From 3943f1898007e853f06c3de652df37269072c656 Mon Sep 17 00:00:00 2001 From: MSVSphere Packaging Team Date: Mon, 20 May 2024 20:44:04 +0300 Subject: [PATCH] import nodejs-20.12.2-2.module+el8.9.0+21743+0b3f1be2 --- .gitignore | 6 +- .nodejs.metadata | 8 +- ...1-Disable-running-gyp-on-shared-deps.patch | 10 +- SOURCES/0002-Disable-FIPS-options.patch | 85 ++++++++++++++ ...ON-frames-following-an-incoming-HEAD.patch | 107 ++++++++++++++++++ ...nghttp2_option_set_max_continuations.patch | 89 +++++++++++++++ SOURCES/nodejs-fips-disable-options.patch | 20 ---- SPECS/nodejs.spec | 50 +++++--- 8 files changed, 325 insertions(+), 50 deletions(-) create mode 100644 SOURCES/0002-Disable-FIPS-options.patch create mode 100644 SOURCES/0003-Limit-CONTINUATION-frames-following-an-incoming-HEAD.patch create mode 100644 SOURCES/0004-Add-nghttp2_option_set_max_continuations.patch delete mode 100644 SOURCES/nodejs-fips-disable-options.patch diff --git a/.gitignore b/.gitignore index 5593f7f..333279c 100644 --- a/.gitignore +++ b/.gitignore @@ -1,6 +1,6 @@ SOURCES/cjs-module-lexer-1.2.2.tar.gz -SOURCES/icu4c-73_2-src.tgz -SOURCES/node-v20.11.0-stripped.tar.gz -SOURCES/undici-5.27.2.tar.gz +SOURCES/icu4c-74_2-src.tgz +SOURCES/node-v20.12.2-stripped.tar.gz +SOURCES/undici-5.28.4.tar.gz SOURCES/wasi-sdk-wasi-sdk-11.tar.gz SOURCES/wasi-sdk-wasi-sdk-16.tar.gz diff --git a/.nodejs.metadata b/.nodejs.metadata index abe7b12..df487bb 100644 --- a/.nodejs.metadata +++ b/.nodejs.metadata @@ -1,6 +1,6 @@ -36854f5860acf4b3f8ef8a08cd4240c81c8ae013 SOURCES/cjs-module-lexer-1.2.2.tar.gz -3d94969b097189bf5479c312d9593d2d252f5a73 SOURCES/icu4c-73_2-src.tgz -77fb048d100d9663d417274bc38c3f53a9e58f9e SOURCES/node-v20.11.0-stripped.tar.gz -6ae4fbe44f94670fdd1c1f0072ac7d6ed106d402 SOURCES/undici-5.27.2.tar.gz +164f7f39841415284b0280a648c43bd7ea1615ac SOURCES/cjs-module-lexer-1.2.2.tar.gz +43a8d688a3a6bc8f0f8c5e699d0ef7a905d24314 SOURCES/icu4c-74_2-src.tgz +f25c352600b72849a7241017ffc64bb0fe339d4d SOURCES/node-v20.12.2-stripped.tar.gz +2be9cb115c2832e1fda9e730fa92e0bf725b6f3d SOURCES/undici-5.28.4.tar.gz 8979d177dd62e3b167a6fd7dc7185adb0128c439 SOURCES/wasi-sdk-wasi-sdk-11.tar.gz fbe01909bf0e8260fcc3696ec37c9f731b5e356a SOURCES/wasi-sdk-wasi-sdk-16.tar.gz diff --git a/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch b/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch index 87acfb9..39eb75f 100644 --- a/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch +++ b/SOURCES/0001-Disable-running-gyp-on-shared-deps.patch @@ -1,4 +1,4 @@ -From c73e0892eb1d0aa2df805618c019dc5c96b79705 Mon Sep 17 00:00:00 2001 +From 2da7f25d9311bdea702b4b435830c02ce78b3ab9 Mon Sep 17 00:00:00 2001 From: rpm-build Date: Tue, 30 May 2023 13:12:35 +0200 Subject: [PATCH] Disable running gyp on shared deps @@ -10,7 +10,7 @@ Signed-off-by: rpm-build 2 files changed, 1 insertion(+), 18 deletions(-) diff --git a/Makefile b/Makefile -index 0be0659..3c44201 100644 +index 7bd80d0..c43a50f 100644 --- a/Makefile +++ b/Makefile @@ -169,7 +169,7 @@ with-code-cache test-code-cache: @@ -23,10 +23,10 @@ index 0be0659..3c44201 100644 tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \ tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp diff --git a/node.gyp b/node.gyp -index cf52281..c33b57b 100644 +index 4aac640..aa0ba88 100644 --- a/node.gyp +++ b/node.gyp -@@ -430,23 +430,6 @@ +@@ -775,23 +775,6 @@ ], }, ], @@ -51,5 +51,5 @@ index cf52281..c33b57b 100644 ], }, # node_core_target_name -- -2.41.0 +2.44.0 diff --git a/SOURCES/0002-Disable-FIPS-options.patch b/SOURCES/0002-Disable-FIPS-options.patch new file mode 100644 index 0000000..49331ef --- /dev/null +++ b/SOURCES/0002-Disable-FIPS-options.patch @@ -0,0 +1,85 @@ +From 4caaf9c19d3c058f5b89ecd9fc721ee49370651a Mon Sep 17 00:00:00 2001 +From: Michael Dawson +Date: Fri, 23 Feb 2024 13:43:56 +0100 +Subject: [PATCH] Disable FIPS options + +On RHEL, FIPS should be configured only on system level. +Additionally, the related options may cause segfault when used on RHEL. + +This patch causes the option processing to end sooner +than the problematic code gets executed. +Additionally, the JS-level options to mess with FIPS settings +are similarly disabled. + +Upstream report: https://github.com/nodejs/node/pull/48950 +RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=2226726 +Customer case: https://access.redhat.com/support/cases/#/case/03711488 + +Signed-off-by: rpm-build +--- + lib/crypto.js | 10 ++++++++++ + lib/internal/errors.js | 6 ++++++ + src/crypto/crypto_util.cc | 2 ++ + 3 files changed, 18 insertions(+) + +diff --git a/lib/crypto.js b/lib/crypto.js +index 1216f3a..fbfcb26 100644 +--- a/lib/crypto.js ++++ b/lib/crypto.js +@@ -36,6 +36,9 @@ const { + assertCrypto(); + + const { ++ // RHEL specific error ++ ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED, ++ + ERR_CRYPTO_FIPS_FORCED, + ERR_WORKER_UNSUPPORTED_OPERATION, + } = require('internal/errors').codes; +@@ -253,6 +256,13 @@ function getFips() { + } + + function setFips(val) { ++ // in RHEL FIPS enable/disable should only be done at system level ++ if (getFips() != val) { ++ throw new ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED(); ++ } else { ++ return; ++ } ++ + if (getOptionValue('--force-fips')) { + if (val) return; + throw new ERR_CRYPTO_FIPS_FORCED(); +diff --git a/lib/internal/errors.js b/lib/internal/errors.js +index def4949..580ca7a 100644 +--- a/lib/internal/errors.js ++++ b/lib/internal/errors.js +@@ -1112,6 +1112,12 @@ module.exports = { + // + // Note: Node.js specific errors must begin with the prefix ERR_ + ++// insert RHEL specific erro ++E('ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED', ++ 'Cannot set FIPS mode. FIPS should be enabled/disabled at system level. See' + ++ 'https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening for more details.\n', ++ Error); ++ + E('ERR_ACCESS_DENIED', + 'Access to this API has been restricted. Permission: %s', + Error); +diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc +index 5734d8f..ef9d1b1 100644 +--- a/src/crypto/crypto_util.cc ++++ b/src/crypto/crypto_util.cc +@@ -121,6 +121,8 @@ bool ProcessFipsOptions() { + /* Override FIPS settings in configuration file, if needed. */ + if (per_process::cli_options->enable_fips_crypto || + per_process::cli_options->force_fips_crypto) { ++ fprintf(stderr, "ERROR: Using options related to FIPS is not recommended, configure FIPS in openssl instead. See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening for more details.