Changelog for npm12-12.20.1-lp152.3.9.1.x86_64.rpm :
* Mon Jan 04 2021 Adam Majer
- New upstream LTS version 12.20.1:
  * CVE-2020-8265: use-after-free in TLSWrap (High)
    bug in TLS implementation. When writing to a TLS enabled socket,
    node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly
    allocated WriteWrap object as first argument. If the DoWrite method
    does not return an error, this object is passed back to the caller
    as part of a StreamWriteResult structure. This may be exploited to
    corrupt memory leading to a Denial of Service or potentially other
    exploits (bsc#1180553)
  * CVE-2020-8287: HTTP Request Smuggling
    allow two copies of a header field in a http request. For example,
    two Transfer-Encoding header fields. In this case Node.js identifies
    the first header field and ignores the second. This can lead to
    HTTP Request Smuggling
    (https://cwe.mitre.org/data/definitions/444.html). (bsc#1180554)
  * CVE-2020-1971: OpenSSL - EDIPARTYNAME NULL pointer de-reference (High)
    This is a vulnerability in OpenSSL which may be exploited through
    Node.js. (bsc#1179491)
- versioned.patch, nodejs-libpath.patch: refreshed

* Mon Nov 30 2020 Adam Majer
- openssl_binary_detection.patch: fixes unit tests on SLE12

* Thu Nov 26 2020 Adam Majer
- New upstream LTS version 12.20.0:
  * deps:
    + update llhttp '2.1.2' -> '2.1.3'
    + update uv '1.39.0' -> '1.40.0'
    + update uvwasi '0.0.10' -> '0.0.11'
  * fs: add .ref() and .unref() methods to watcher classes
  * http: added scheduling option to http agent
  * module:
    + exports pattern support
    + named exports for CJS via static analysis
  * n-api: add more property defaults (gh#35214)

* Mon Nov 23 2020 Adam Majer
- Update Requires: so -devel requires npm
- Rely on rpmbuild to define necessary python dependencies

* Thu Nov 19 2020 Adam Majer
- New upstream LTS version 12.19.1:
  * deps: Denial of Service through DNS request (High).
    A Node.js application that allows an attacker to trigger a DNS
    request for a host of their choice could trigger a Denial of Service
    by getting the application to resolve a DNS record with a larger
    number of responses (bsc#1178882, CVE-2020-8277)

* Fri Nov 13 2020 Adam Majer
- python3.patch: allows building of node with python3 toolchain

* Fri Oct 09 2020 Adam Majer
- fix_ci_tests.patch: add support to SUSE's ECDH backport errors
  in SLE's openssl

* Wed Oct 07 2020 Adam Majer
- New upstream LTS version 12.19.0:
  * crypto: add randomInt function
  * deps:
    + upgrade to libuv 1.39.0
    + deps: upgrade npm to 6.14.7
    + deps: upgrade to libuv 1.38.1
  * doc: deprecate process.umask() with no arguments
  * module:
    + package "imports" field
    + module: deprecate module.parent
  * n-api: create N-API version 7
  * zlib: switch to lazy init for zlib streams
- fix_ci_tests.patch: refreshed
- versioned.patch: refreshed

* Wed Sep 23 2020 Adam Majer
- New upstream LTS version 12.18.4:
  * deps:
    + update llhttp to 2.1.2 (bsc#1176605, CVE-2020-8201)
    + fs.realpath.native may cause buffer overflow
      (bsc#1176589, CVE-2020-8252)
- fix_ci_tests.patch: re-add missing debug symbol removal before
  running unit tests

* Mon Aug 10 2020 Adam Majer
- Explicitly add -fno-strict-aliasing to CFLAGS to fix compilation
  on Aarch64 with gcc10 (bsc#1172686)

* Mon Aug 03 2020 Adam Majer
- New upstream LTS version 12.18.3:
  deps:
  * upgrade npm to 6.14.6 (claudiahdz) #34246
    Fixes information leak through log files
    (bsc#1173937, CVE-2020-15095)
  * update node-inspect to v2.0.0 (Jan Krems) #33447
  * uvwasi: cherry-pick 9e75217 (Colin Ihrig) #33521
- fix_ci_tests.patch: refreshed
- versioned.patch: refreshed

