.*release-\([[:digit:]]\+\)-\([[:digit:]]\+\).*/\2/g') +echo "${ICU_MAJOR}.${ICU_MINOR}" +echo +echo "simdutf" +echo "=========================" +SIMDUTF_VERSION=$(grep -oP '(?<=#define SIMDUTF_VERSION ).*\"' node-v${version}/deps/simdutf/simdutf.h |sed -e 's/^"//' -e 's/"$//') +echo $SIMDUTF_VERSION +echo +echo "ada" +echo "=========================" +ADA_VERSION=$(grep -osP '(?<=#define ADA_VERSION ).*\"' node-v${version}/deps/ada/ada.h |sed -e 's/^"//' -e 's/"$//') +ADA_VERSION=${ADA_VERSION:-0} +echo "${ADA_VERSION}" echo echo "punycode" echo "=========================" -grep "'version'" node-v${version}/lib/punycode.js +PUNYCODE_VERSION=$(grep -oP "'version': '\K[^']+" ./node-v${version}/lib/punycode.js) +echo $PUNYCODE_VERSION +echo +echo "npm" +echo "=========================" +NPM_VERSION=$(jq -r .version ./node-v${version}/deps/npm/package.json) +echo $NPM_VERSION +echo +echo "corepack" +echo "=========================" +COREPACK_VERSION=$(jq -r .version ./node-v${version}/deps/corepack/package.json) +echo $COREPACK_VERSION echo echo "uvwasi" echo "=========================" -grep "define UVWASI_VERSION_MAJOR" node-v${version}/deps/uvwasi/include/uvwasi.h -grep "define UVWASI_VERSION_MINOR" node-v${version}/deps/uvwasi/include/uvwasi.h -grep "define UVWASI_VERSION_PATCH" node-v${version}/deps/uvwasi/include/uvwasi.h +UVWASI_MAJOR=$(grep -oP '(?<=#define UVWASI_VERSION_MAJOR )\d+' node-v${version}/deps/uvwasi/include/uvwasi.h) +UVWASI_MINOR=$(grep -oP '(?<=#define UVWASI_VERSION_MINOR )\d+' node-v${version}/deps/uvwasi/include/uvwasi.h) +UVWASI_PATCH=$(grep -oP '(?<=#define UVWASI_VERSION_PATCH )\d+' node-v${version}/deps/uvwasi/include/uvwasi.h) +UVWASI_VERSION="${UVWASI_MAJOR}.${UVWASI_MINOR}.${UVWASI_PATCH}" +echo $UVWASI_VERSION echo -echo "npm" +echo "histogram_c" echo "=========================" -grep "\"version\":" node-v${version}/deps/npm/package.json +HISTOGRAM_VERSION=$(grep -oP '(?<=#define HDR_HISTOGRAM_VERSION ).*\"' node-v${version}/deps/histogram/include/hdr/hdr_histogram_version.h|sed -e 's/^"//' -e 's/"$//') +echo $HISTOGRAM_VERSION echo echo "Make sure these versions match what is in the RPM spec file" diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec index 402c0eb..be44eb8 100644 --- a/SPECS/nodejs.spec +++ b/SPECS/nodejs.spec @@ -29,7 +29,7 @@ # This is used by both the nodejs package and the npm subpackage that # has a separate version - the name is special so that rpmdev-bumpspec # will bump this rather than adding .1 to the end. -%global baserelease 1 +%global baserelease 2 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}} @@ -40,8 +40,8 @@ # than a Fedora release lifecycle. %global nodejs_epoch 1 %global nodejs_major 18 -%global nodejs_minor 19 -%global nodejs_patch 1 +%global nodejs_minor 20 +%global nodejs_patch 2 %global nodejs_abi %{nodejs_major}.%{nodejs_minor} # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h %global nodejs_soversion 108 @@ -65,10 +65,10 @@ # c-ares - from deps/cares/include/ares_version.h # https://github.com/nodejs/node/pull/9332 -%global c_ares_version 1.20.1 +%global c_ares_version 1.27.0 # llhttp - from deps/llhttp/include/llhttp.h -%global llhttp_version 6.1.0 +%global llhttp_version 6.1.1 # libuv - from deps/uv/include/uv/version.h %global libuv_version 1.44.2 @@ -89,7 +89,7 @@ %global ngtcp2_version %{ngtcp2_major}.