Changelog for nodejs6-devel-6.17.1-15.18.x86_64.rpm:
* Mon Aug 10 2020 adam.majerAATTsuse.de
- Explicitly add -fno-strict-aliasing to CFLAGS to fix compilation on Aarch64 with gcc10 (bsc#1172686)
* Tue Jun 09 2020 adam.majerAATTsuse.de
- Add Require for nodejs6 when installing npm6. (bsc#1172728)
* Thu Jun 04 2020 adam.majerAATTsuse.de
- CVE-2020-8174.patch: napi: fix various types of memory corruption in napi_get_value_string_*() (CVE-2020-8174, bsc#1172443)
- minimist.patch: Fixes a vulnerability in an npm component (CVE-2020-7598, bsc#1166916)
* Mon May 04 2020 adam.majerAATTsuse.de
- Reduce Requires to Recommends on nodejs6-devel when installing npm6
* Fri Feb 07 2020 adam.majerAATTsuse.de
- CVE-2019-15604.patch: fixes a remotely triggerable assertion on a TLS server via a crafted certificate string (CVE-2019-15604, bsc#1163104)
- CVE-2019-15605.patch: fixes an HTTP request smuggling vulnerability via malformed Transfer-Encoding header (CVE-2019-15605, bsc#1163102)
- CVE-2019-15606.patch: trim HTTP header values of optional white space (CVE-2019-15606, bsc#1163103)
* Tue Jan 07 2020 guillaume.gardetAATTopensuse.org
- Really disable LTO when required (nodejs < 12)
* Thu Jan 02 2020 adam.majerAATTsuse.de
- Add npm.tar.xz - Update npm to 6.13.4 fixing an arbitrary path overwrite and access via "bin" field (bsc#1159352, CVE-2019-16777, CVE-2019-16776, CVE-2019-16775).
- CVE-2019-13173.patch - upstreamed
- refreshed: node-gyp-addon-gypi.patch, npm_search_paths.patch, versioned.patch
* Thu Oct 24 2019 adam.majerAATTsuse.de
- New upstream LTS release 6.17.1:
  * http: fix error check in Execute()
* Wed Oct 02 2019 normandAATTlinux.vnet.ibm.com
- Add _constraints for ppc64le to avoid build error
* Mon Jul 29 2019 adam.majerAATTsuse.de
- CVE-2019-13173.patch: fix potential file overwrite via hardlink in fstream.DirWriter() function (bsc#1140290, CVE-2019-13173)
* Thu Feb 28 2019 adam.majerAATTsuse.de
- New upstream LTS release 6.17.0:
  * deps: OpenSSL has been upgraded to 1.0.2r. Under certain circumstances, a TLS server can be forced to respond differently to a client if a zero-byte record is received with an invalid padding compared to a zero-byte record with an invalid MAC. This can be used as the basis of a padding oracle attack to decrypt data. (CVE-2019-1559, bsc#1127080)
  * http:
    + Backport server.keepAliveTimeout to prevent keep-alive HTTP and HTTPS connections remaining open and inactive for an extended period of time, leading to a potential Denial of Service (DoS). (CVE-2019-5739, bsc#1127533)
    + Further prevention of "Slowloris" attacks on HTTP and HTTPS connections by consistently applying the receive timeout set by server.headersTimeout to connections in keep-alive mode. (CVE-2019-5737, bsc#1127532)
* Fri Feb 01 2019 adam.majerAATTsuse.de
- nodejs.keyring: update keyring to today's list as per https://github.com/nodejs/node
* Mon Jan 07 2019 adam.majerAATTsuse.de
- Update upstream LTS release 6.16.0:
  * cli: add --max-http-header-size flag
  * http: add maxHeaderSize property
- Changes in LTS release 6.15.0:
  * debugger: prevent the debugger from listening on 0.0.0.0. It now defaults to 127.0.0.1. (CVE-2018-12120, bsc#1117625)
  * deps: Upgrade to OpenSSL 1.0.2q, fixing CVE-2018-0734 (bsc#1113652) and CVE-2018-5407 (bsc#1113534)
  * http:
    + Headers received by HTTP servers must not exceed 8192 bytes in total to prevent possible Denial of Service attacks. (CVE-2018-12121, bsc#1117626)
    + A timeout of 40 seconds now applies to servers receiving HTTP headers. This value can be adjusted with server.headersTimeout. Where headers are not completely received within this period, the socket is destroyed on the next received chunk. In conjunction with server.setTimeout(), this aids in protecting against excessive resource retention and possible Denial of Service. (CVE-2018-12122, bsc#1117627)