\n"); ++ return false; + #if OPENSSL_VERSION_MAJOR >= 3 + OSSL_PROVIDER* fips_provider = OSSL_PROVIDER_load(nullptr, "fips"); + if (fips_provider == nullptr) +-- +2.44.0 + diff --git a/SOURCES/0003-Limit-CONTINUATION-frames-following-an-incoming-HEAD.patch b/SOURCES/0003-Limit-CONTINUATION-frames-following-an-incoming-HEAD.patch new file mode 100644 index 0000000..257705d --- /dev/null +++ b/SOURCES/0003-Limit-CONTINUATION-frames-following-an-incoming-HEAD.patch @@ -0,0 +1,107 @@ +From d9a06fe94439d9f103aeffe597441c0a2c0a4eb3 Mon Sep 17 00:00:00 2001 +From: Tatsuhiro Tsujikawa +Date: Sat, 9 Mar 2024 16:26:42 +0900 +Subject: [PATCH] Limit CONTINUATION frames following an incoming HEADER frame + +Signed-off-by: rpm-build +--- + deps/nghttp2/lib/includes/nghttp2/nghttp2.h | 7 ++++++- + deps/nghttp2/lib/nghttp2_helper.c | 2 ++ + deps/nghttp2/lib/nghttp2_session.c | 7 +++++++ + deps/nghttp2/lib/nghttp2_session.h | 10 ++++++++++ + 4 files changed, 25 insertions(+), 1 deletion(-) + +diff --git a/deps/nghttp2/lib/includes/nghttp2/nghttp2.h b/deps/nghttp2/lib/includes/nghttp2/nghttp2.h +index 8891760..a9629c7 100644 +--- a/deps/nghttp2/lib/includes/nghttp2/nghttp2.h ++++ b/deps/nghttp2/lib/includes/nghttp2/nghttp2.h +@@ -466,7 +466,12 @@ typedef enum { + * exhaustion on server side to send these frames forever and does + * not read network. + */ +- NGHTTP2_ERR_FLOODED = -904 ++ NGHTTP2_ERR_FLOODED = -904, ++ /** ++ * When a local endpoint receives too many CONTINUATION frames ++ * following a HEADER frame. ++ */ ++ NGHTTP2_ERR_TOO_MANY_CONTINUATIONS = -905, + } nghttp2_error; + + /** +diff --git a/deps/nghttp2/lib/nghttp2_helper.c b/deps/nghttp2/lib/nghttp2_helper.c +index 93dd475..b3563d9 100644 +--- a/deps/nghttp2/lib/nghttp2_helper.c ++++ b/deps/nghttp2/lib/nghttp2_helper.c +@@ -336,6 +336,8 @@ const char *nghttp2_strerror(int error_code) { + "closed"; + case NGHTTP2_ERR_TOO_MANY_SETTINGS: + return "SETTINGS frame contained more than the maximum allowed entries"; ++ case NGHTTP2_ERR_TOO_MANY_CONTINUATIONS: ++ return "Too many CONTINUATION frames following a HEADER frame"; + default: + return "Unknown error code"; + } +diff --git a/deps/nghttp2/lib/nghttp2_session.c b/deps/nghttp2/lib/nghttp2_session.c +index 226cdd5..e343365 100644 +--- a/deps/nghttp2/lib/nghttp2_session.c ++++ b/deps/nghttp2/lib/nghttp2_session.c +@@ -497,6 +497,7 @@ static int session_new(nghttp2_session **session_ptr, + (*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN; + (*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM; + (*session_ptr)->max_settings = NGHTTP2_DEFAULT_MAX_SETTINGS; ++ (*session_ptr)->max_continuations = NGHTTP2_DEFAULT_MAX_CONTINUATIONS; + + if (option) { + if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) && +@@ -6812,6 +6813,8 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session, + } + } + session_inbound_frame_reset(session); ++ ++ session->num_continuations = 0; + } + break; + } +@@ -6933,6 +6936,10 @@ nghttp2_ssize nghttp2_session_mem_recv2(nghttp2_session *session, + } + #endif /* DEBUGBUILD */ + ++ if (++session->num_continuations > session->max_continuations) { ++ return NGHTTP2_ERR_TOO_MANY_CONTINUATIONS; ++ } ++ + readlen = inbound_frame_buf_read(iframe, in, last); + in += readlen; + +diff --git a/deps/nghttp2/lib/nghttp2_session.h b/deps/nghttp2/lib/nghttp2_session.h +index b119329..ef8f7b2 100644 +--- a/deps/nghttp2/lib/nghttp2_session.h ++++ b/deps/nghttp2/lib/nghttp2_session.h +@@ -110,6 +110,10 @@ typedef struct { + #define NGHTTP2_DEFAULT_STREAM_RESET_BURST 1000 + #define NGHTTP2_DEFAULT_STREAM_RESET_RATE 33 + ++/* The default max number of CONTINUATION frames following an incoming ++ HEADER frame. */ ++#define NGHTTP2_DEFAULT_MAX_CONTINUATIONS 8 ++ + /* Internal state when receiving incoming frame */ + typedef enum { + /* Receiving