Compare commits

No commits in common. 'i8c-stream-16' and 'c9' have entirely different histories.

@ -1,6 +1,6 @@
b0a91341ecf6c68a9d59a1c57d000fbbcc771679 SOURCES/cjs-module-lexer-1.2.2.tar.gz
406b0c8635288b772913b6ff646451e69748878a SOURCES/icu4c-71_1-src.tgz
f50d6a8dfc8d24c29091a8cf39221e6b4d21b0d8 SOURCES/node-v16.20.2-stripped.tar.gz
a96c780a67c578c31e9c8d291e357b2ae98a0ce5 SOURCES/undici-5.20.0.tar.gz
0024086ed6090aaea422fb2bd329f898bf924df6 SOURCES/node-v16.20.2-stripped.tar.gz
0b3e890fd45200fb3a2fdc14408cc51e23990480 SOURCES/undici-5.20.0.tar.gz
8979d177dd62e3b167a6fd7dc7185adb0128c439 SOURCES/wasi-sdk-wasi-sdk-11.tar.gz
900a50a32f0079d53c299db92b88bb3c5d2022b8 SOURCES/wasi-sdk-wasi-sdk-14.tar.gz
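Review bot: SOURCES/node-v16.20.2-stripped.tar.gz and SOURCES/undici-5.20.0.tar.gz each appear with two different checksums under the same file name and version, so the two branches ship different archive contents for what the spec treats as one source. Please record how each tarball was produced (the stripping step and the upstream origin) so the digest can be reproduced from upstream. The 40-hex-digit values are SHA-1 length; where the lookaside tooling allows it, a stronger digest is preferable. The wasi-sdk entry also differs (wasi-sdk-11 versus wasi-sdk-14) and should match the Source entries in the spec.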

@ -1,4 +1,4 @@
From 39f761838b5fc10af995642bd44e6bb4c79085f1 Mon Sep 17 00:00:00 2001
From 6c80c1956373978489a297a630f4f50222c47775 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Tue, 30 May 2023 13:12:35 +0200
Subject: [PATCH] Disable running gyp on shared deps
@ -22,5 +22,5 @@ index ef3eda2..8b52a4f 100644
tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp
$(PYTHON) tools/gyp_node.py -f make
--
2.41.0
2.44.0

@ -0,0 +1,26 @@
From b7d979b5f7d28114050d1cdc43f39e6e83bd80d5 Mon Sep 17 00:00:00 2001
From: Honza Horak <hhorak@redhat.com>
Date: Thu, 12 Oct 2023 13:52:59 +0200
Subject: [PATCH] disable fips options
Signed-off-by: rpm-build <rpm-build>
---
src/crypto/crypto_util.cc | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
index 59ae7f8..7343396 100644
--- a/src/crypto/crypto_util.cc
+++ b/src/crypto/crypto_util.cc
@@ -111,6 +111,8 @@ bool ProcessFipsOptions() {
/* Override FIPS settings in configuration file, if needed. */
if (per_process::cli_options->enable_fips_crypto ||
per_process::cli_options->force_fips_crypto) {
+ fprintf(stderr, "ERROR: Using options related to FIPS is not recommended, configure FIPS in openssl instead. See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening for more details.\n");
+ return false;
#if OPENSSL_VERSION_MAJOR >= 3
OSSL_PROVIDER* fips_provider = OSSL_PROVIDER_load(nullptr, "fips");
if (fips_provider == nullptr)
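Review bot: in ProcessFipsOptions() the added message calls the FIPS options "not recommended", but the next added line is an unconditional return false, so enable_fips_crypto and force_fips_crypto are rejected outright rather than discouraged. Suggest wording the message as "not supported" (or "disabled in this build") so operators do not read it as a warning they can ignore. The early return also leaves the rest of this if body unreachable, including the OSSL_PROVIDER_load(nullptr, "fips") path; either drop that code in the same patch or add a comment that it is kept only to minimise the diff against upstream.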
--
2.44.0

@ -1,4 +1,4 @@
From 3cdb8a61ff25e4d299d9d47284da5134bc5f1072 Mon Sep 17 00:00:00 2001
From de21a714db98bade7a0438af0a0351a9f53f2fb8 Mon Sep 17 00:00:00 2001
From: rpm-build <rpm-build>
Date: Thu, 12 Oct 2023 14:18:12 +0200
Subject: [PATCH] deps(nghttp2): update to 1.57.0
@ -5798,5 +5798,5 @@ index 0dcd034..7b02f39 100644
}
]
--
2.41.0
2.44.0

@ -1,4 +1,7 @@
Fix CVE-2024-22019
From fb8b050abf63459eb83cad4d4bf695c56db2790a Mon Sep 17 00:00:00 2001
From: Honza Horak <hhorak@redhat.com>
Date: Mon, 15 Apr 2024 15:21:35 +0200
Subject: [PATCH] Fix CVE-2024-22019
Resolves: RHEL-28064
@ -8,17 +11,20 @@ https://github.com/nodejs/node/commit/911cb33cdadab57a75f97186290ea8f3903a6171
and necessary rebase of llhttp from 6.0.11 to 6.1.0 that has the needed
chunk features.
From 11bd886e0a4eadd7e55502758fff6486a3fa3a4e Mon Sep 17 00:00:00 2001
From: Paolo Insogna <paolo@cowtech.it>
Date: Tue, 9 Jan 2024 18:10:04 +0100
Subject: [PATCH] http: add maximum chunk extension size
Original patch:
> From 11bd886e0a4eadd7e55502758fff6486a3fa3a4e Mon Sep 17 00:00:00 2001
> From: Paolo Insogna <paolo@cowtech.it>
> Date: Tue, 9 Jan 2024 18:10:04 +0100
> Subject: [PATCH] http: add maximum chunk extension size
>
> Cherry-picked from v18 patch:
> https://github.com/nodejs/node/commit/911cb33cdadab57a75f97186290ea8f3903a6171
>
> PR-URL: https://github.com/nodejs-private/node-private/pull/520
> Refs: https://github.com/nodejs-private/node-private/pull/518
> CVE-ID: CVE-2024-22019
Cherry-picked from v18 patch:
https://github.com/nodejs/node/commit/911cb33cdadab57a75f97186290ea8f3903a6171
PR-URL: https://github.com/nodejs-private/node-private/pull/520
Refs: https://github.com/nodejs-private/node-private/pull/518
CVE-ID: CVE-2024-22019
Signed-off-by: rpm-build <rpm-build>
---
deps/llhttp/.gitignore | 1 +
deps/llhttp/CMakeLists.txt | 2 +-
@ -36,13 +42,13 @@ CVE-ID: CVE-2024-22019
diff --git a/deps/llhttp/.gitignore b/deps/llhttp/.gitignore
new file mode 100644
index 0000000000..98438a2cd3
index 0000000..98438a2
--- /dev/null
+++ b/deps/llhttp/.gitignore
@@ -0,0 +1 @@
+libllhttp.pc
diff --git a/deps/llhttp/CMakeLists.txt b/deps/llhttp/CMakeLists.txt
index d0382038b9..747564a76f 100644
index d038203..747564a 100644
--- a/deps/llhttp/CMakeLists.txt
+++ b/deps/llhttp/CMakeLists.txt
@@ -1,7 +1,7 @@
@ -55,7 +61,7 @@ index d0382038b9..747564a76f 100644
set(CMAKE_C_STANDARD 99)
diff --git a/deps/llhttp/include/llhttp.h b/deps/llhttp/include/llhttp.h
index 2da66f15e6..78f27abc03 100644
index 2da66f1..78f27ab 100644
--- a/deps/llhttp/include/llhttp.h
+++ b/deps/llhttp/include/llhttp.h
@@ -2,8 +2,8 @@
@ -80,7 +86,7 @@ index 2da66f15e6..78f27abc03 100644
llhttp_data_cb on_body;
diff --git a/deps/llhttp/src/api.c b/deps/llhttp/src/api.c
index c4ce197c58..d3065b3664 100644
index c4ce197..d3065b3 100644
--- a/deps/llhttp/src/api.c
+++ b/deps/llhttp/src/api.c
@@ -355,6 +355,13 @@ int llhttp__on_chunk_header(llhttp_t* s, const char* p, const char* endp) {
@ -98,7 +104,7 @@ index c4ce197c58..d3065b3664 100644
int err;
CALLBACK_MAYBE(s, on_chunk_complete);
diff --git a/deps/llhttp/src/llhttp.c b/deps/llhttp/src/llhttp.c
index 5e7c5d1093..e6db6e3188 100644
index 5e7c5d1..46f86a0 100644
--- a/deps/llhttp/src/llhttp.c
+++ b/deps/llhttp/src/llhttp.c
@@ -340,6 +340,8 @@ enum llparse_state_e {
@ -312,7 +318,7 @@ index 5e7c5d1093..e6db6e3188 100644
state->error = 0x2;
state->reason = "Invalid character in chunk parameters";
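Review bot: for deps/llhttp/src/llhttp.c the post-image blob id changes from e6db6e3188 to 46f86a0 between the two versions of this patch, while every other file's index line only has its ids shortened. The regenerated patch therefore produces different content for this generated parser file than the earlier one did. Please state what changed in llhttp.c and confirm that the "Invalid character in chunk parameters" error path shown in this hunk is unaffected.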
diff --git a/doc/api/errors.md b/doc/api/errors.md
index dcf8744d8b..a76bfe528d 100644
index dcf8744..a76bfe5 100644
--- a/doc/api/errors.md
+++ b/doc/api/errors.md
@@ -3043,6 +3043,18 @@ malconfigured clients, if more than 8 KiB of HTTP header data is received then
@ -335,7 +341,7 @@ index dcf8744d8b..a76bfe528d 100644
### `HPE_UNEXPECTED_CONTENT_LENGTH`
diff --git a/lib/_http_server.js b/lib/_http_server.js
index 4e23266f63..325bce6f54 100644
index 4e23266..325bce6 100644
--- a/lib/_http_server.js
+++ b/lib/_http_server.js
@@ -706,6 +706,12 @@ const requestHeaderFieldsTooLargeResponse = Buffer.from(
@ -362,7 +368,7 @@ index 4e23266f63..325bce6f54 100644
response = requestTimeoutResponse;
break;
diff --git a/src/node_http_parser.cc b/src/node_http_parser.cc
index 74f32480b9..b92e8486ae 100644
index 74f3248..b92e848 100644
--- a/src/node_http_parser.cc
+++ b/src/node_http_parser.cc
@@ -79,6 +79,8 @@ const uint32_t kOnExecute = 5;
@ -424,7 +430,7 @@ index 74f32480b9..b92e8486ae 100644
Proxy<Call, &Parser::on_chunk_header>::Raw,
diff --git a/test/parallel/test-http-chunk-extensions-limit.js b/test/parallel/test-http-chunk-extensions-limit.js
new file mode 100644
index 0000000000..6868b3da6c
index 0000000..6868b3d
--- /dev/null
+++ b/test/parallel/test-http-chunk-extensions-limit.js
@@ -0,0 +1,131 @@
@ -560,7 +566,7 @@ index 0000000000..6868b3da6c
+ });
+}
diff --git a/tools/update-llhttp.sh b/tools/update-llhttp.sh
index 12e2f465d7..a95eef1237 100755
index 12e2f46..a95eef1 100755
--- a/tools/update-llhttp.sh
+++ b/tools/update-llhttp.sh
@@ -59,5 +59,5 @@ echo ""
@ -571,5 +577,5 @@ index 12e2f465d7..a95eef1237 100755
+echo "$ git commit -m \"deps: update llhttp to $LLHTTP_VERSION\""
echo ""
--
2.41.0
2.44.0

@ -0,0 +1,42 @@
From 2df9af7073929ab94b6dda040df08bc3ff7d8ab1 Mon Sep 17 00:00:00 2001
From: RafaelGSS <rafael.nunu@hotmail.com>
Date: Tue, 26 Mar 2024 15:55:13 -0300
Subject: [PATCH] src: ensure to close stream when destroying session
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Co-Authored-By: Anna Henningsen <anna@addaleax.net>
PR-URL: https://github.com/nodejs-private/node-private/pull/561
Fixes: https://hackerone.com/reports/2319584
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
CVE-ID: CVE-2024-27983
Signed-off-by: Jan Staněk <jstanek@redhat.com>
Signed-off-by: rpm-build <rpm-build>
---
src/node_http2.cc | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/node_http2.cc b/src/node_http2.cc
index 53216dc..9a6d63d 100644
--- a/src/node_http2.cc
+++ b/src/node_http2.cc
@@ -529,6 +529,12 @@ Http2Session::Http2Session(Http2State* http2_state,
Http2Session::~Http2Session() {
CHECK(!is_in_scope());
Debug(this, "freeing nghttp2 session");
+ // Ensure that all `Http2Stream` instances and the memory they hold
+ // on to are destroyed before the nghttp2 session is.
+ for (const auto& [id, stream] : streams_) {
+ stream->Detach();
+ }
+ streams_.clear();
// Explicitly reset session_ so the subsequent
// current_nghttp2_memory_ check passes.
session_.reset();
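Review bot: the new loop in ~Http2Session() iterates streams_ by reference while calling stream->Detach(), which is only safe if Detach() can never erase the stream's entry from streams_ or otherwise re-enter the session. Please confirm that, or move the map into a local variable before iterating so the destructor does not depend on it. The diffstat lists only src/node_http2.cc, so this backport of the CVE-2024-27983 fix carries no regression test; if upstream has one, it should come along.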
--
2.44.0

@ -0,0 +1,112 @@
From 132ad9e8a8f8e246e59744a7fed995ed396f6cb4 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
Date: Sat, 9 Mar 2024 16:26:42 +0900
Subject: [PATCH] Limit CONTINUATION frames following an incoming HEADER frame
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Jan Staněk <jstanek@redhat.com>
Fixes: CVE-2024-28182
Signed-off-by: rpm-build <rpm-build>
---
deps/nghttp2/lib/includes/nghttp2/nghttp2.h | 7 ++++++-
deps/nghttp2/lib/nghttp2_helper.c | 2 ++
deps/nghttp2/lib/nghttp2_session.c | 7 +++++++
deps/nghttp2/lib/nghttp2_session.h | 10 ++++++++++
4 files changed, 25 insertions(+), 1 deletion(-)
diff --git a/deps/nghttp2/lib/includes/nghttp2/nghttp2.h b/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
index fa22081..b394bde 100644
--- a/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
+++ b/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
@@ -440,7 +440,12 @@ typedef enum {
* exhaustion on server side to send these frames forever and does
* not read network.
*/
- NGHTTP2_ERR_FLOODED = -904
+ NGHTTP2_ERR_FLOODED = -904,
+ /**
+ * When a local endpoint receives too many CONTINUATION frames
+ * following a HEADER frame.
+ */
+ NGHTTP2_ERR_TOO_MANY_CONTINUATIONS = -905,
} nghttp2_error;
/**
diff --git a/deps/nghttp2/lib/nghttp2_helper.c b/deps/nghttp2/lib/nghttp2_helper.c
index 93dd475..b3563d9 100644
--- a/deps/nghttp2/lib/nghttp2_helper.c
+++ b/deps/nghttp2/lib/nghttp2_helper.c
@@ -336,6 +336,8 @@ const char *nghttp2_strerror(int error_code) {
"closed";
case NGHTTP2_ERR_TOO_MANY_SETTINGS:
return "SETTINGS frame contained more than the maximum allowed entries";
+ case NGHTTP2_ERR_TOO_MANY_CONTINUATIONS:
+ return "Too many CONTINUATION frames following a HEADER frame";
default:
return "Unknown error code";
}
diff --git a/deps/nghttp2/lib/nghttp2_session.c b/deps/nghttp2/lib/nghttp2_session.c
index ec5024d..8e4d2e7 100644
--- a/deps/nghttp2/lib/nghttp2_session.c
+++ b/deps/nghttp2/lib/nghttp2_session.c
@@ -496,6 +496,7 @@ static int session_new(nghttp2_session **session_ptr,
(*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN;
(*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM;
(*session_ptr)->max_settings = NGHTTP2_DEFAULT_MAX_SETTINGS;
+ (*session_ptr)->max_continuations = NGHTTP2_DEFAULT_MAX_CONTINUATIONS;
if (option) {
if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) &&
@@ -6778,6 +6779,8 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
}
}
session_inbound_frame_reset(session);
+
+ session->num_continuations = 0;
}
break;
}
@@ -6899,6 +6902,10 @@ ssize_t nghttp2_session_mem_recv(nghttp2_session *session, const uint8_t *in,
}
#endif /* DEBUGBUILD */
+ if (++session->num_continuations > session->max_continuations) {
+ return NGHTTP2_ERR_TOO_MANY_CONTINUATIONS;
+ }
+
readlen = inbound_frame_buf_read(iframe, in, last);
in += readlen;
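Review bot: the added check returns NGHTTP2_ERR_TOO_MANY_CONTINUATIONS straight out of nghttp2_session_mem_recv(), and the diffstat for this patch touches only deps/nghttp2, so nothing on the Node side is adjusted for the new code. Please confirm that the caller treats any negative return from nghttp2_session_mem_recv() as a fatal session error and tears the connection down, rather than switching on known error values. Because of the pre-increment, exactly max_continuations frames are accepted and the next one fails; a short comment saying so would prevent off-by-one doubts later.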
diff --git a/deps/nghttp2/lib/nghttp2_session.h b/deps/nghttp2/lib/nghttp2_session.h
index b119329..ef8f7b2 100644
--- a/deps/nghttp2/lib/nghttp2_session.h
+++ b/deps/nghttp2/lib/nghttp2_session.h
@@ -110,6 +110,10 @@ typedef struct {
#define NGHTTP2_DEFAULT_STREAM_RESET_BURST 1000
#define NGHTTP2_DEFAULT_STREAM_RESET_RATE 33
+/* The default max number of CONTINUATION frames following an incoming
+ HEADER frame. */
+#define NGHTTP2_DEFAULT_MAX_CONTINUATIONS 8
+
/* Internal state when receiving incoming frame */
typedef enum {
/* Receiving frame header */
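Review bot: NGHTTP2_DEFAULT_MAX_CONTINUATIONS is fixed at 8 here and this patch offers no way to change it (the setter only arrives in the following patch), so any peer that legitimately splits a header block across more than 8 CONTINUATION frames now gets its session failed. That is the intended mitigation for CVE-2024-28182, but it is a behaviour change and deserves a line in the package changelog so operators can connect new HTTP/2 session errors to this update.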
@@ -290,6 +294,12 @@ struct nghttp2_session {
size_t max_send_header_block_length;
/* The maximum number of settings accepted per SETTINGS frame. */
size_t max_settings;
+ /* The maximum number of CONTINUATION frames following an incoming
+ HEADER frame. */
+ size_t max_continuations;
+ /* The number of CONTINUATION frames following an incoming HEADER
+ frame. This variable is reset when END_HEADERS flag is seen. */
+ size_t num_continuations;
/* Next Stream ID. Made unsigned int to detect >= (1 << 31). */
uint32_t next_stream_id;
/* The last stream ID this session initiated. For client session,
--
2.44.0

@ -0,0 +1,94 @@
From 625b03149d2ec68cdbcfe3f2801d6f0420d917cb Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa <tatsuhiro.t@gmail.com>
Date: Sat, 9 Mar 2024 16:48:10 +0900
Subject: [PATCH] Add nghttp2_option_set_max_continuations
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Jan Staněk <jstanek@redhat.com>
Related: CVE-2024-28182
Signed-off-by: rpm-build <rpm-build>
---
deps/nghttp2/lib/includes/nghttp2/nghttp2.h | 11 +++++++++++
deps/nghttp2/lib/nghttp2_option.c | 5 +++++
deps/nghttp2/lib/nghttp2_option.h | 5 +++++
deps/nghttp2/lib/nghttp2_session.c | 4 ++++
4 files changed, 25 insertions(+)
diff --git a/deps/nghttp2/lib/includes/nghttp2/nghttp2.h b/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
index b394bde..4d3339b 100644
--- a/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
+++ b/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
@@ -2778,6 +2778,17 @@ NGHTTP2_EXTERN void
nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option,
uint64_t burst, uint64_t rate);
+/**
+ * @function
+ *
+ * This function sets the maximum number of CONTINUATION frames
+ * following an incoming HEADER frame. If more than those frames are
+ * received, the remote endpoint is considered to be misbehaving and
+ * session will be closed. The default value is 8.
+ */
+NGHTTP2_EXTERN void nghttp2_option_set_max_continuations(nghttp2_option *option,
+ size_t val);
+
/**
* @function
*
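Review bot: the doc comment for nghttp2_option_set_max_continuations() does not say what val = 0 means. With the check from the previous patch, ++session->num_continuations > session->max_continuations, a value of 0 rejects the very first CONTINUATION frame instead of meaning "unlimited", which is the opposite of what many callers expect from a zero limit; please document that. Minor wording: the frame type is HEADERS, not "HEADER".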
diff --git a/deps/nghttp2/lib/nghttp2_option.c b/deps/nghttp2/lib/nghttp2_option.c
index 43d4e95..53144b9 100644
--- a/deps/nghttp2/lib/nghttp2_option.c
+++ b/deps/nghttp2/lib/nghttp2_option.c
@@ -150,3 +150,8 @@ void nghttp2_option_set_stream_reset_rate_limit(nghttp2_option *option,
option->stream_reset_burst = burst;
option->stream_reset_rate = rate;
}
+
+void nghttp2_option_set_max_continuations(nghttp2_option *option, size_t val) {
+ option->opt_set_mask |= NGHTTP2_OPT_MAX_CONTINUATIONS;
+ option->max_continuations = val;
+}
diff --git a/deps/nghttp2/lib/nghttp2_option.h b/deps/nghttp2/lib/nghttp2_option.h
index 2259e18..c89cb97 100644
--- a/deps/nghttp2/lib/nghttp2_option.h
+++ b/deps/nghttp2/lib/nghttp2_option.h
@@ -71,6 +71,7 @@ typedef enum {
NGHTTP2_OPT_SERVER_FALLBACK_RFC7540_PRIORITIES = 1 << 13,
NGHTTP2_OPT_NO_RFC9113_LEADING_AND_TRAILING_WS_VALIDATION = 1 << 14,
NGHTTP2_OPT_STREAM_RESET_RATE_LIMIT = 1 << 15,
+ NGHTTP2_OPT_MAX_CONTINUATIONS = 1 << 16,
} nghttp2_option_flag;
/**
@@ -98,6 +99,10 @@ struct nghttp2_option {
* NGHTTP2_OPT_MAX_SETTINGS
*/
size_t max_settings;
+ /**
+ * NGHTTP2_OPT_MAX_CONTINUATIONS
+ */
+ size_t max_continuations;
/**
* Bitwise OR of nghttp2_option_flag to determine that which fields
* are specified.
diff --git a/deps/nghttp2/lib/nghttp2_session.c b/deps/nghttp2/lib/nghttp2_session.c
index 8e4d2e7..ced7517 100644
--- a/deps/nghttp2/lib/nghttp2_session.c
+++ b/deps/nghttp2/lib/nghttp2_session.c
@@ -585,6 +585,10 @@ static int session_new(nghttp2_session **session_ptr,
option->stream_reset_burst,
option->stream_reset_rate);
}
+
+ if (option->opt_set_mask & NGHTTP2_OPT_MAX_CONTINUATIONS) {
+ (*session_ptr)->max_continuations = option->max_continuations;
+ }
}
rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater,
--
2.44.0

File diff suppressed because one or more lines are too long

@ -0,0 +1,39 @@
From ec80a9196e2aedfd617d05964725f113000a41ea Mon Sep 17 00:00:00 2001
From: Brad House <brad@brad-house.com>
Date: Thu, 22 Feb 2024 16:23:33 -0500
Subject: [PATCH] Address CVE-2024-25629
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Original commit title: Merge pull request from GHSA-mg26-v6qh-x48q
Signed-off-by: Jan Staněk <jstanek@redhat.com>
Fixes: CVE-2024-25629
Signed-off-by: rpm-build <rpm-build>
---
deps/cares/src/lib/ares__read_line.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/deps/cares/src/lib/ares__read_line.c b/deps/cares/src/lib/ares__read_line.c
index c62ad2a..16627e4 100644
--- a/deps/cares/src/lib/ares__read_line.c
+++ b/deps/cares/src/lib/ares__read_line.c
@@ -49,6 +49,14 @@ int ares__read_line(FILE *fp, char **buf, size_t *bufsize)
if (!fgets(*buf + offset, bytestoread, fp))
return (offset != 0) ? 0 : (ferror(fp)) ? ARES_EFILE : ARES_EOF;
len = offset + strlen(*buf + offset);
+
+ /* Probably means there was an embedded NULL as the first character in
+ * the line, throw away line */
+ if (len == 0) {
+ offset = 0;
+ continue;
+ }
+
if ((*buf)[len - 1] == '\n')
{
(*buf)[len - 1] = 0;
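Review bot: the new len == 0 guard in ares__read_line() stops the (*buf)[len - 1] access from indexing before the buffer, but it only covers a NUL as the first byte returned by fgets(). A NUL later in the data still makes strlen() stop early, so the text after it is silently dropped and the '\n' test is applied to the wrong byte; and when the discarded line was longer than bytestoread, its remainder is read on the next iteration as if it were a fresh line. Both are acceptable for a memory-safety fix, but the comment should say "NUL byte" rather than "NULL" and note these limits. The diffstat shows one file only, so no test accompanies the fix for CVE-2024-25629.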
--
2.44.0

@ -1,11 +1,3 @@
%bcond_with debug
# PowerPC, s390x and aarch64 segfault during Debug builds
# https://github.com/nodejs/node/issues/20642
%ifarch %{power64} s390x aarch64
%bcond_with debug
%endif
# The following macros control the usage of dependencies bundled from upstream.
#
# When to use what:
@ -19,11 +11,7 @@
%bcond_with bootstrap
# bundle dependencies that are not available in CentOS
# currently hardcoded to bundle; see Fedora spec on how to make this dependent on bootstrap
%if %{with bootstrap}
%bcond_without bundled
%else
%bcond_with bundled
%endif
%if 0%{?rhel} && 0%{?rhel} < 9
%bcond_without python3_fixup
@ -31,11 +19,18 @@
%bcond_with python3_fixup
%endif
# LTO is currently broken on Node.js builds
%define _lto_cflags %{nil}
# Heavy-handed approach to avoiding issues with python
# bytecompiling files in the node_modules/ directory
%global __python %{__python3}
# == Master Relase ==
# This is used by both the nodejs package and the npm subpackage that
# has a separate version - the name is special so that rpmdev-bumpspec
# will bump this rather than adding .1 to the end.
%global baserelease 4
%global baserelease 8
%{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
@ -77,16 +72,10 @@
%global llhttp_version 6.0.11
# libuv - from deps/uv/include/uv/version.h
%global libuv_major 1
%global libuv_minor 43
%global libuv_patch 0
%global libuv_version %{libuv_major}.%{libuv_minor}.%{libuv_patch}
%global libuv_version 1.43.0
# nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h
%global nghttp2_major 1
%global nghttp2_minor 57
%global nghttp2_patch 0
%global nghttp2_version %{nghttp2_major}.%{nghttp2_minor}.%{nghttp2_patch}
%global nghttp2_version 1.57.0
# nghttp3 - from deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h
%global nghttp3_major 0
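Review bot: llhttp_version is still 6.0.11 in the context of this hunk, while the description of 0004-Fix-CVE-2024-22019.patch says it rebases llhttp from 6.0.11 to 6.1.0. If this macro feeds a bundled(llhttp) Provides, the package now under-reports the parser version it ships, which misleads anyone matching bundled components against advisories; suggest bumping it to 6.1.0 in the same change as the patch.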
@ -125,10 +114,7 @@
# punycode - from lib/punycode.js
# Note: this was merged into the mainline since 0.6.x
# Note: this will be unmerged in an upcoming major release
%global punycode_major 2
%global punycode_minor 1
%global punycode_patch 0
%global punycode_version %{punycode_major}.%{punycode_minor}.%{punycode_patch}
%global punycode_version 2.1.0
# npm - from deps/npm/package.json
%global npm_epoch 1
@ -141,17 +127,10 @@
%global npm_release %{nodejs_epoch}.%{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}.%{nodejs_release}
# uvwasi - from deps/uvwasi/include/uvwasi.h
%global uvwasi_major 0
%global uvwasi_minor 0
%global uvwasi_patch 13
%global uvwasi_version %{uvwasi_major}.%{uvwasi_minor}.%{uvwasi_patch}
%global uvwasi_version 0.0.13
# histogram_c - assumed from timestamps
%global histogram_major 0
%global histogram_minor 11
%global histogram_patch 2
%global histogram_version %{histogram_major}.%{histogram_minor}.%{histogram_patch}
%global histogram_version 0.11.2
Name: nodejs
Epoch: %{nodejs_epoch}
@ -203,8 +182,21 @@ Source112: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-14/wasi-sdk-
# Disable running gyp on bundled deps we don't use
Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
Patch2: 0002-disable-fips-options.patch
Patch3: 0003-deps-nghttp2-update-to-1.57.0.patch
Patch4: nodejs-CVE-2024-22019.patch
Patch4: 0004-Fix-CVE-2024-22019.patch
# CVE-2025-27983
Patch5: 0005-src-ensure-to-close-stream-when-destroying-session.patch
# CVE-2024-28182
Patch6: 0006-Limit-CONTINUATION-frames-following-an-incoming-HEAD.patch
# CVE-2024-28182
Patch7: 0007-Add-nghttp2_option_set_max_continuations.patch
# CVE-2024-22025
Patch8: 0008-zlib-pause-stream-if-outgoing-buffer-is-full.patch
# CVE-2024-25629
Patch9: 0009-Address-CVE-2024-25629.patch
# CVE-2024-27982
Patch10: 0010-http-do-not-allow-OBS-fold-in-headers-by-default.patch
BuildRequires: make
BuildRequires: python3-devel
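Review bot: the comment above Patch5 reads CVE-2025-27983, but the patch's own header (CVE-ID: CVE-2024-27983) and the 1:16.20.2-5 changelog entry both say CVE-2024-27983; please correct the year so a search for the CVE id finds the patch. Separately, the 1:16.20.2-8 entry ("Actually apply the patch for CVE-2024-27982") shows a patch was once declared without being applied, so it is worth confirming in %prep that every PatchN listed in this hunk is really applied, for example by using %autosetup or by failing the build on an unapplied patch.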
@ -252,6 +244,8 @@ Requires: openssl >= %{openssl_minimum}
# we need the system certificate store
Requires: ca-certificates
Requires: nodejs-libs%{?_isa} = %{nodejs_epoch}:%{version}-%{release}
# Pull in the full-icu data by default
Recommends: nodejs-full-i18n%{?_isa} = %{nodejs_epoch}:%{version}-%{release}
@ -304,6 +298,11 @@ Provides: bundled(icu) = %{icu_version}
Provides: bundled(uvwasi) = %{uvwasi_version}
Provides: bundled(histogram) = %{histogram_version}
%if 0%{?fedora}
# Make sure to pull in the appropriate packaging macros when building RPMs
Requires: (nodejs-packaging if rpm-build)
%endif
# Make sure we keep NPM up to date when we update Node.js
Recommends: npm >= %{npm_epoch}:%{npm_version}-%{npm_release}%{?dist}
@ -332,6 +331,29 @@ Requires: libuv-devel%{?_isa}
Development headers for the Node.js JavaScript runtime.
%package libs
Summary: Node.js and v8 libraries
# Compatibility for obsolete v8 package
%if 0%{?__isa_bits} == 64
Provides: libv8.so.%{v8_major}()(64bit)
Provides: libv8_libbase.so.%{v8_major}()(64bit)
Provides: libv8_libplatform.so.%{v8_major}()(64bit)
%else
# 32-bits
Provides: libv8.so.%{v8_major}
Provides: libv8_libbase.so.%{v8_major}
Provides: libv8_libplatform.so.%{v8_major}
%endif
Provides: v8 = %{v8_epoch}:%{v8_version}-%{nodejs_release}%{?dist}
Provides: v8%{?_isa} = %{v8_epoch}:%{v8_version}-%{nodejs_release}%{?dist}
Obsoletes: v8 < 1:6.7.17-10
%description libs
Libraries to support Node.js and provide stable v8 interfaces.
%package full-i18n
Summary: Non-English locale data for Node.js
Requires: %{name}%{?_isa} = %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist}
@ -341,6 +363,17 @@ Optional data files to provide full-icu support for Node.js. Remove this
package to save space if non-English locales are not needed.
%package -n v8-devel
Summary: v8 - development headers
Epoch: %{v8_epoch}
Version: %{v8_version}
Release: %{v8_release}%{?dist}
Requires: %{name}-devel%{?_isa} = %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist}
%description -n v8-devel
Development headers for the v8 runtime.
%package -n npm
Summary: Node.js Package Manager
Epoch: %{npm_epoch}
@ -353,9 +386,7 @@ Release: %{npm_release}%{?dist}
Obsoletes: npm < 0:3.5.4-6
Provides: npm = %{npm_epoch}:%{npm_version}
Requires: nodejs = %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist}
%if 0%{?fedora} || 0%{?rhel} >= 8
Recommends: nodejs-docs = %{nodejs_epoch}:%{nodejs_version}-%{nodejs_release}%{?dist}
%endif
# Do not add epoch to the virtual NPM provides or it will break
# the automatic dependency-generation script.
@ -417,6 +448,11 @@ find . -type f -exec sed -i "s~python -c~python3 -c~" {} \;
%endif
%build
# When compiled on armv7hl this package generates an out of range
# reference to the literal pool. This is most likely a GCC issue.
%ifarch armv7hl
%define _lto_cflags %{nil}
%endif
%ifarch s390 s390x %{arm} %ix86
# Decrease debuginfo verbosity to reduce memory consumption during final
@ -424,14 +460,13 @@ find . -type f -exec sed -i "s~python -c~python3 -c~" {} \;
%global optflags %(echo %{optflags} | sed 's/-g /-g1 /')
%endif
export CC='gcc'
export CXX='g++'
export CC='%{__cc}'
export CXX='%{__cxx}'
%{?with_python3_fixup:export NODE_GYP_FORCE_PYTHON=%{__python3}}
# build with debugging symbols and add defines from libuv (#892601)
# Node's v8 breaks with GCC 6 because of incorrect usage of methods on
# NULL objects. We need to pass -fno-delete-null-pointer-checks
extra_cflags=(
-D_LARGEFILE_SOURCE
-D_FILE_OFFSET_BITS=64
@ -442,6 +477,8 @@ export CFLAGS="%{optflags} ${extra_cflags[*]}" CXXFLAGS="%{optflags} ${extra_cfl
export LDFLAGS="%{build_ldflags}"
%{__python3} configure.py --prefix=%{_prefix} \
--shared \
--libdir=%{_lib} \
--shared-openssl \
--shared-zlib \
--shared-brotli \
@ -451,15 +488,11 @@ export LDFLAGS="%{build_ldflags}"
--with-intl=small-icu \
--with-icu-default-data-dir=%{icudatadir} \
--without-corepack \
--openssl-conf-name=openssl_conf \
--openssl-use-def-ca-store \
--openssl-default-cipher-list=PROFILE=SYSTEM
%if %{with debug}
# Setting BUILDTYPE=Debug builds both release and debug binaries
make BUILDTYPE=Debug %{?_smp_mflags}
%else
make BUILDTYPE=Release %{?_smp_mflags}
%endif
# Extract the ICU data and convert it to the appropriate endianness
pushd deps/
@ -500,10 +533,19 @@ rm -rf %{buildroot}
chmod 0755 %{buildroot}/%{_bindir}/node
chrpath --delete %{buildroot}%{_bindir}/node
%if %{with debug}
# Install the debug binary and set its permissions
install -Dpm0755 out/Debug/node %{buildroot}/%{_bindir}/node_g
%endif
# Install library symlink
ln -s libnode.so.%{nodejs_soversion} %{buildroot}%{_libdir}/libnode.so
# Install v8 compatibility symlinks
for header in %{buildroot}%{_includedir}/node/libplatform %{buildroot}%{_includedir}/node/v8*.h; do
header=$(basename ${header})
ln -s ./node/${header} %{buildroot}%{_includedir}/${header}
done
ln -s ./node/cppgc %{buildroot}%{_includedir}/cppgc
for soname in libv8 libv8_libbase libv8_libplatform; do
ln -s libnode.so.%{nodejs_soversion} %{buildroot}%{_libdir}/${soname}.so
ln -s libnode.so.%{nodejs_soversion} %{buildroot}%{_libdir}/${soname}.so.%{v8_major}
done
# own the sitelib directory
mkdir -p %{buildroot}%{_prefix}/lib/node_modules
@ -576,67 +618,21 @@ install -Dpm0644 -t %{buildroot}%{icudatadir} deps/icu/source/converted/*
%check
# Fail the build if the versions don't match
%{buildroot}/%{_bindir}/node -e "require('assert').equal(process.versions.node, '%{nodejs_version}')"
%{buildroot}/%{_bindir}/node -e "require('assert').equal(process.versions.v8.replace(/-node\.\d+$/, ''), '%{v8_version}')"
%{buildroot}/%{_bindir}/node -e "require('assert').equal(process.versions.ares.replace(/-DEV$/, ''), '%{c_ares_version}')"
LD_LIBRARY_PATH=%{buildroot}%{_libdir} %{buildroot}/%{_bindir}/node -e "require('assert').equal(process.versions.node, '%{nodejs_version}')"
LD_LIBRARY_PATH=%{buildroot}%{_libdir} %{buildroot}/%{_bindir}/node -e "require('assert').equal(process.versions.v8.replace(/-node\.\d+$/, ''), '%{v8_version}')"
LD_LIBRARY_PATH=%{buildroot}%{_libdir} %{buildroot}/%{_bindir}/node -e "require('assert').equal(process.versions.ares.replace(/-DEV$/, ''), '%{c_ares_version}')"
# Ensure we have punycode and that the version matches
%{buildroot}/%{_bindir}/node -e "require(\"assert\").equal(require(\"punycode\").version, '%{punycode_version}')"
LD_LIBRARY_PATH=%{buildroot}%{_libdir} %{buildroot}/%{_bindir}/node -e "require(\"assert\").equal(require(\"punycode\").version, '%{punycode_version}')"
# Ensure we have npm and that the version matches
NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/node_modules/npm/node_modules %{buildroot}/%{_bindir}/node -e "require(\"assert\").equal(JSON.parse(require(\"fs\").readFileSync(\"%{buildroot}%{_prefix}/lib/node_modules/npm/package.json\")).version, '%{npm_version}')"
LD_LIBRARY_PATH=%{buildroot}%{_libdir} %{buildroot}%{_bindir}/node %{buildroot}%{_bindir}/npm version --json |jq -e '.npm == "%{npm_version}"'
# Make sure i18n support is working
NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/node_modules/npm/node_modules LD_LIBRARY_PATH=%{buildroot}%{_libdir} %{buildroot}/%{_bindir}/node --icu-data-dir=%{buildroot}%{icudatadir} %{SOURCE2}
%pretrans -n npm -p <lua>
-- Remove all of the symlinks from the bundled npm node_modules directory
-- This scriptlet can be removed in Fedora 31
base_path = "%{_prefix}/lib/node_modules/npm/node_modules/"
d_st = posix.stat(base_path)
if d_st then
for f in posix.files(base_path) do
path = base_path..f
st = posix.stat(path)
if st and st.type == "link" then
os.remove(path)
end
end
end
-- Replace the npm docs directory with a symlink
-- Drop this scriptlet when F31 is EOL
path = "%{_prefix}/lib/node_modules/npm/doc"
st = posix.stat(path)
if st and st.type == "directory" then
status = os.rename(path, path .. ".rpmmoved")
if not status then
suffix = 0
while not status do
suffix = suffix + 1
status = os.rename(path .. ".rpmmoved", path .. ".rpmmoved." .. suffix)
end
os.rename(path, path .. ".rpmmoved")
end
end
-- Replace the npm docs directory with a symlink
-- Drop this scriptlet when F31 is EOL
path = "%{_prefix}/lib/node_modules/npm/html"
st = posix.stat(path)
if st and st.type == "directory" then
status = os.rename(path, path .. ".rpmmoved")
if not status then
suffix = 0
while not status do
suffix = suffix + 1
status = os.rename(path .. ".rpmmoved", path .. ".rpmmoved." .. suffix)
end
os.rename(path, path .. ".rpmmoved")
end
end
-- Replace the npm man directory with a symlink
-- Drop this scriptlet when F31 is EOL
path = "%{_prefix}/lib/node_modules/npm/man"
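Review bot: the npm version check in %check that pipes "npm version --json" into jq -e depends on jq being installed in the build root, and no BuildRequires for jq is visible in this diff. Please confirm it is declared; otherwise the check fails for a reason unrelated to the version it is meant to verify. The checks that set LD_LIBRARY_PATH=%{buildroot}%{_libdir} and the ones that do not should also not coexist: with a shared libnode build, the variants without it would load a system libnode, or none at all.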
@ -675,8 +671,8 @@ end
%files devel
%{?with_debug:%{_bindir}/node_g}
%{_includedir}/node
%{_libdir}/libnode.so
%{_datadir}/node/common.gypi
%{_pkgdocdir}/gdbinit
@ -686,6 +682,24 @@ end
%{icudatadir}/icudt%{icu_major}*.dat
%files libs
%license LICENSE
%{_libdir}/libnode.so.%{nodejs_soversion}
%{_libdir}/libv8.so.%{v8_major}
%{_libdir}/libv8_libbase.so.%{v8_major}
%{_libdir}/libv8_libplatform.so.%{v8_major}
%dir %{nodejs_datadir}/
%files -n v8-devel
%{_includedir}/libplatform
%{_includedir}/v8*.h
%{_includedir}/cppgc
%{_libdir}/libv8.so
%{_libdir}/libv8_libbase.so
%{_libdir}/libv8_libplatform.so
%files -n npm
%{_bindir}/npm
%{_bindir}/npx
@ -723,199 +737,424 @@ end
%changelog
* Tue May 07 2024 Jan Staněk <jstanek@redhat.com> - 1:16.20.2-8
- Actually apply the patch for CVE-2024-27982
* Wed Apr 24 2024 Jan Staněk <jstanek@redhat.com> - 1:16.20.2-7
- Backport patch for CVE-2024-27982
* Tue Apr 09 2024 Jan Staněk <jstanek@redhat.com> - 1:16.20.2-6
- Use system OpenSSL configuration section
* Mon Apr 08 2024 Jan Staněk <jstanek@redhat.com> - 1:16.20.2-5
- Backport patches for several CVEs.
Fixes CVE-2024-22025 CVE-2024-25629 CVE-2024-27983 CVE-2024-28182
* Tue Mar 05 2024 Honza Horak <hhorak@redhat.com> - 1:16.20.2-4
- Fix CVE-2024-22019
* Sun Dec 10 2023 MSVSphere Packaging Team <packager@msvsphere-os.ru> - 1:16.20.2-3
- Rebuilt for MSVSphere 8.8
* Fri Oct 13 2023 Jan Staněk <jstanek@redhat.com> - 1:16.20.2-3
- Update version of bundled nghttp2 in spec file
* Thu Oct 12 2023 Jan Staněk <jstanek@redhat.com> - 1:16.20.2-3
* Thu Oct 12 2023 Jan Staněk <jstanek@redhat.com> - 1:16.20.2-2
- Update bundled nghttp2 to 1.57.0 (CVE-2023-44487)
* Wed Sep 06 2023 Masahiro Matsuya <mmatsuya@redhat.com> - 1:16.20.2-2
- Bump Release. Need to rebuild with the updated nodejs-packaging
Resolves: rhbz#2237393
* Fri Aug 18 2023 Dominik Rehák <drehak@redhat.com> - 1:16.20.2-1
* Wed Aug 30 2023 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.20.2-1
- Rebase to 16.20.2
Resolves: rhbz#2231866
Resolves: CVE-2023-32002 CVE-2023-32006 CVE-2023-32559
* Mon Jul 31 2023 Honza Horak <hhorak@redhat.com> - 1:16.20.1-2
- Fix segfault that happens when processing fips-related options
Resolves: BZ#2227796
* Thu Jul 13 2023 Jan Staněk <jstanek@redhat.com> - 1:16.20.1-1
- Rebase to 16.20.1
Resolves: rhbz#2188289
Resolves: rhbz#2188291
Resolves: CVE-2023-30581 CVE-2023-30588 CVE-2023-30589 CVE-2023-30590
- Replace /usr/etc/npmrc symlink with builtin configuration
Resolves: rhbz#2222288
Resolves: rhbz#2177781
* Wed May 31 2023 Jan Staněk <jstanek@redhat.com> - 1:16.19.1-2
- Update bundled c-ares to 1.19.1
Resolves: CVE-2023-31124 CVE-2023-31130 CVE-2023-31147 CVE-2023-32067
* Mon Feb 27 2023 Jan Staněk <jstanek@redhat.com> - 1:16.19.1-1
* Mon Mar 27 2023 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.19.1-1
- Rebase to 16.19.1
Resolves: rhbz#2153713
Resolves: CVE-2023-23918 CVE-2023-23919 CVE-2023-23936 CVE-2023-24807 CVE-2023-23920
Resolves: CVE-2022-25881 CVE-2022-4904
- Resolves: rhbz#2153714
- Resolves: CVE-2023-23918 CVE-2023-23919 CVE-2023-23936 CVE-2023-24807 CVE-2023-23920
- Resolves: CVE-2022-25881 CVE-2022-4904
* Wed Dec 07 2022 Jan Staněk <jstanek@redhat.com> - 1:16.18.1-3
- Update sources of undici WASM blobs
Resolves: rhbz#2151546
Resolves: rhbz#2151617
* Fri Dec 02 2022 Jan Staněk <jstanek@redhat.com> - 1:16.18.1-2
- Record CVE references already addressed in this or previous upstream versions
Resolves: CVE-2021-44531 CVE-2021-44532 CVE-2021-44533 CVE-2022-21824
* Mon Dec 05 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.18.1-2
- Add back libs and v8-devel subpackages
- Related: RHBZ#2121126
- Record previously fixed CVE
- Resolves: CVE-2021-44906
* Wed Nov 16 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.18.1-1
- Rebase + CVE fixes
- Resolves: #2121024
- Resolves: #2135490, #2140926
- Rebase + CVEs
- Resolves: #2142808
- Resolves: #2142826, #2131745, #2142855
* Fri Oct 07 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.17.1-1
* Tue Sep 27 2022 Jan Staněk <jstanek@redhat.com> - 16.17.1-1
- Rebase to version 16.17.1
- Resolves: CVE-2022-35255 CVE-2022-35256
Resolves: CVE-2022-35255 CVE-2022-35256
* Tue Aug 23 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.16.0-1
- Resolves: #2104754, #2108057, #2108062, #2108067, #2108072
- Resolves CVE-2022-29244, CVE-2022-32212/3/4/5
- Resolves: #2106285
- Rebase to latest release
* Tue Aug 23 2022 Jan Staněk <jstanek@redhat.com> - 16.16.0-1
- Rebase to version 16.16.0
Resolves: RHBZ#2106290
Resolves: CVE-2022-32212 CVE-2022-32213 CVE-2022-32214 CVE-2022-32215
Resolves: CVE-2022-29244
* Mon Apr 25 2022 Jan Staněk <jstanek@redhat.com> - 1:16.14.0-5
- Unify configure calls into single command
- Refactor bootstrap-related parts
* Thu Apr 21 2022 Jan Staněk <jstanek@redhat.com> - 16.14.0-5
- Decouple dependency bundling from bootstrapping
* Mon Apr 11 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.14.0-4
* Tue Apr 05 2022 Jan Staněk <jstanek@redhat.com> - 16.14.0-4
- Apply lock file validation fixes
- Resolves: CVE-2021-43616
- Resolves: RHBZ#2070013
* Mon Dec 06 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.13.1-3
- Resolves: RHBZ#2026329
- Add corepack to spec
* Mon Dec 06 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.13.1-2
- Resolves: RHBZ#2026329
- Update npm version test
* Thu Dec 02 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.13.1-1
- Resolves: RHBZ#2014132, RHBZ#2014126, RHBZ#2013828, RHBZ#2024920
- Resolves: RHBZ#2026329
- Rebase to LTS release and to fix multiple low and medium CVEs
* Mon Sep 13 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.8.0-1
- Resolves CVE-2021-32803, CVE-2021-32804, CVE-2021-37701, CVE-2021-37712
- Resolves: RHBZ#1993948, RHBZ#1993941, RHBZ#2000151, RHBZ#2002176
* Mon Aug 30 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.7.0-2
- Resolves CVE-2021-22930, CVE-2021-22931, CVE-2021-22939,
- CVE-2021-22940, CVE-2021-32803, CVE-2021-32804, CVE-2021-3672
- Resolves: RHBZ#1988608, RHBZ#1993816, RHBZ#1993810
- Resolves: RHBZ#1993097, RHBZ#1993948, RHBZ#1993941, RHBZ#1994963
- fix python3 in gyp
* Wed Aug 18 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.7.0-1
- Resolves CVE-2021-22930, CVE-2021-22931, CVE-2021-22939,
- CVE-2021-22940, CVE-2021-32803, CVE-2021-32804, CVE-2021-3672
- Resolves: RHBZ#1988608, RHBZ#1993816, RHBZ#1993810
- Resolves: RHBZ#1993097, RHBZ#1993948, RHBZ#1993941, RHBZ#1994963
* Fri Jul 09 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.4.2-1
- Resolves: RHBZ#1979847
- Resolves CVE-2021-22918(libuv)
- Use system cipher list(1842826, 1952915)
* Tue May 11 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.1.0-1
- Resolves: RHBZ#1953991
Resolves: CVE-2021-43616
* Thu Mar 31 2022 Jan Staněk <jstanek@redhat.com> - 16.14.0-3
- Refactor bootstap handling and configure script invocation
Resolves: rhbz#2056969
* Sun Feb 13 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.14.0-2
- Build with bootstrap by default due to old versions of dependencies available
- Resolves: #2042995, #2042970, #2042981, #2042989
- Resolves: #2029936, #2024890, #2014499, #2014135
- Resolves: #2013834, #1945299
* Fri Feb 11 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.14.0-1
- Update to latest version
- Use jinja and jq
- Don't fix python3
- Resolves: CVE-2022-21824, CVE-2021-44531, CVE-2021-44532, CVE-2021-44533
- Resolves CVE-2020-15095
- Resolves: CVE-2021-3918, CVE-2021-22959, CVE-2021-22960
- Resolves: CVE-2021-3807, CVE-2021-27290
* Wed Sep 29 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.10.0-1
- Rebase to 16.10.0, add corepack, fix PowerShell dependency
- Resolves: RHBZ#2000539, #2000548, #2000549, #2002177
* Thu Aug 12 2021 Jan Staněk <jstanek@redhat.com> - 1:16.6.2-1
- Rebase to 16.6.2
Resolves: CVE-2021-22931 CVE-2021-22939 CVE-2021-22940
* Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1:16.5.0-3
- Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
Related: rhbz#1991688
* Thu Jul 22 2021 Zuzana Svetlikova <zsvetlik@redhat.com - 1:16.5.0-2
- Bump for gating
- Resolves: RHBZ#1979926
* Tue Jul 20 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.5.0-1
- Rebase to 16.5.0
- Fixes CVE-2021-22918(libuv)
- Resolves: RHBZ#1979926
* Wed Jun 16 2021 Mohan Boddu <mboddu@redhat.com> - 1:16.3.0-2
- Rebuilt for RHEL 9 BETA for openssl 3.0
Related: rhbz#1971065
* Tue Jun 01 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.3.0-1
- Resolves: RHBZ#1953491
- Rebase to 16.3.0
- includes https://github.com/nodejs/node/pull/38732
* Thu May 20 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.2.0-1
- Resolves: RHBZ#1953491
- Rebase to 16.2.0
- includes https://github.com/nodejs/node/pull/38633 (FIPS for OpenSSL 3.0)
* Wed May 19 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:16.1.0-1
- Resolves: RHBZ#1953491
- Support for OpenSSL 3.0.0
- Rebase to v16.x
- Update version of gcc and gcc-c++ needed
- Remove libs conditionals
- Remove unused patches
- Bundle nghttp3 and ngtcp2
* Mon Mar 01 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.16.0-2
- Resolves RHBZ#1930775
- remove --debug-nghttp2 option
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com>
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Tue Mar 30 2021 Jonathan Wakely <jwakely@redhat.com> - 1:14.16.0-4
- Rebuilt for removed libstdc++ symbol (#1937698)
* Tue Mar 09 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.16.0-3
- Only require nodejs-packaging on Fedora
- remove --debug-nghttp2 (#1930775)
- always build with systemtap
* Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1:14.15.4-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Mon Jan 04 2021 Stephen Gallagher <sgallagh@redhat.com> - 1:14.15.4-1
- Update to 14.15.4
* Wed Dec 02 2020 Stephen Gallagher <sgallagh@redhat.com> - 1:14.15.1-1
- Update to 14.15.1
* Mon Mar 01 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.16.0-1
- Resolves CVE-2021-22883 CVE-2021-22884
- Resolves: RHBZ#1934566, RHBZ#1934599
- Rebase, remove ini patch
* Tue Oct 20 2020 Stephen Gallagher <sgallagh@redhat.com> - 1:14.14.0-2
- Don't build with LTO on aarch64
* Tue Jan 26 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.15.4-2
- Add patch for yarn crash
- Resolves: RHBZ#1915296
* Mon Oct 19 2020 Stephen Gallagher <sgallagh@redhat.com> - 1:14.14.0-1
- Update to 14.14.0
* Tue Jan 19 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.15.4-1
- Security rebase to 14.15.4
- https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/
- Resolves: RHBZ#1913001, RHBZ#1912953
- Resolves: RHBZ#1912636, RHBZ#1898602, RHBZ#1898768, RHBZ#1893987, RHBZ#1893184
* Fri Oct 09 2020 Stephen Gallagher <sgallagh@redhat.com> - 1:14.13.1-1
- Update to 14.13.1
* Thu Oct 29 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.15.0-1
- Resolves: RHBZ#1858864
- Update to LTS release
* Thu Oct 01 2020 Stephen Gallagher <sgallagh@redhat.com> - 1:14.13.0-1
- Update to 14.13.0
* Mon Sep 21 2020 Jan Staněk <jstanek@redhat.com> - 1:14.11.0-1
- Security update to 14.11.0
* Wed Sep 16 2020 Stephen Gallagher <sgallagh@redhat.com> - 1:14.11.0-1
- Update to 14.11.0
* Tue Sep 08 2020 Stephen Gallagher <sgallagh@redhat.com> - 1:14.10.0-1
- Update to 14.10.0
* Fri Aug 21 2020 Jeff Law <law@redhat.com> - 1:14.7.0-2
- Narrow LTO opt-out to just armv7hl
* Fri Jul 31 2020 Stephen Gallagher <sgallagh@redhat.com> - 1:14.7.0-1
- Update to 14.7.0
* Tue Jul 28 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:14.5.0-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Tue Jul 07 2020 Stephen Gallagher <sgallagh@redhat.com> - 1:14.5.0-1
- Update to 14.5.0
* Tue Jul 07 2020 Stephen Gallagher <sgallagh@redhat.com> - 1:14.4.0-3
- Update for new packaging guidelines
* Tue Jun 30 2020 Jeff Law <law@redhat.com> - 1:14.4.0-2
- Disable LTO
* Wed Jun 03 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.4.0-1
- Security update to 14.4.0
- Resolves: RHBZ#1815402
* Thu May 21 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.3.0-1
* Thu May 21 2020 Stephen Gallagher <sgallagh@redhat.com> - 1:14.3.0-1
- Update to 14.3.0
- Fix optflags to save memory
- Resolves: RHBZ#1815402
* Wed May 06 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.2.0-1
* Wed May 06 2020 Stephen Gallagher <sgallagh@redhat.com> - 1:14.2.0-1
- Update to 14.2.0
- build with python3 only
- some clean up
* Tue Mar 17 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.16.1-2
- Fix CVE-2020-10531
* Wed Apr 29 2020 Stephen Gallagher <sgallagh@redhat.com> - 1:14.1.0-1
- Update to 14.1.0
* Fri Apr 24 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.0.0-2
- Keep the fix scripts for Koji
* Thu Apr 23 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:14.0.0-1
- Update to 14.0.0
- v14.x should be python3 compatible, so commented out py sed scripts
* Thu Feb 20 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.16.1-1
- Rebase to 12.16.1
* Wed Apr 15 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:13.13.0-1
- Update to 13.13.0
- Add bundled uvwasi and histogram_c provides
- Add shared brotli dependency
- Remove icustrip.py patch, which was merged in upstream
* Wed Jan 15 2020 Jan Staněk <jstanek@redhat.com> - 1:12.14.1-1
- Rebase to 12.14.1
* Tue Mar 17 2020 Stephen Gallagher <sgallagh@redhat.com> - 1:13.11.0-2
- Fix python3 issue in icustrip.py
* Fri Nov 29 2019 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.13.1-1
- Resolves: RHBZ# 1773503, update to 12.13.1
- minor clean up and sync with Fedora spec
- turn off debug builds
* Mon Mar 16 2020 Stephen Gallagher <sgallagh@redhat.com> - 1:13.11.0-1
- Update to 13.11.0
* Thu Aug 01 2019 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.4.0-2
- Add condition to libs
* Wed Feb 26 2020 Stephen Gallagher <sgallagh@redhat.com> - 1:13.9.0-2
- Build with python 3 only
* Wed Jun 12 2019 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.4.0-1
- Update to v12.x
- Add v8-devel and libs subpackages from fedora
* Tue Feb 25 2020 Stephen Gallagher <sgallagh@redhat.com> - 1:13.9.0-1
- Release Node.js 13.9.0
* Thu Mar 14 2019 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:10.14.1-2
- move nodejs-packaging BR out of conditional
* Tue Feb 25 2020 Stephen Gallagher <sgallagh@redhat.com> - 1:12.16.1-1
- Update to 12.16.1
- Fixes six regressions introduced in 12.16.0
* Fri Feb 14 2020 Stephen Gallagher <sgallagh@redhat.com> - 1:12.16.0-1
- Update to 12.16.0
- Drop upstreamed patch
* Tue Dec 11 2018 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:10.14.1-1
- Resolves RHBZ#1644207
- fixes node-gyp permissions
- rebase
* Thu Feb 06 2020 Stephen Gallagher <sgallagh@redhat.com> - 1:12.15.0-1
- Update to 12.15.0
* Wed Jan 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:12.14.1-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Thu Oct 11 2018 Jan Staněk <jstanek@redhat.com> - 1:10.11.0-2
- BuildRequire nodejs-packaging for proper npm dependency generation
- Resolves: rhbz#1615947
* Mon Jan 13 2020 Stephen Gallagher <sgallagh@redhat.com> - 1:12.14.1-3
- Fix issue with header symlinks in v8-devel
* Mon Oct 08 2018 Jan Staněk <jstanek@redhat.com> - 1:10.11.0-1
- Rebase to 10.11.0
- Import changes from fedora
- Resolves: rhbz#1621766
* Tue Jan 07 2020 Stephen Gallagher <sgallagh@redhat.com> - 1:12.14.1-2
- Drop unneeded dependency on http-parser-devel
* Mon Jul 30 2018 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:10.7.0-5
- Import sources from fedora
- Allow using python2 at %%build and %%install
- turn off debug for aarch64
* Tue Jan 07 2020 Stephen Gallagher <sgallagh@redhat.com> - 1:12.14.1-1
- Update to 12.14.1
- https://github.com/nodejs/node/blob/v12.14.1/doc/changelogs/CHANGELOG_V12.md
* Mon Jan 06 2020 Stephen Gallagher <sgallagh@redhat.com> - 1:12.14.0-2
- Update to 12.14.0
- https://github.com/nodejs/node/blob/v12.14.0/doc/changelogs/CHANGELOG_V12.md
- Add new subpackage nodejs-full-i18n to enable optional non-English locale
support
- Update documentation packaging for NPM
* Mon Dec 02 2019 Stephen Gallagher <sgallagh@redhat.com> - 1:12.13.1-1
- Update to 12.13.1
- https://github.com/nodejs/node/blob/v12.13.1/doc/changelogs/CHANGELOG_V12.md
* Tue Oct 29 2019 Stephen Gallagher <sgallagh@redhat.com> - 1:12.13.0-6
- Add proper i18n support
* Tue Oct 29 2019 Stephen Gallagher <sgallagh@redhat.com> - 1:12.13.0-5
- Fix issue with NPM docs being replaced with a symlink
* Mon Oct 28 2019 Stephen Gallagher <sgallagh@redhat.com> - 1:12.13.0-2
- Simplify npmrc default configuration
* Mon Oct 28 2019 Stephen Gallagher <sgallagh@redhat.com> - 1:12.13.0-1
- Update to 12.13.0 (LTS)
- https://github.com/nodejs/node/blob/v12.13.0/doc/changelogs/CHANGELOG_V12.md
- NPM no longer clobbers RPM-installed Node.js modules
- Drop no-longer needed patch to suppress `npm update -g npm` message
* Wed Sep 04 2019 Stephen Gallagher <sgallagh@redhat.com> - 1:12.10.0-1
- Update to 12.10.0
- https://github.com/nodejs/node/blob/v12.10.0/doc/changelogs/CHANGELOG_V12.md#12.10.0
* Wed Aug 21 2019 Stephen Gallagher <sgallagh@redhat.com> - 1:12.9.0-1
- Update to 12.9.0
- https://github.com/nodejs/node/blob/v12.9.0/doc/changelogs/CHANGELOG_V12.md#12.9.0
* Thu Aug 15 2019 Stephen Gallagher <sgallagh@redhat.com> - 1:12.8.2-1
- Update to 12.8.1
- Resolves: CVE-2019-9511 "Data Dribble"
- Resolves: CVE-2019-9512 "Ping Flood"
- Resolves: CVE-2019-9513 "Resource Loop"
- Resolves: CVE-2019-9514 "Reset Flood"
- Resolves: CVE-2019-9515 "Settings Flood"
- Resolves: CVE-2019-9516 "0-Length Headers Leak"
- Resolves: CVE-2019-9517 "Internal Data Buffering"
- Resolves: CVE-2019-9518 "Empty Frames Flood"
- https://github.com/nodejs/node/blob/v12.8.1/doc/changelogs/CHANGELOG_V12.md#12.8.1
* Mon Aug 05 2019 Stephen Gallagher <sgallagh@redhat.com> - 1:12.7.0-3
- Fix epoch dependencies
- Carry data files for ICU
* Fri Aug 02 2019 Stephen Gallagher <sgallagh@redhat.com> - 1:12.7.0-2
- Change v8-devel release field to avoid duplicated package names
* Thu Aug 01 2019 Stephen Gallagher <sgallagh@redhat.com> - 1:12.7.0-1
- Update to 12.7.0
- https://nodejs.org/en/blog/release/v12.7.0/
* Tue Jul 30 2019 Tom Hughes <tom@compton.nu> - 1:12.6.0-2
- Bump release to fix dependencies
* Thu Jul 25 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:12.6.0-1.1
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Thu Jun 27 2019 Stephen Gallagher <sgallagh@redhat.com> - 1:12.6.0-1
- Update to 12.6.0
- https://nodejs.org/en/blog/release/v12.6.0/
- https://nodejs.org/en/blog/release/v12.5.0/
* Tue Jun 04 2019 Stephen Gallagher <sgallagh@redhat.com> - 1:12.4.0-1
- Update to 12.4.0
- https://nodejs.org/en/blog/release/v12.4.0/
* Fri May 24 2019 Stephen Gallagher <sgallagh@redhat.com> - 1:12.3.1-1
- Update to 12.3.1
- https://nodejs.org/en/blog/release/v12.3.1/
- https://nodejs.org/en/blog/release/v12.3.0/
* Wed May 15 2019 Stephen Gallagher <sgallagh@redhat.com> - 1:12.2.0-1
- Update to 12.2.0
- https://nodejs.org/en/blog/release/v12.2.0/
* Tue Apr 30 2019 Stephen Gallagher <sgallagh@redhat.com> - 1:12.1.0-1
- Update to 12.1.0
- https://nodejs.org/en/blog/release/v12.1.0/
* Wed Apr 24 2019 Stephen Gallagher <sgallagh@redhat.com> - 1:12.0.0-3
- Fix upgrade bug for v8-devel (BZ #1702609)
* Tue Apr 23 2019 Stephen Gallagher <sgallagh@redhat.com> - 1:12.0.0-2
- Node.js 12.x requires OpenSSL 1.1.1+
* Tue Apr 23 2019 Stephen Gallagher <sgallagh@redhat.com> - 1:12.0.0-1
- Release 12.0.0
- https://nodejs.org/en/blog/release/v12.0.0/
* Thu Apr 11 2019 Stephen Gallagher <sgallagh@redhat.com> - 1:11.13.0-1
- Update to 11.13.0
- https://nodejs.org/en/blog/release/v11.13.0/
- https://nodejs.org/en/blog/release/v11.12.0/
- https://nodejs.org/en/blog/release/v11.11.0/
* Fri Mar 01 2019 Stephen Gallagher <sgallagh@redhat.com> - 1:11.10.1-1
- Update to 11.10.1
- https://nodejs.org/en/blog/release/v11.10.1/
- https://nodejs.org/en/blog/release/v11.10.0/
- https://nodejs.org/en/blog/release/v11.9.0/
- https://nodejs.org/en/blog/release/v11.8.0/
* Fri Jan 18 2019 Stephen Gallagher <sgallagh@redhat.com> - 1:11.7.0-1
- Update to 11.7.0
- https://nodejs.org/en/blog/release/v11.7.0/
- https://nodejs.org/en/blog/release/v11.6.0/
- https://nodejs.org/en/blog/release/v11.5.0/
- https://nodejs.org/en/blog/release/v11.4.0/
* Thu Nov 29 2018 Stephen Gallagher <sgallagh@redhat.com> - 1:11.3.0-1
- Update to 11.3.0
- https://nodejs.org/en/blog/release/v11.2.0/
- https://nodejs.org/en/blog/release/v11.3.0/
* Fri Nov 02 2018 Stephen Gallagher <sgallagh@redhat.com> - 1:11.1.0-1
- Update to 11.1.0
- https://nodejs.org/en/blog/release/v11.1.0/
* Thu Nov 01 2018 Stephen Gallagher <sgallagh@redhat.com> - 1:11.0.0-1
- Update to 11.0.0
- https://nodejs.org/en/blog/release/v11.0.0/
* Thu Nov 01 2018 Stephen Gallagher <sgallagh@redhat.com> - 1:10.13.0-1
- Update to 10.13.0
- https://nodejs.org/en/blog/release/v10.13.0/
* Thu Oct 11 2018 Stephen Gallagher <sgallagh@redhat.com> - 1:10.12.0-1
- Update to 10.12.0
- https://nodejs.org/en/blog/release/v10.12.0/
* Wed Oct 10 2018 Jan Staněk <jstanek@redhat.com> - 1:10.11.0-2
- Add non-bootstrap BR for nodejs-packaging
* Thu Sep 20 2018 Stephen Gallagher <sgallagh@redhat.com> - 1:10.11.0-1
- Update to 10.11.0
- https://nodejs.org/en/blog/release/v10.11.0/
* Wed Sep 19 2018 Stephen Gallagher <sgallagh@redhat.com> - 1:10.10.0-2
- Really, finally fix npm dep executable permissions
* Tue Sep 11 2018 Stephen Gallagher <sgallagh@redhat.com> - 1:10.10.0-1
- Update to 10.10.0
- https://nodejs.org/en/blog/release/v10.10.0/
- Fix issue with npm permissions
* Tue Aug 21 2018 Stephen Gallagher <sgallagh@redhat.com> - 1:10.9.0-2
- Clean up automatic dependencies for npm
* Thu Aug 16 2018 Stephen Gallagher <sgallagh@redhat.com> - 1:10.9.0-1
- Update to 10.9.0
- https://nodejs.org/en/blog/release/v10.9.0/
* Tue Aug 07 2018 Stephen Gallagher <sgallagh@redhat.com> - 1:10.8.0-1
- Update to 10.8.0
- https://nodejs.org/en/blog/release/v10.8.0/
* Fri Jul 20 2018 Stephen Gallagher <sgallagh@redhat.com> - 1:10.7.0-4
- Fix npm upgrade scriptlet
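Review bot: The 1:16.20.2-7 entry at the top of the changelog records "Backport patch for CVE-2024-27982", yet the 1:16.20.2-8 entry right above it reads "Actually apply the patch for CVE-2024-27982", so the -7 build carried the CVE reference in its changelog without the fix being applied. Anyone matching CVE identifiers against `rpm -q --changelog` output would have counted -7 as fixed. The -8 entry should say explicitly that -7 remains affected, and patches are better applied through `%autosetup` or `%autopatch` so that a declared `PatchN` cannot be silently skipped (how this spec applies patches is not shown in this hunk). Smaller points in the same hunk: the `* Thu Jul 22 2021` header is missing the closing `>` after the e-mail address, "bootstap" in the 16.14.0-3 entry is a typo, the Jan Staněk headers for 16.17.1-1, 16.16.0-1, 16.14.0-5, 16.14.0-4 and 16.14.0-3 omit the `1:` epoch that the surrounding entries carry, the `* Fri Apr 16 2021` header has no version-release at all, and the `* Thu Aug 15 2019` header says 1:12.8.2-1 while its body says "Update to 12.8.1".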