    + Two-byte characters are now strictly disallowed for the path option in HTTP client requests. Paths containing characters outside of the range \u0021 - \u00ff will now be rejected with a TypeError. This behavior can be reverted if necessary by supplying the --security-revert=CVE-2018-12116 command line argument (this is not recommended). (CVE-2018-12116, bsc#1117630)
  * util: Fix a bug that would allow a hostname being spoofed when parsing URLs with url.parse() with the 'javascript:' protocol. (CVE-2018-12123, bsc#1117629)
- skip_test_on_lowmem.patch: skip test on low-memory build machine
* Mon Nov 26 2018 adam.majerAATTsuse.de
- flaky_test_rerun.patch: Rerun failing tests in case of flakiness
* Mon Nov 12 2018 adam.majerAATTsuse.de
- env_shebang.patch: dropped in favour of programmatic update
* Mon Oct 01 2018 adam.majerAATTsuse.de
- fix_ci_tests.patch: Fix unit tests
* Mon Aug 20 2018 adam.majerAATTsuse.de
- New upstream LTS release 6.14.4:
  * buffer: Fix out-of-bounds (OOB) write in Buffer.write() for UCS-2 encoding (CVE-2018-12115, bsc#1105019)
  * deps: Upgrade to OpenSSL 1.0.2p, fixing:
    + Client DoS due to large DH parameter (CVE-2018-0732, bsc#1097158)
    + ECDSA key extraction via local side-channel
* Sun Jul 29 2018 jengelhAATTinai.de
- Ensure neutrality of description.
- Use %make_install.
* Fri Jun 15 2018 adam.majerAATTsuse.de
- Recommend same major version npm package (bsc#1097748)
* Thu Jun 14 2018 adam.majerAATTsuse.de
- New upstream LTS release 6.14.3:
  * buffer: Fixes Denial of Service vulnerability where calling Buffer.fill() could hang (CVE-2018-7167, bsc#1097375)
* Thu May 24 2018 adam.majerAATTsuse.de
- env_shebang.patch: use absolute paths in executable shebang lines
- versioned.patch: updated to move shebang modifications to above patch.
* Fri May 11 2018 adam.majerAATTsuse.de
- New upstream LTS release 6.14.2:
  * n-api: n-api has been backported to v6.x.
- icu_61_namespacefix.patch: Fix building with ICU61.1 (bsc#1091764)
- versioned.patch: rebased
* Thu Apr 05 2018 adam.majerAATTsuse.de
- Install license with %license, not %doc (bsc#1082318)
* Wed Apr 04 2018 adam.majerAATTsuse.de
- Fix some node-gyp permissions
* Tue Apr 03 2018 adam.majerAATTsuse.de
- New upstream LTS release 6.14.1:
  * Security fixes:
    + Fix for inspector DNS rebinding vulnerability (bsc#1087463, CVE-2018-7160)
    + Fix for 'path' module regular expression denial of service (bsc#1087459, CVE-2018-7158)
    + Reject spaces in HTTP Content-Length header values (bsc#1087453, CVE-2018-7159)
  * Upgrade to OpenSSL 1.0.2o
  * deps: upgrade http-parser to v2.8.0
* Thu Mar 22 2018 adam.majerAATTsuse.de
- New upstream LTS release 6.13.1:
  * http,tls: better support for IPv6 addresses
  * console: added console.count() and console.clear()
  * crypto:
    + expose ECDH class
    + added crypto.randomFill() and crypto.randomFillSync()
    + warn on invalid authentication tag length
  * deps: upgrade libuv to 1.16.1
  * dgram: added socket.setMulticastInterface()
  * http: add agent.keepSocketAlive and agent.reuseSocket as to allow overridable keep-alive behavior of Agent
  * lib: return this from net.Socket.end()
  * module: add builtinModules api that provides list of all builtin modules in Node
  * net: return this from getConnections()
  * promises: more robust stringification for unhandled rejections
  * repl: improve require() autocompletion
  * src:
    + add openssl-system-ca-path configure option
    + add --use-bundled-ca --use-openssl-ca check
    + add process.ppid
  * tls: accept lookup option for tls.connect()
  * tools,build: a new macOS installer!
  * url: WHATWG URL api support
  * util: add %i and %f formatting specifiers
- remove any old manpage files in %pre from before update-alternatives were used to manage symlinks to these manpages.
* Tue Feb 13 2018 adam.majerAATTsuse.de
- Add Recommends and BuildRequire on python2 for npm. node-gyp requires this old version of python for now. This is only needed for binary modules.