* Tue Jul 28 2020 Dirk Mueller
- avoid rpmbuild warnings on if/else/endif constructs

* Thu Jul 02 2020 Adam Majer
- New upstream LTS version 12.18.2:
  * deps: V8: backport fb26d0bb1835 (Matheus Marchini) #33573
    + Fixes memory leak in PrototypeUsers::Add
  * src: use symbol to store AsyncWrap resource (Anna Henningsen) #31745
    + Fixes reported memory leak (bsc#1173653)

* Thu Jun 18 2020 Adam Majer
- New upstream LTS version 12.18.1:
  + deps:
    * V8: cherry-pick 548f6c81d424 (Dominykas Blyžė) #33484
    * update to uvwasi 0.0.9 (Colin Ihrig) #33445
    * upgrade to libuv 1.38.0 (Colin Ihrig) #33446
    * upgrade npm to 6.14.5 (Ruy Adorno) #33239
- skip_no_console.patch: refreshed and mostly upstreamed
- versioned.patch: refreshed

* Tue Jun 09 2020 Adam Majer
- Add Require for nodejs12 when installing npm12. (bsc#1172728)

* Thu Jun 04 2020 Adam Majer
- New upstream LTS version 12.18.0:
  * napi: fix various types of memory corruption in
    napi_get_value_string_*() (CVE-2020-8174, bsc#1172443)
  * http2: fix HTTP/2 Large Settings Frame DoS
    (CVE-2020-11080, bsc#1172442)
  * TLS session reuse can lead to host certificate verification bypass
    (CVE-2020-8172, bsc#1172441)
- use system ICU on SLE-15

* Wed May 27 2020 Adam Majer
- Update to LTS release 12.17.0:
  * async-hooks: introduce async-storage API
  * cli: Added a --trace-sigint CLI flag that will print the current
    execution stack on SIGINT #29207.
  * crypto: Various crypto APIs now support Diffie-Hellman secrets
  * dns: Added the dns.ALL flag, that can be passed to dns.lookup()
    with dns.V4MAPPED to return resolved IPv6 addresses as well as
    IPv4 mapped IPv6 addresses #32183.
  * events: It is now possible to monitor 'error' events on an
    EventEmitter without consuming the emitted error by installing a
    listener using the symbol EventEmitter.errorMonitor
  * http,https: The default value of server.headersTimeout for http
    and https servers was increased from 40000 to 60000ms
  * process: It is now possible to monitor 'uncaughtException' events
    without overriding the default behavior
  * repl:
    + Added REPL substring-based search
    + Added preview
    + Added reverse-i-search
  * module: Added a new experimental API to interact with Source Map V3
    data #31132.
  * worker: Added support for passing a transferList along with
    workerData to the Worker constructor #32278.
  For further information, please see
  https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V12.md#12.17.0
- icu-v67.patch: upstreamed
- skip_no_console.patch, versioned.patch: refreshed

* Wed May 13 2020 Ismail Dönmez
- Add icu-v67.patch to fix build with icu v67

* Mon May 04 2020 Adam Majer
- Reduce Requires to Recommends on nodejs12-devel when installing npm12

* Tue Apr 28 2020 Adam Majer
- Update to LTS release 12.16.3:
  * deps:
    + Updated OpenSSL to 1.1.1g
    + Updated c-ares to 1.16.0
    + Updated experimental uvwasi to 0.0.6
  * ESM (experimental): Additional warnings are no longer printed for
    modules that use conditional exports or package name self resolution
- fix_ci_tests.patch: refreshed

* Mon Apr 27 2020 Adam Majer
- Update to LTS release 12.16.2:
  * deps:
    + upgrade npm to 6.13.6 (bsc#1166916, CVE-2020-7598)
    + update openssl to 1.1.1e
- openssl_rand_regression.patch, wasi_compile_flags.patch: upstreamed
- versioned.patch, fix_ci_tests.patch: refreshed
- linker_lto_jobs.patch: serialize linker during build

* Mon Mar 02 2020 Adam Majer
- openssl_rand_regression.patch: Add getrandom syscall definition
  for all Linux platforms. This fixes a runtime error in SLE-12
  (bnc#1162117)