%{ngtcp2_minor}.%{ngtcp2_patch} # ICU - from tools/icu/current_ver.dep -%global icu_major 73 +%global icu_major 74 %global icu_minor 2 %global icu_version %{icu_major}.%{icu_minor} @@ -108,13 +108,13 @@ %endif # simduft from deps/simdutf/simdutf.h -%global simduft_major 3 -%global simduft_minor 2 -%global simduft_patch 14 +%global simduft_major 4 +%global simduft_minor 0 +%global simduft_patch 8 %global simduft_version %{simduft_major}.%{simduft_minor}.%{simduft_patch} # ada from deps/ada/ada.h -%global ada_version 2.6.0 +%global ada_version 2.7.6 # OpenSSL minimum version %global openssl_minimum 1:1.1.1 @@ -126,7 +126,7 @@ # npm - from deps/npm/package.json %global npm_epoch 1 -%global npm_version 10.2.4 +%global npm_version 10.5.0 # In order to avoid needing to keep incrementing the release version for the # main package forever, we will just construct one for npm that is guaranteed @@ -181,14 +181,15 @@ Source101: cjs-module-lexer-1.2.2.tar.gz Source111: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-11.0-linux.tar.gz # Version: jq '.version' deps/undici/src/package.json -# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.28.3.tar.gz -# Adjustments: rm -f undici-5.28.3/lib/llhttp/llhttp*.wasm +# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.28.4.tar.gz +# Adjustments: rm -f undici-5.28.4/lib/llhttp/llhttp*.wasm # Build uses alpine image, see alpine for sources for wasi-sdk -Source102: undici-5.28.3.tar.gz +Source102: undici-5.28.4.tar.gz # Disable running gyp on bundled deps we don't use Patch1: 0001-Disable-running-gyp-on-shared-deps.patch Patch3: nodejs-fips-disable-options.patch +Patch4: CVE-2024-28182.patch BuildRequires: make BuildRequires: python3-devel @@ -530,6 +531,11 @@ find %{buildroot}%{_prefix}/lib/node_modules/npm \ -executable -type f \ -exec chmod -x {} \; +# Remove powwershell files form npm +# it isn't useful for linux systems +# is caused problems - it creates /usr/bin/pwsh requirement +find %{buildroot}%{_prefix}/lib/node_modules/npm/bin/*.ps1 -executable -type f -exec rm {} \; + # The above command is a little overzealous. Add a few permissions back. chmod 0755 %{buildroot}%{_prefix}/lib/node_modules/npm/node_modules/@npmcli/run-script/lib/node-gyp-bin/node-gyp chmod 0755 %{buildroot}%{_prefix}/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js @@ -628,19 +634,18 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/nod %changelog -* Thu Feb 29 2024 Lukas Javorsky - 1:18.19.1-1 +* Mon Apr 15 2024 Filip Janus - 1:18.20.2-2 +- Rebase to 18.20.2 +- Fixes: CVE-2024-27983, CVE-2024-28182, CVE-2024-27982, CVE-2024-25629 + +* Tue Mar 05 2024 Lukas Javorsky - 1:18.19.1-1 - Rebase to version 18.19.1 -- Fix FIPS handling of the cmd-line options (RHBZ#2226726) -- Resolves: RHEL-26695 RHEL-26009 RHEL-26690 +- Fixes: CVE-2024-21892 CVE-2024-22019 (high) +- Fixes: CVE-2023-46809 (medium) * Thu Jan 18 2024 Jan Staněk - 1:18.19.0-1 - Rebase to version 18.19.0 - Resolves: RHEL-21438 - -* Sat Oct 14 2023 Zuzana Svetlikova - 1:18.18.2-1 -- Rebase to 18.18.2 (Security release) -- Switch icu from zip to tgz -- Fixes #2228925, CVE-2023-45143, CVE-2023-44487, CVE-2023-38552, CVE-2023-39333 + Resolves: RHEL-21436 * Wed Aug 23 2023 Jan Staněk - 1:18.17.1-1 - Rebase to version 18.17.1