import nodejs-20.8.1-1.module+el8.9.0+20473+c4e3d824

9 months ago · 5c85737b79
parent e640e39eb6
commit 5c85737b79
4 changed files with 39 additions and 12 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,6 +1,6 @@
 SOURCES/cjs-module-lexer-1.2.2.tar.gz
 SOURCES/icu4c-73_2-src.tgz
-SOURCES/node-v20.5.1-stripped.tar.gz
-SOURCES/undici-5.22.1.tar.gz
+SOURCES/node-v20.8.1-stripped.tar.gz
+SOURCES/undici-5.26.3.tar.gz
 SOURCES/wasi-sdk-wasi-sdk-11.tar.gz
 SOURCES/wasi-sdk-wasi-sdk-14.tar.gz
--- a/.nodejs.metadata
+++ b/.nodejs.metadata
@ -1,6 +1,6 @@
 d879d8062a018d91b007ef6b36f7dd026654b982 SOURCES/cjs-module-lexer-1.2.2.tar.gz
 3d94969b097189bf5479c312d9593d2d252f5a73 SOURCES/icu4c-73_2-src.tgz
-1ecddb27a2e04a7829870f11ffcb6dbd3e859f43 SOURCES/node-v20.5.1-stripped.tar.gz
-616384b209d651b7cb7b41a8a7752eb2e923806a SOURCES/undici-5.22.1.tar.gz
+b3edea244cd33d60c4a632020fc059062c075cb0 SOURCES/node-v20.8.1-stripped.tar.gz
+edb9aa7012424bfe24514b5ea5b99ef3733651ab SOURCES/undici-5.26.3.tar.gz
 8979d177dd62e3b167a6fd7dc7185adb0128c439 SOURCES/wasi-sdk-wasi-sdk-11.tar.gz
 900a50a32f0079d53c299db92b88bb3c5d2022b8 SOURCES/wasi-sdk-wasi-sdk-14.tar.gz
--- a/SOURCES/nodejs-fips-disable-options.patch
+++ b/SOURCES/nodejs-fips-disable-options.patch
@ -0,0 +1,20 @@
+FIPS related options cause a segfault, let's end sooner
+
+Upstream report: https://github.com/nodejs/node/pull/48950
+RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=2226726
+
+This patch makes the part of the code that processes cmd-line options for
+FIPS to end sooner before the code gets to the problematic part of the code.
+
+diff -up node-v18.16.1/src/crypto/crypto_util.cc.origfips node-v18.16.1/src/crypto/crypto_util.cc
+--- node-v18.16.1/src/crypto/crypto_util.cc.origfips	2023-07-31 12:09:46.603683081 +0200
+++ node-v18.16.1/src/crypto/crypto_util.cc	2023-07-31 12:16:16.906617914 +0200
+@@ -111,6 +111,8 @@ bool ProcessFipsOptions() {
+   /* Override FIPS settings in configuration file, if needed. */
+   if (per_process::cli_options->enable_fips_crypto ||
+       per_process::cli_options->force_fips_crypto) {
+      fprintf(stderr, "ERROR: Using options related to FIPS is not recommended, configure FIPS in openssl instead. See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening for more details.\n");
+      return false;
+ #if OPENSSL_VERSION_MAJOR >= 3
+     OSSL_PROVIDER* fips_provider = OSSL_PROVIDER_load(nullptr, "fips");
+     if (fips_provider == nullptr)
--- a/SPECS/nodejs.spec
+++ b/SPECS/nodejs.spec
@ -44,7 +44,7 @@
 # than a Fedora release lifecycle.
 %global nodejs_epoch 1
 %global nodejs_major 20
-%global nodejs_minor 5
+%global nodejs_minor 8
 %global nodejs_patch 1
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
@ -78,7 +78,7 @@
 %global libuv_version 1.46.0

 # nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h
-%global nghttp2_version 1.55.1
+%global nghttp2_version 1.57.0

 # nghttp3 - from deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h
 %global nghttp3_version 0.7.0
@ -106,10 +106,10 @@
 %endif

 # simduft from deps/simdutf/simdutf.h
-%global simduft_version 3.2.14
+%global simduft_version 3.2.17

 # ada from deps/ada/ada.h
-%global ada_version 2.5.1
+%global ada_version 2.6.0

 # OpenSSL minimum version
 %global openssl_minimum 1:1.1.1
@ -122,7 +122,7 @@

 # npm - from deps/npm/package.json
 %global npm_epoch 1
-%global npm_version 9.8.0
+%global npm_version 10.1.0

 # In order to avoid needing to keep incrementing the release version for the
 # main package forever, we will just construct one for npm that is guaranteed
@ -132,7 +132,7 @@

 # Node.js 16.9.1 and later comes with an experimental package management tool
 # corepack - from deps/corepack/package.json
-%global corepack_version 0.19.0
+%global corepack_version 0.20.0

 # uvwasi - from deps/uvwasi/include/uvwasi.h
 %global uvwasi_version 0.0.18
@ -183,13 +183,14 @@ Source102: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-
 # Version: jq '.version' deps/undici/src/package.json
 # Original: https://github.com/nodejs/undici/archive/refs/tags/v5.22.1.tar.gz
 # Adjustments: rm -f undici-5.21.0/lib/llhttp/llhttp*.wasm*
-Source111: undici-5.22.1.tar.gz
+Source111: undici-5.26.3.tar.gz
 # The WASM blob was made using wasi-sdk v14; compiler libraries are linked in.
 # Version source: build/Dockerfile
 Source112: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-14/wasi-sdk-wasi-sdk-14.tar.gz

 # Disable running gyp on bundled deps we don't use
 Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
+Patch3: nodejs-fips-disable-options.patch

 BuildRequires: make
 BuildRequires: python3-devel
@ -452,7 +453,7 @@ make BUILDTYPE=Release %{?_smp_mflags}

 # Extract the ICU data and convert it to the appropriate endianness
 pushd deps/
-tar xfz %SOURCE3
+tar xfz %{SOURCE3}

 pushd icu/source

@ -720,6 +721,12 @@ end


 %changelog
+* Wed Oct 18 2023 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:20.8.1-1
+- Update node and nghttp
+- Add fips patch
+- Fixes CVE-2023-44487 (nghttp)
+- Fixes CVE-2023-45143, CVE-2023-39331, CVE-2023-39332, CVE-2023-38552, CVE-2023-39333
+
 * Thu Aug 10 2023 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:20.5.1-1
 - Rebase to new security release
 - Address CVE-2023-32002, CVE-2023-32004, CVE-2023-32558 (high)