* Wed Feb 19 2020 Adam Majer
- Update to LTS release 12.16.1:
  * Reverted regressions from 12.16.0
    + accidental unflagging of self resolving modules - it now requires
      --experimental-modules flag to enable.
    + process cleanup changes introduced WASM-Related assertion
    + use of largepages runtime option introduced linking failure
    + async_hooks was causing an exception when handling errors
    + enumerable Read-Only property on EventEmitter breaks @types/extend
    + exceptions in the HTTP parser were not emitting as an
      uncaughtException

* Wed Feb 12 2020 Adam Majer
- Update to LTS release 12.16.0:
  * assert: add experimental assert.match() and assert.doesNotMatch()
    methods. These allow matching vs. provided regular expressions.
  * child_process, cluster: now support serialization option to allow
    for custom serialization mechanism for IPC.
  * cli: add --trace-exit and --trace-uncaught flags
  * crypto:
    + added support for 'ieee-p1363' signature type for DSA and ECDSA
      in addition to DER
    + Added Hash.prototype.copy making it possible to clone internal
      state of Hash object. This allows digest computation between
      updates.
  * deps:
    + libuv was updated to 1.34.0
    + V8 was updated to 7.8.279.23 - for official changes, see
      https://v8.dev/blog/v8-release-78
  * events:
    + add EventEmitter.on to async iterate over events
    + allow monitoring error events via EventEmitter.errorMonitor
    + add experimental method to captureRejections for async handlers
  * perf_hooks: now considered stable API
  * wasi: Add new core module for WebAssembly System Interface as an
    experimental feature.
- wasi_compile_flags.patch: fix header inclusions in uvwasi dependency

* Fri Feb 07 2020 Adam Majer
- Update to LTS release 12.15.0:
  * fixes a remotely triggerable assertion on a TLS server via a
    crafted certificate string (CVE-2019-15604, bsc#1163104)
  * fixes an HTTP request smuggling vulnerability via malformed
    Transfer-Encoding header (CVE-2019-15605, bsc#1163102)
  * trim HTTP header values of optional white space
    (CVE-2019-15606, bsc#1163103)
  * enabled stricter HTTP header parsing by default.
- fix_ci_tests.patch: refreshed

* Thu Jan 09 2020 Adam Majer
- Update to LTS release 12.14.1:
  * crypto: fix key requirements in asymmetric cipher
  * deps:
    + update llhttp to 2.0.1
    + update nghttp2 to 1.40.0
  * v8: mark serdes API as stable
- nodejs-libpath.patch: refreshed

* Tue Jan 07 2020 Guillaume GARDET
- Really disable LTO when required (nodejs < 12)

* Thu Dec 19 2019 Adam Majer
- Update to LTS release 12.14.0:
  * deps: update npm to 6.13.4 fixing an arbitrary path overwrite and
    access via "bin" field (bsc#1159352, CVE-2019-16777,
    CVE-2019-16776, CVE-2019-16775)
- refreshed: fix_ci_tests.patch versioned.patch

* Tue Nov 19 2019 Adam Majer
- Update to LTS release 12.13.1:
  * improved experimental support for building Node.js with Python3
  * ICU time zone data is updated to version 2019c - fixing TZ offset
    for Brazil
  * deps:
    + upgrade to libuv 1.33.1
    + upgrade npm to 6.12.1

* Tue Nov 05 2019 Adam Majer
- skip_no_console.patch: skip tests with dumb console
- versioned.patch: fix symlinks

* Mon Oct 21 2019 Adam Majer
- Update to LTS release 12.13.0 (jsc#SLE-8947):
  * deps: update npm to 6.12.0
  * doc:
    + fix --enable-source-maps flag in v12.12.0 changelog
    + set module version 72 to node 12
    + fix tls version values
  * fs: do not emit 'finish' before 'open' on write empty file
- versioned.patch: refreshed

* Mon Oct 14 2019 Adam Majer
- Update to 12.12.0:
  * deprecations: Add documentation-only deprecation for
    process._tickCallback()
  * esm: Using JSON modules is experimental again
  * fs: Introduce opendir() and fs.Dir to iterate through directories
  * process: Add source-map support to stack traces by using
    --enable-source-maps
  * tls:
    + Honor pauseOnConnect option
    + Add option for private keys for OpenSSL engines
- fix_build_with_openssl_1.1.1d.patch: upstreamed

