Changelog for nodejs16-devel-16.20.1-lp154.2.10.x86_64.rpm:

* Wed Jun 21 2023 Adam Majer
- Update to version 16.20.1 (security fixes only). The following CVEs are fixed in this release:
  * (CVE-2023-30581, bsc#1212574): mainModule.__proto__ Bypass Experimental Policy Mechanism (High)
  * (CVE-2023-30585, bsc#1212579): Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (Medium)
  * (CVE-2023-30588, bsc#1212581): Process interruption due to invalid Public Key information in x509 certificates (Medium)
  * (CVE-2023-30589, bsc#1212582): HTTP Request Smuggling via Empty headers separated by CR (Medium)
  * (CVE-2023-30590, bsc#1212583): DiffieHellman does not generate keys after setting a private key (Medium)
  * deps: update c-ares to 1.19.1: c-ares security issues fixed:
    + CVE-2023-32067. High. 0-byte UDP payload causes Denial of Service (bsc#1211604)
    + CVE-2023-31147. Moderate. Insufficient randomness in generation of DNS query IDs (bsc#1211605)
    + CVE-2023-31130. Moderate. Buffer Underwrite in ares_inet_net_pton() (bsc#1211606)
    + CVE-2023-31124. Low. AutoTools does not set CARES_RANDOM_FILE during cross compilation (bsc#1211607)
- fix_ci_tests.patch: increase default timeout on unit tests to 20min from 2min. This seems to have led to build failures on some platforms, like s390x in Factory. (bsc#1211407)

* Wed Apr 12 2023 Adam Majer - 16.20.0
- Update to LTS version 16.20.0
  * deps:
    + update undici to 5.20.0
    + update c-ares to 1.19.0
    + upgrade npm to 8.19.4 (bsc#1208744, CVE-2022-25881)
- legacy_python.patch, versioned.patch: refreshed

* Wed Feb 22 2023 Adam Majer
- Update to LTS version 16.19.1:
  * fixes permissions policies can be bypassed via process.mainModule (bsc#1208481, CVE-2023-23918)
  * fixes insecure loading of ICU data through ICU_DATA environment variable (bsc#1208487, CVE-2023-23920)
  * fixes OpenSSL error handling issues in nodejs crypto library (bsc#1208483, CVE-2023-23919)
  * updates undici to v5.19.1
    + Fetch API in Node.js did not protect against CRLF injection in host headers
    + Regular Expression Denial of Service in Headers in Node.js fetch API
    (bsc#1208413, bsc#1208485, CVE-2023-24807, CVE-2023-23936)

* Sat Dec 31 2022 Adam Majer
- Update to LTS version 16.19.0:
  * dgram: add dgram send queue info
  * cli: add --watch
- systemtap.patch: upstreamed, removed
- versioned.patch: refreshed

* Fri Dec 23 2022 Guillaume GARDET
- Update _constraints:
  * Less RAM for aarch64 and 32-bit arm
  * Use 'asimdrdm' cpu flag to use aarch64 workers where tests are more stable

* Tue Nov 29 2022 Adam Majer
- sle12_python3_compat.patch: only apply for older SLE12 codestreams where Python 3.6 is not available. Still workaround for bsc#1205568

* Wed Nov 23 2022 Adam Majer
- Workaround bug on SLE12SP5 during source unpack (bsc#1205568)

* Mon Nov 07 2022 Adam Majer
- Update to LTS version 16.18.1:
  * inspector: DNS rebinding in --inspect via invalid octal IP (bsc#1205119, CVE-2022-43548)
- Replace node-gyp for SLE12 with python 3.4 compatible gyp

* Thu Oct 13 2022 Adam Majer
- Update to LTS version 16.18.0:
  * http: throw error on content-length mismatch
  * stream: add ReadableByteStream.tee()
  * deps: npm updated to 8.19.2
- nodejs-libpath.patch, fix_ci_tests.patch, versioned.patch: refreshed
- undici_5.8.1.patch, undici_5.8.2.patch: upstreamed and removed
- systemtap.patch: upstream regression

* Mon Sep 26 2022 Adam Majer
- Update to Nodejs 16.17.1:
  * deps: llhttp updated to 6.0.9
    + CVE-2022-32213 bypass via obs-fold mechanic (bsc#1201325)
    + Incorrect Parsing of Multi-line Transfer-Encoding (CVE-2022-32215, bsc#1201327)
    + Incorrect Parsing of Header Fields (CVE-2022-35256, bsc#1203832)
  * crypto: fix weak randomness in WebCrypto keygen (CVE-2022-35255, bsc#1203831)

* Sat Sep 17 2022 Bruno Pitrus
- Skip test-fs-utimes-y2K38.js on armv6hl as well as armv7hl.