* Tue Jan 30 2018 roAATTsuse.de
- even on recent codestreams there is no binutils gold on s390 only on s390x
* Tue Jan 09 2018 adam.majerAATTsuse.de
- New upstream LTS release 6.12.3:
  * v8: profiler-related fixes
  * mostly documentation and test related changes
- nodejs-sle11-python26-check_output.patch: refreshed
* Fri Dec 22 2017 adam.majerAATTsuse.de
- Enable CI tests in %check target
  + fix_ci_tests.patch: - DNS queries in buildroots are failing with EAI_AGAIN - disable test-module-loading-globalpaths.js - we have hardcoded global paths
  + versioned.patch: call versioned node binary for tests
* Thu Dec 14 2017 adam.majerAATTsuse.de
- Dropped 8334.diff - no longer needed
* Sat Dec 09 2017 qantas94heavyAATTgmail.com
- New upstream LTS release 6.12.2:
  * deps/openssl: updated to 1.0.2n (only applies to SLE 12 SP1 and lower) (bsc#1072322) [ CVE-2017-3738 CVE-2017-15896 ]
- Changes in 6.12.1:
  * build: fix npm install with --shared [ gh#nodejs/node#16438 ]
  * build: building on systems with default Python 3 is now supported [ gh#nodejs/node#16058 ]
  * src: v8 options can be specified with either '_' or '-' in NODE_OPTIONS [ gh#nodejs/node#14093 ]
- Remove unnecessary curl BuildRequires
- Enable gold linker on s390x (TW and SLE/Leap 15)
- Build with bundled ICU if system ICU not available (only applies to SLE 11)
* Wed Nov 29 2017 qantas94heavyAATTgmail.com
- Change BuildRequires from openssl-devel to libopenssl-1_0_0-devel due to Tumbleweed/Leap 15 change to OpenSSL 1.1.0 as default
* Thu Nov 16 2017 adam.majerAATTsuse.de
- Update nodejs.keyring based on current Release Team as found on https://github.com/nodejs/node#release-team
* Mon Nov 13 2017 adam.majerAATTsuse.de
- Fix permissions of node-gyp. This should be executable to allow building of binary node modules.
* Mon Nov 13 2017 adam.majerAATTsuse.de
- New upstream LTS release 6.12.0:
  * assert: assert.fail() can now take one or two arguments
  * crypto: add sign/verify support for RSASSA-PSS
  * deps:
    + upgrade openssl sources to 1.0.2m [OpenSSL Security Advisory (bsc#1066242, bsc#1056058) CVE-2017-3735 CVE-2017-3736]
    + upgrade libuv to 1.15.0
  * fs: Add support for fs.write/fs.writeSync(fd, buffer, cb) and fs.write/fs.writeSync(fd, buffer, offset, cb) as documented
  * inspector: enable --inspect-brk
  * process: add --redirect-warnings command line argument
  * src:
    + allow CLI args in env with NODE_OPTIONS
    + --abort-on-uncaught-exception in NODE_OPTIONS
    + allow --tls-cipher-list in NODE_OPTIONS
    + use SafeGetenv() for NODE_REDIRECT_WARNINGS
  * test: remove common.fail()
- 0f3e69db.patch, icu59.patch: removed empty patches
- nodejs-libpath.patch: refreshed
* Wed Oct 25 2017 qantas94heavyAATTgmail.com
- New upstream LTS release 6.11.5:
  * zlib: (CVE-2017-14919: only affects TW) In zlib v1.2.9, a change was made that causes an exception to be thrown when a raw deflate stream is initialized with windowBits set to 8. Node.js will now gracefully set windowBits to 9 (replicating the legacy behavior) to avoid a DOS vector.
* Thu Oct 19 2017 adam.majerAATTsuse.de
- Replace {{node_version_major}} with RPM define %node_version_number for simpler spec file review.
- Make sure npm program remains executable
* Wed Oct 04 2017 adam.majerAATTsuse.de
- New upstream LTS release 6.11.4:
  * net: support passing undefined to listen() to match behavior in v4.x and v8.x
* Mon Sep 11 2017 qantas94heavyAATTgmail.com
- New upstream LTS release 6.11.3:
  * deps: Snapshots are turned back on!!! (#14385)
  * path: win32 volume-relative paths are working again! (#14440)
  * tools: v6.x can now build with ICU 59 (#12078)
- Drop icu59.patch: merged upstream.