* Mon Oct 14 2019 Adam Majer
- Update to 12.11.1:
  * build: fixed building
  * deps: Updated small-icu data to support "unit" style in the
    Intl.NumberFormat API
- Remove unsupported 32-bit architectures
- fix_ci_tests.patch: correct build with SUSE backport of KDF patches
  to OpenSSL 1.1.1d

* Thu Sep 26 2019 Adam Majer
- Update to 12.11.0:
  * crypto: Add oaepLabel option
  * deps: updated V8 to 7.7.299.11
    + More efficient memory handling
    + Stack trace serialization got faster
    + The Intl.NumberFormat API gained new functionality
    + more information: https://v8.dev/blog/v8-release-77
  * events: Add support for EventTarget in once
  * fs: Expose memory file mapping flag UV_FS_O_FILEMAP
  * inspector: New API - Session.connectToMainThread
  * process: Initial SourceMap support via env.NODE_V8_COVERAGE
  * stream: Make _write() optional when _writev() is implemented
  * tls: Add option to override signature algorithms
  * util: Add encodeInto to TextEncoder
  * worker: The worker_thread module is now stable
- versioned.patch: refreshed

* Wed Sep 18 2019 Vítězslav Čížek
- Fix build with OpenSSL 1.1.1d (bsc#1149792)
  * https://github.com/nodejs/node/pull/29550
  * add fix_build_with_openssl_1.1.1d.patch

* Fri Sep 06 2019 Adam Majer
- Update to 12.10.0:
  * deps:
    + update npm to 6.10.3
  * fs:
    + Add recursive option to rmdir()
    + Allow passing true to emitClose option
    + Add *timeNs properties to BigInt Stats objects
  * net:
    + Allow reading data into a static buffer
- versioned.patch: refreshed

* Mon Aug 26 2019 Adam Majer
- Update to 12.9.0:
  * crypto: Added an oaepHash option to asymmetric encryption which
    allows users to specify a hash function when using OAEP padding
  * deps: Updated V8 to 7.6.303.29
    + Improves the performance of various APIs such as JSON.parse and
      methods called on frozen arrays.
    + Adds the Promise.allSettled method.
    + Improves support of BigInt in Intl methods.
    + For more information: https://v8.dev/blog/v8-release-76
  * fs: Added fs.writev, fs.writevSync and filehandle.writev (promise
    version) methods.
  * http: Added three properties to OutgoingMessage.prototype:
    writableObjectMode, writableLength and writableHighWaterMark
  * stream:
    + Added a new property 'readableEnded' to readable streams.
    + Added a new property 'writableEnded' to writable streams.
- fix_ci_tests.patch: refreshed

* Fri Aug 16 2019 Adam Majer
- Update to 12.8.1:
  Security update regarding HTTP/2 Denial of Service vulnerabilities
  For details see,
  https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V12.md#12.8.1
  https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
  (CVE-2019-9511, CVE-2019-9512, CVE-2019-9513, CVE-2019-9514,
  bsc#1146091, bsc#1146099, bsc#1146094, bsc#1146095,
  CVE-2019-9515, CVE-2019-9516, CVE-2019-9517, CVE-2019-9518,
  bsc#1146100, bsc#1146090, bsc#1146097, bsc#1146093)

* Fri Aug 16 2019 Adam Majer
- Minimum ICU version is 64. Use in-tree ICU copy for older
  distributions

* Mon Aug 12 2019 Adam Majer
- dont_return_garbage.patch: dropped and turn off unnecessary errors
  about it during compilation

* Fri Aug 09 2019 Adam Majer
- Update to 12.8.0:
  * crypto:
    + The outputLength option is added to crypto.createHash
    + The maxmem range is increased from 32 to 53 bits
  * n-api: Added APIs for per-instance state management
  * report: Network interfaces get included in the report
  * src: v8.getHeapCodeStatistics() is now exported