* Thu Aug 25 2022 Adam Majer
- undici_5.8.1.patch, undici_5.8.2.patch: update undici to 5.8.2 (bsc#1202382, CVE-2022-35949, bsc#1202383, CVE-2022-35948)

* Tue Aug 16 2022 Adam Majer
- enable crypto-policies for SLE15 SP4+ and TW (bsc#1200303)
- Update to LTS version 16.17.0:
  * deps: upgrade npm to 8.15.0
  * Improved interoperability of the Web Crypto API
  * Updated Undici to 5.8.0 (bsc#1201710, CVE-2022-31150)
  For full list of changes, see https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V16.md#16.17.0
- nodejs-libpath.patch, versioned.patch: refreshed patches

* Mon Jul 11 2022 Adam Majer
- Update to LTS version 16.16.0:
  * http: stricter Transfer-Encoding and header separator parsing (bsc#1201325, bsc#1201326, bsc#1201327, CVE-2022-32213, CVE-2022-32214, CVE-2022-32215)
  * src: fix IPv4 validation in inspector_socket (bsc#1201328, CVE-2022-32212)

* Thu Jun 23 2022 Ferdinand Thiessen
- Update to LTS version 16.15.1
  * upgrade npm to 8.11.0 (bsc#1200517, CVE-2022-29244)
- Update to LTS version 16.15.0
  * Add experimental support to the fetch API. This adds the `--experimental-fetch` flag that installs the fetch, Request, Response, Headers, and FormData globals.
  * Broken x32 support is removed
  * crypto: Add KeyObject.prototype.equals method
  * esm: support https remotely and http locally under flag
  * module: unflag esm jso
- rebased: nodejs-libpath.patch, npm_search_paths.patch, versioned.patch

* Wed Apr 13 2022 Adam Majer
- update to LTS release 16.14.2:
  * deps: upgrade openssl sources to OpenSSL_1_1_1n
- fix_ci_tests.patch: refreshed

* Wed Mar 16 2022 Adam Majer
- update to LTS release 16.14.1:
  * deps: upgrade npm to 8.5.0
  * http2: fix memory leak on nghttp2 hd threshold
- 42342.patch: upstreamed, dropped
- versioned.patch: refreshed

* Tue Mar 15 2022 Adam Majer
- 42342.patch: fix expired certificates in unit tests

* Thu Feb 17 2022 Adam Majer
- update to LTS release 16.14.0:
  * deps: upgrade npm to 8.1.4
  * child_process: add support for URL to cp.fork
  * fs: accept URL as argument for fs.rm and fs.rmSync
  * lib:
    + make AbortSignal cloneable/transferable
    + add AbortSignal.timeout
    + add reason to AbortSignal
    + add unsubscribe method to non-active DC channels
  * process: add getActiveResourcesInfo()
  * src:
    + add x509.fingerprint512 to crypto module
    + add flags for controlling process behavior
  * stream:
    + add map and filter methods to readable
    + deprecate thenable support
  * timers: add experimental scheduler api
  * util:
    + add numericSeparator to util.inspect
    + always visualize cause property in errors during inspection
    + pass through the inspect function to custom inspect functions
- npm_search_paths.patch, versioned.patch: refreshed

* Fri Jan 28 2022 Adam Majer
- Add buildtime version check to determine if we need patched openssl Requires: or already in upstream. (bsc#1192489)

* Tue Jan 18 2022 Adam Majer
- rsa-pss-revert.patch: dropped, since openssl updated with needed functionality

* Tue Jan 11 2022 Adam Majer
- update to 16.13.2: Security update fixing the following issues:
  * Improper handling of URI Subject Alternative Names (Medium) (CVE-2021-44531, bsc#1194511)
  * Certificate Verification Bypass via String Injection (Medium) (CVE-2021-44532, bsc#1194512)
  * Incorrect handling of certificate subject and issuer fields (Medium) (CVE-2021-44533, bsc#1194513)
  * Prototype pollution via console.table properties (Low) (CVE-2022-21824, bsc#1194514)

* Wed Jan 05 2022 Adam Majer
- fix_ci_tests.patch: fix tests on s390x

* Tue Jan 04 2022 Adam Majer
- rsa-pss-revert.patch: temporarily revert functionality requiring newer openssl

* Tue Dec 07 2021 Adam Majer
- Update to 16.13.1:
  * deps: upgrade npm to 8.1.2
  * lib: fix regular expression to detect `/` and `\`
- 40670.patch: upstreamed
- fix_ci_tests.patch: refreshed