frame header */ +@@ -290,6 +294,12 @@ struct nghttp2_session { + size_t max_send_header_block_length; + /* The maximum number of settings accepted per SETTINGS frame. */ + size_t max_settings; ++ /* The maximum number of CONTINUATION frames following an incoming ++ HEADER frame. */ ++ size_t max_continuations; ++ /* The number of CONTINUATION frames following an incoming HEADER ++ frame. This variable is reset when END_HEADERS flag is seen. */ ++ size_t num_continuations; + /* Next Stream ID. Made unsigned int to detect >= (1 << 31). */ + uint32_t next_stream_id; + /* The last stream ID this session initiated. For client session, +-- +2.44.0 + diff --git a/SOURCES/0004-Add-nghttp2_option_set_max_continuations.patch b/SOURCES/0004-Add-nghttp2_option_set_max_continuations.patch new file mode 100644 index 0000000..87b490f --- /dev/null +++ b/SOURCES/0004-Add-nghttp2_option_set_max_continuations.patch @@ -0,0 +1,89 @@ +From ca0a0b02da4db1d65eca8169c6e27bb635924dfb Mon Sep 17 00:00:00 2001 +From: Tatsuhiro Tsujikawa +Date: Sat, 9 Mar 2024 16:48:10 +0900 +Subject: [PATCH] Add nghttp2_option_set_max_continuations + +Signed-off-by: rpm-build +--- + deps/nghttp2/lib/includes/nghttp2/nghttp2.h | 11 +++++++++++ + deps/nghttp2/lib/nghttp2_option.c | 5 +++++ + deps/nghttp2/lib/nghttp2_option.h | 5 +++++ + deps/nghttp2/lib/nghttp2_session.c | 4 ++++ + 4 files changed, 25 insertions(+) + +diff --git a/deps/nghttp2/lib/includes/nghttp2/nghttp2.h b/deps/nghttp2/lib/includes/nghttp2/nghttp2.h +index a9629c7..92c3ccc 100644 +--- a/deps/nghttp2/lib/includes/nghttp2/nghttp2.h ++++ b/deps/nghttp2/lib/includes/nghttp2/nghttp2.h +@@ -3210,6 +3210,17 @@ NGHTTP2_EXTERN void + nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option, + uint64_t burst, uint64_t rate); + ++/** ++ * @function ++ * ++ * This function sets the maximum number of CONTINUATION frames ++ * following an incoming HEADER frame. If more than those frames are ++ * received, the remote endpoint is considered to be misbehaving and ++ * session will be closed. The default value is 8. ++ */ ++NGHTTP2_EXTERN void nghttp2_option_set_max_continuations(nghttp2_option *option, ++ size_t val); ++ + /** + * @function + * +diff --git a/deps/nghttp2/lib/nghttp2_option.c b/deps/nghttp2/lib/nghttp2_option.c +index 43d4e95..53144b9 100644 +--- a/deps/nghttp2/lib/nghttp2_option.c ++++ b/deps/nghttp2/lib/nghttp2_option.c +@@ -150,3 +150,8 @@ void nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option, + option->stream_reset_burst = burst; + option->stream_reset_rate = rate; + } ++ ++void nghttp2_option_set_max_continuations(nghttp2_option *option, size_t val) { ++ option->opt_set_mask |= NGHTTP2_OPT_MAX_CONTINUATIONS; ++ option->max_continuations = val; ++} +diff --git a/deps/nghttp2/lib/nghttp2_option.h b/deps/nghttp2/lib/nghttp2_option.h +index 2259e18..c89cb97 100644 +--- a/deps/nghttp2/lib/nghttp2_option.h ++++ b/deps/nghttp2/lib/nghttp2_option.h +@@ -71,6 +71,7 @@ typedef enum { + NGHTTP2_OPT_SERVER_FALLBACK_RFC7540_PRIORITIES = 1 << 13, + NGHTTP2_OPT_NO_RFC9113_LEADING_AND_TRAILING_WS_VALIDATION = 1 << 14, + NGHTTP2_OPT_STREAM_RESET_RATE_LIMIT = 1 << 15, ++ NGHTTP2_OPT_MAX_CONTINUATIONS = 1 << 16, + } nghttp2_option_flag; + + /** +@@ -98,6 +99,10 @@ struct nghttp2_option { + * NGHTTP2_OPT_MAX_SETTINGS + */ + size_t max_settings; ++ /** ++ * NGHTTP2_OPT_MAX_CONTINUATIONS ++ */ ++ size_t max_continuations; + /** + * Bitwise OR of nghttp2_option_flag