* Wed Jul 24 2019 Adam Majer
- Update to 12.7.0:
  * deps:
    + Updated nghttp2 to 1.39.1
    + Updated npm to 6.10.0 (bsc#1140290, CVE-2019-13173)
  * esm: Implemented experimental "pkg-exports" proposal.
  * http:
    + Added response.writableFinished
    + Exposed headers, rawHeaders and other fields on an
      http.ClientRequest "information" event
  * inspector: Added inspector.waitForDebugger()
  * policy: Added --policy-integrity=sri CLI option to mitigate policy
    tampering
  * readline,tty: Exposed stream API
  * src: Use cgroups to get memory limits.
- Changes in version 12.6.0:
  * child_process: The promisified versions of child_process.exec and
    child_process.execFile now both return a Promise which has the
    child instance attached to their child property
  * deps: Updated libuv to 1.30.1
  * process: A new method, process.resourceUsage() was added
  * stream: Added a writableFinished property to writable streams.
  * worker: Fixed an issue that prevented worker threads to listen for
    data on stdin
- Changes in version 12.5.0:
  * build: Improve startup time by enabling V8 snapshots by default
  * deps: Updated V8 to 7.5.288.22
  * inspector: The --inspect-publish-uid flag was added to specify
    ways of the inspector web socket url exposure
  * n-api: Accessors on napi_define_* are now ECMAScript-compliant
  * report: The cpu info got added to the report output
  * src: Restore the original state of the stdio file descriptors on
    exit to prevent leaving stdio in raw or non-blocking mode
  * worker: worker.terminate() now returns a promise
- refreshed patches: dont_return_garbage.patch, fix_ci_tests.patch,
  nodejs-libpath.patch, versioned.patch

* Tue Jun 11 2019 Adam Majer
- Update to 12.4.0:
  * esm: JSON module support is always enabled under
    --experimental-modules. The --experimental-json-modules flag has
    been removed
  * http, http2: A new flag has been added for overriding the default
    HTTP server socket timeout (which is two minutes). Pass
    --http-server-default-timeout=milliseconds or
    --http-server-default-timeout=0 to respectively change or disable
    the timeout.
    Starting with Node.js 13.0.0, the timeout will be disabled by
    default
  * inspector: Added an experimental --heap-prof flag to start the V8
    heap profiler on startup and write the heap profile to disk before
    exit
  * stream: The readable.unshift() method now correctly converts
    strings to buffers. Additionally, a new optional argument is
    accepted to specify the string's encoding, such as 'utf8' or
    'ascii'
  * v8: The object returned by v8.getHeapStatistics() has two new
    properties: number_of_native_contexts and
    number_of_detached_contexts
- nodejs-libpath.patch: install npx into proper directory
- versioned.patch, fix_ci_tests.patch: refreshed

* Wed May 29 2019 Adam Majer
- Update to 12.3.1:
  * deps:
    + Fix handling of +0/-0 when constant field tracking is enabled
    + Fix os.freemem() and os.totalmem correctness
- changes in 12.3.0:
  * esm: Added the --experimental-wasm-modules flag to support
    WebAssembly modules
  * process: Log errors using util.inspect in case of fatal exceptions
  * repl: Add process.on('uncaughtException') support
  * stream: Implemented Readable.from async iterator utility
  * tls:
    + Expose built-in root certificates
    + Support net.Server options
    + Expose keylog event on TLSSocket
  * worker: Added the ability to unshift messages from the MessagePort
- changes in 12.2.0:
  * deps: Updated llhttp to 1.1.3. This fixes a bug that made Node.js'
    HTTP parser refuse any request URL that contained the "|"
    (vertical bar) character
  * tls: Added an enableTrace() method to TLSSocket and an enableTrace
    option to tls.createServer(). When enabled, TLS packet trace
    information is written to stderr. This can be used to debug TLS
    connection problems
  * cli:
    + Added --trace-tls enables tracing of TLS connections
    + Added --cpu-prof-interval
  * module:
    + Added the createRequire() method.
      The existing createRequireFromPath() method is now deprecated
    + Throw on require('./path.mjs')
  * repl:
    + The REPL now supports multi-line statements using BigInt literals
- enable LTO
- fix_ci_tests.patch: refreshed