* Thu Nov 25 2021 Guillaume GARDET
- Fix CXXFLAGS in Tumbleweed - boo#1192824

* Tue Nov 09 2021 Adam Majer
- BR python 3.6+

* Sat Nov 06 2021 Adam Majer
- Update to 16.13.0:
  * Experimental ESM Loader Hooks API https://github.com/nodejs/node/pull/37468
  * deps: upgrade npm to 8.1.0 (npm team)
  * vm: add support for import assertions in dynamic imports
- Changes in 16.11.1:
  * deps: update llhttp to 6.0.4
    - HTTP Request Smuggling due to spaced in headers (bsc#1191601, CVE-2021-22959)
    - HTTP Request Smuggling when parsing the body (bsc#1191602, CVE-2021-22960)
- Changes in 16.11.0:
  * deps: update nghttp2 to v1.45.1
- Changes in 16.10.0:
  * crypto: add rsa-pss keygen parameters
  * fs: make open and close stream override optional when unused
  * http: limit requests per connection
    The maximum number of requests a socket can handle before closing keep alive connection can be set with server.maxRequestsPerSocket.
  * src: add --no-global-search-paths cli option
  * stream: add signal support to pipeline generators
- Changes in 16.9.0:
  * Added support for corepack
  * crypto: add RSA-PSS params to asymmetricKeyDetails
  * module: support pattern trailers
  * stream: add stream.compose
- Changes in 16.8.0:
  * doc: deprecate type coercion for dns.lookup options
  * stream: add stream.Duplex.from utility and isDisturbed helper
  * util: expose toUSVString
- Changes in 16.7.0:
  * fs: experimental: add recursive cp method
- refreshed: fix_ci_tests.patch, flaky_test_rerun.patch, nodejs-libpath.patch, sle12_python3_compat.patch, versioned.patch, node_modules.tar.xz

* Tue Nov 02 2021 Dominique Leuenberger
- Add 40670.patch: test: fix test-datetime-change-notify after daylight change.

* Fri Oct 15 2021 Bernhard Voelker
- test-skip-y2038-on-32bit-time_t.patch: Add patch to skip the test 'test/parallel/test-fs-utimes-y2K38.js' which fails with a FP on platforms with 32-bit time_t.
- nodejs16.spec: Reference it.

* Thu Aug 12 2021 Adam Majer
- Update to 16.6.2:
  * CVE-2021-3672/CVE-2021-22931: Improper handling of untypical characters in domain names (bsc#1189370, bsc#1188881)
  * CVE-2021-22940: Use after free on close http2 on stream canceling (bsc#1189368)
  * CVE-2021-22939: Incomplete validation of rejectUnauthorized parameter (bsc#1189369)
  * deps: upgrade npm to 7.20.3
  * deps: revert ABI-breaking change from V8 9.2
  * module: fix ERR_REQUIRE_ESM error for null frames
- cares_public_headers.patch: don't use private headers

* Mon Aug 02 2021 Adam Majer
- Update to 16.6.0: http2: fixes use after free on close http2 on stream canceling (bsc#1188917, CVE-2021-22930)

* Thu Jul 22 2021 Adam Majer
- legacy_python.patch: fix building with python 3.4 in SLE-12

* Wed Jul 21 2021 Adam Majer
- Update to 16.5.0:
  * deps: upgrade npm to 7.19.1
  * fs: allow empty string for temp directory prefix
  * Node.js now exposes an experimental implementation of the Web Streams API

* Fri Jul 02 2021 Adam Majer
- Update to 16.4.1: deps: libuv upgrade - Out of bounds read (Medium) (bsc#1187973, CVE-2021-22918)

* Thu Jul 01 2021 Adam Majer
- node-gyp_7.1.2.tar.xz: for SLE-12, use latest node-gyp that is compatible with python 3.4

* Wed Jun 23 2021 Adam Majer
- Update to 16.4.0:
  * async_hooks: stabilize part of AsyncLocalStorage
  * deps:
    + upgrade npm to 7.18.1
    + update V8 to 9.1.269.36
  * dns: allow --dns-result-order to change default dns verbatim

* Mon Jun 21 2021 Andreas Schneider
- Allow building for Fedora in the OBS

* Fri Jun 04 2021 Dirk Müller
- update to 16.3.0:
  * add -C alias for --conditions flag
  * add workspaces support to npm install commands

* Mon May 31 2021 Adam Majer
- Use libalternatives instead of update-alternatives

* Thu May 20 2021 Adam Majer
- New upstream version 16.2.0:
  * async_hooks: use new v8::Context PromiseHook API
  * deps: npm updated to 7.13.0
  * lib: support setting process.env.TZ on windows
  * module: add support for URL to import.meta.resolve
  * process: add 'worker' event
  * util: add util.types.isKeyObject and util.types.isCryptoKey

* Wed May 05 2021 Adam Majer
- New upstream version 16.1.0 fs: allow no-params fsPromises fileHandle read

* Tue May 04 2021 Adam Majer
- New upstream version 16.0.0: For complete list of changes since 15.x, please see https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V16.md#16.0.0

* Wed Mar 17 2021 Adam Majer
- Import staging 16.x