to determine that which fields + * are specified. +diff --git a/deps/nghttp2/lib/nghttp2_session.c b/deps/nghttp2/lib/nghttp2_session.c +index e343365..555032d 100644 +--- a/deps/nghttp2/lib/nghttp2_session.c ++++ b/deps/nghttp2/lib/nghttp2_session.c +@@ -586,6 +586,10 @@ static int session_new(nghttp2_session **session_ptr, + option->stream_reset_burst, + option->stream_reset_rate); + } ++ ++ if (option->opt_set_mask & NGHTTP2_OPT_MAX_CONTINUATIONS) { ++ (*session_ptr)->max_continuations = option->max_continuations; ++ } + } + + rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater, +-- +2.44.0 + diff --git a/SOURCES/nodejs-fips-disable-options.patch b/SOURCES/nodejs-fips-disable-options.patch deleted file mode 100644 index 998fb91..0000000 --- a/SOURCES/nodejs-fips-disable-options.patch +++ /dev/null @@ -1,20 +0,0 @@ -FIPS related options cause a segfault, let's end sooner - -Upstream report: https://github.com/nodejs/node/pull/48950 -RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=2226726 - -This patch makes the part of the code that processes cmd-line options for -FIPS to end sooner before the code gets to the problematic part of the code. - -diff -up node-v18.16.1/src/crypto/crypto_util.cc.origfips node-v18.16.1/src/crypto/crypto_util.cc ---- node-v18.16.1/src/crypto/crypto_util.cc.origfips 2023-07-31 12:09:46.603683081 +0200 -+++ node-v18.16.1/src/crypto/crypto_util.cc 2023-07-31 12:16:16.906617914 +0200 -@@ -111,6 +111,8 @@ bool ProcessFipsOptions() { - /* Override FIPS settings in configuration file, if needed. */ - if (per_process::cli_options->enable_fips_crypto || - per_process::cli_options->force_fips_crypto) { -+ fprintf(stderr, "ERROR: Using options related to FIPS is not recommended, configure FIPS in openssl instead. See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening for more details.\n"); -+ return false; - #if OPENSSL_VERSION_MAJOR >= 3 - OSSL_PROVIDER* fips_provider = OSSL_PROVIDER_load(nullptr, "fips"); - if (fips_provider == nullptr) diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec index c7ac8bd..f0fd8d1 100644 --- a/SPECS/nodejs.spec +++ b/SPECS/nodejs.spec @@ -33,7 +33,7 @@ # This is used by both the nodejs package and the npm subpackage that # has a separate version - the name is special so that rpmdev-bumpspec # will bump this rather than adding .1 to the end. -%global baserelease 1 +%global baserelease 2 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}} @@ -44,8 +44,8 @@ # than a Fedora release lifecycle. %global nodejs_epoch 1 %global nodejs_major 20 -%global nodejs_minor 11 -%global nodejs_patch 0 +%global nodejs_minor 12 +%global nodejs_patch 2 %global nodejs_abi %{nodejs_major}.%{nodejs_minor} # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h %global nodejs_soversion 115 @@ -69,16 +69,16 @@ # c-ares - from deps/cares/include/ares_version.h # https://github.com/nodejs/node/pull/9332 -%global c_ares_version 1.20.1 +%global c_ares_version 1.27.0 # llhttp - from deps/llhttp/include/llhttp.h -%global llhttp_version 8.1.1 +%global llhttp_version 8.1.2 # libuv - from deps/uv/include/uv/version.h %global libuv_version 1.46.0 # nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h -%global nghttp2_version 1.58.0 +%global nghttp2_version 1.60.0 # nghttp3 - from deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h %global nghttp3_version 0.7.0 @@ -87,7 +87,7 @@ %global ngtcp2_version 0.8.1 # ICU - from tools/icu/current_ver.dep -%global icu_major 73 +%global icu_major 74 %global icu_minor 2 %global icu_version %{icu_major}.