* Fri May 03 2019 Adam Majer
- Update to 12.1.0:
  * intl: Update ICU to 64.2.
  * c++ API: Added an overload EmitAsyncDestroy that can be used
    during garbage collection
- Notable changes in 12.0.0:
  * assert:
    + validate required arguments
    + adjust loose assertions
  * async_hooks:
    + remove deprecated emitBefore and emitAfter
    + remove promise object from resource
  * bootstrap: make Buffer and process non-enumerable
  * buffer:
    + use stricter range checks
    + harden SlowBuffer creation
    + harden validation of buffer allocation size
    + do proper error propagation in addon methods
  * child_process:
    + remove options.customFds
    + harden fork arguments validation
    + use non-infinite maxBuffer defaults
  * console: don't use ANSI escape codes when TERM=dumb
  * crypto:
    + remove legacy native handles
    + decode missing passphrase errors
    + remove Cipher.setAuthTag() and Decipher.getAuthTag()
    + remove deprecated crypto._toBuf()
    + set DEFAULT_ENCODING property to non-enumerable
  * deps:
    + update V8 to 7.4.288.13
    + bump minimum icu version to 63
    + update bundled OpenSSL to 1.1.1b and bump minimum OpenSSL
      requirements to 1.1.1
  * errors: update error name
  * fs:
    + use proper .destroy() implementation for SyncWriteStream
    + improve mode validation
    + harden validation of start option in createWriteStream()
    + make writeFile consistent with readFile wrt fd
  * http:
    + validate timeout in ClientRequest()
    + return HTTP 431 on HPE_HEADER_OVERFLOW error
    + switch default parser to llhttp
    + Runtime-deprecate outgoingMessage._headers and
      outgoingMessage._headerNames
  * lib:
    + remove Atomics.wake()
    + move DTRACE_* probes out of global scope
    + deprecate _stream_wrap
    + use ES6 class inheritance style
  * module:
    + remove unintended access to deps
    + improve error message for MODULE_NOT_FOUND
    + requireStack property for MODULE_NOT_FOUND
    + make require('.') never resolve outside the current directory
    + throw an error for invalid package.json main entries
    + don't search in require.resolve.paths
  * net:
    + remove Server.listenFD()
    + do not add .host and .port properties to DNS error
    + emit "write after end" errors in the next tick
    + deprecate _setSimultaneousAccepts() undocumented function
  * os:
    + implement os.type() using uv_os_uname()
    + remove os.getNetworkInterfaces()
  * process:
    + make global.process, global.Buffer getters
    + DEP0062 (node --debug) to end-of-life
    + exit on --debug and --debug-brk after option parsing
    + improve --redirect-warnings handling
  * readline: support TERM=dumb
  * repl:
    + add welcome message
    + fix terminal default setting
    + check colors with .getColorDepth()
    + deprecate REPLServer.rli
  * src:
    + update NODE_MODULE_VERSION to 72
    + remove AddPromiseHook()
    + remove icuDataDir from node config
    + clean up MultiIsolatePlatform interface
  * tls:
    + support TLSv1.3
    + return correct version from getCipher()
    + check arg types of renegotiate()
    + add code for ERR_TLS_INVALID_PROTOCOL_METHOD
    + emit a warning when servername is an IP address
    + disable TLS v1.0 and v1.1 by default
    + remove unused arg to createSecureContext()
    + deprecate Server.prototype.setOptions()
    + load NODE_EXTRA_CA_CERTS at startup
  * util:
    + remove util.print(), util.puts(), util.debug() and util.error()
    + change inspect compact and breakLength default
    + improve inspect edge cases
    + only the first line of the error message
    + don't set the prototype of callbackified functions
    + rename callbackified function
    + increase function length when using callbackify()
    + prevent tampering with internals in inspect()
    + prevent Proxy traps being triggered by .inspect()
    + prevent leaking internal properties
    + protect against monkeypatched Object prototype for inspect()
    + treat format arguments equally
  * zlib:
    + throw TypeError if callback is missing
    + make “bare” constants un-enumerable
  For detailed changelog, see
  https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V12.md

* Sun Apr 07 2019 Guillaume GARDET
- Add _constraints file to avoid OOM errors

* Wed Feb 13 2019 adam.majer@suse.de
- NodeJS 12.x branch created