%{icu_minor} @@ -106,10 +106,10 @@ %endif # simduft from deps/simdutf/simdutf.h -%global simduft_version 4.0.4 +%global simduft_version 4.0.8 # ada from deps/ada/ada.h -%global ada_version 2.7.4 +%global ada_version 2.7.6 # OpenSSL minimum version %global openssl_minimum 1:1.1.1 @@ -122,7 +122,7 @@ # npm - from deps/npm/package.json %global npm_epoch 1 -%global npm_version 10.2.4 +%global npm_version 10.5.0 # In order to avoid needing to keep incrementing the release version for the # main package forever, we will just construct one for npm that is guaranteed @@ -132,10 +132,10 @@ # Node.js 16.9.1 and later comes with an experimental package management tool # corepack - from deps/corepack/package.json -%global corepack_version 0.23.0 +%global corepack_version 0.25.2 # uvwasi - from deps/uvwasi/include/uvwasi.h -%global uvwasi_version 0.0.19 +%global uvwasi_version 0.0.20 # histogram_c - from deps/histogram/include/hdr/hdr_histogram_version.h %global histogram_version 0.11.8 @@ -181,9 +181,9 @@ Source101: cjs-module-lexer-1.2.2.tar.gz Source102: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-wasi-sdk-11.tar.gz # Version: jq '.version' deps/undici/src/package.json -# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.27.2.tar.gz -# Adjustments: rm -f undici-5.27.2/lib/llhttp/llhttp*.wasm* -Source111: undici-5.27.2.tar.gz +# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.28.3.tar.gz +# Adjustments: rm -f undici-5.28.4/lib/llhttp/llhttp*.wasm* +Source111: undici-5.28.4.tar.gz # The WASM blob was made using wasi-sdk v16; compiler libraries are linked in. # Version source: deps/undici/src/lib/llhttp/wasm_build_env.txt # Also check (undici tarball): lib/llhttp/wasm_build_env.txt @@ -191,7 +191,9 @@ Source112: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-16/wasi-sdk- # Disable running gyp on bundled deps we don't use Patch1: 0001-Disable-running-gyp-on-shared-deps.patch -Patch3: nodejs-fips-disable-options.patch +Patch2: 0002-Disable-FIPS-options.patch +Patch3: 0003-Limit-CONTINUATION-frames-following-an-incoming-HEAD.patch +Patch4: 0004-Add-nghttp2_option_set_max_continuations.patch BuildRequires: make BuildRequires: python3-devel @@ -434,7 +436,7 @@ export CFLAGS="%{optflags} ${extra_cflags[*]}" CXXFLAGS="%{optflags} ${extra_cfl export LDFLAGS="%{build_ldflags}" %{__python3} configure.py --prefix=%{_prefix} --verbose \ - --shared-openssl \ + --shared-openssl --openssl-conf-name=openssl_conf \ --shared-zlib \ --shared-brotli \ %{!?with_bundled:--shared-libuv} \ @@ -485,7 +487,7 @@ popd # deps %install rm -rf %{buildroot} -./tools/install.py install %{buildroot} %{_prefix} +./tools/install.py install --dest-dir=%{buildroot} --prefix=%{_prefix} # Set the binary permissions properly chmod 0755 %{buildroot}/%{_bindir}/node @@ -722,6 +724,18 @@ end %changelog +* Tue Apr 16 2024 Jan Staněk - 1:20.12.2-2 +- Backport nghttp2 patch for CVE-2024-28182 + +* Tue Apr 16 2024 Jan Staněk - 1:20.12.2-1 +- Rebase to version 20.12.0 + Fixes: CVE-2024-27983 CVE-2024-27982 CVE-2024-22025 (node) + Fixes: CVE-2024-25629 (c-ares) + +* Wed Feb 21 2024 Lukas Javorsky - 1:20.11.1-1 +- Rebase to version 20.11.1 +- Resolves: RHEL-26017 RHEL-26266 RHEL-26685 RHEL-26686 RHEL-26004 RHEL-26596 RHEL-26688 + * Fri Jan 19 2024 Lukas Javorsky - 1:20.11.0-1 - Rebase to version 20.11.0 - Resolves: RHEL-21435