- Refresh versioned.patch
* Thu Aug 17 2017 qantas94heavyAATTgmail.com
- New upstream LTS release 6.11.2
  * configure: add mips64el to valid_arch (#13620)
  * crypto: updated root certificates based on NSS 3.30 (#13279, #12402)
  * deps: upgrade OpenSSL to version 1.0.2.l (#12913)
  * http:
    + parse errors are now reported when NODE_DEBUG=http (#13206)
    + Agent constructor can now be invoked without new (#12927)
  * zlib: node will now throw an Error when zlib rejects the value of windowBits, instead of crashing (#13098)
- Drop 0f3e69db.patch: fixed upstream
* Wed Aug 02 2017 adam.majerAATTsuse.de
- Fix update-alternative handling in %postun - don't remove links on upgrades.
* Wed Jul 12 2017 adam.majerAATTsuse.de
- New upstream LTS release 6.11.1
  * v8: disable V8 snapshots. The hashseed embedded in the snapshot is currently the same for all runs of the binary. This opens node up to collision attacks which could result in a Denial of Service. We have temporarily disabled snapshots until a more robust solution is found. (bnc#1048299, CVE-2017-11499)
  * The c-ares function ares_parse_naptr_reply(), which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way. (CVE-2017-1000381, bnc#1044946)
* Fri Jul 07 2017 adam.majerAATTsuse.de
- Depend on nodejs-common that is then used to pick correctly versioned node or npm binary. This is required since 3rd party modules use `/usr/bin/env node` which breaks if multiple versions of NodeJS are installed at the same time and non-default version is used (for example, to compile a native module)
* Thu Jul 06 2017 adam.majerAATTsuse.de
- npm_search_paths.patch: Since concurrent installations are now possible, node manual pages are moved once again back under npm searchable locations only.
- versioned.patch: All files are now under versioned directories and names. node and npm symlinks are now managed by update-alternatives
- node-gyp-addon-gypi.patch: Reference versioned directories only
* Tue Jun 13 2017 adam.majerAATTsuse.de
- New upstream LTS release 6.11.0
  * added support for building mips64el
  * cluster:
    + disconnect() now returns a reference to the disconnected worker.
  * crypto:
    + ability to select cert store at runtime
    + Use system CAs instead of using bundled ones (obsoletes 8334.diff)
    + The Decipher methods setAuthTag() and setAAD now return this
    + adding support for OPENSSL_CONF again
    + make LazyTransform compatible with Streams1
  * deps:
    + upgrade libuv to 1.11.0
  * dns:
    + Implemented {ttl: true} for resolve4() and resolve6().
  * process:
    + add NODE_NO_WARNINGS environment variable
  * readline:
    + add option to stop duplicates in history
  * src:
    + support "--" after "-e" as end-of-options
  * tls:
    + new tls.TLSSocket() supports sec ctx options
    + Allow obvious key/passphrase combinations.
- Fix typo in node-gyp-addon-gypi.patch patch
- Refresh icu59.patch
* Tue May 30 2017 adam.majerAATTsuse.de
- 0f3e69db.patch, icu59.patch: backported GCC 7 compilation fixes for v8 backported and add missing ICU59 includes (bnc#1041282)
* Tue May 23 2017 adam.majerAATTsuse.de
- New upstream LTS release 6.10.3
  * v8:
    + Trigger OOM crash on memory allocation errors
    + Don't treat catch scopes as possibly-shadowing for sloppy eval
  * lib: fix event race condition with -e
  * src: fix base64 decoding in rare edge case
  * tls:
    + fix segfault on destroy after partial read
    + keep track of stream that is closed
    + fix macro to check NPN feature
- nodejs-libpath.patch: updated
* Wed Apr 05 2017 qantas94heavyAATTgmail.com
- New upstream LTS release 6.10.2
  * crypto: fix memory leak if certificate is revoked (#12089)
  * deps: backport V8 fixes for spread syntax regression causing segfaults (#12037)
- Changes not applicable to openSUSE in 6.10.2:
  * deps: upgrade zlib to 1.2.11 (#10980)
  * repl: revert commit that broke REPL display on Windows (#12123)
- Changes in LTS release 6.10.1
  * performance: The performance of several APIs has been improved.
    + Buffer.compare() is up to 35% faster on average.
    + buffer.toJSON() is up to 2859% faster on average.
    + fs.*statSync() functions are now up to 9% faster on average.
    + os.loadavg is up to 151% faster.
    + process.memoryUsage() is up to 34% faster.
    + querystring.unescape() for Buffers is 15% faster on average.
    + querystring.stringify() is up to 7.8% faster on average.
    + querystring.parse() is up to 21% faster on average.
  * IPC: Batched writes have been enabled for process IPC on platforms that support Unix Domain Sockets. Performance gains may be up to 40% for some workloads.
  * child_process: spawnSync now returns a null status when child is terminated by a signal. This fixes the behavior to act like spawn() does.
  * http: Control characters are now always rejected when using http.request(). Debug messages have been added for cases when headers contain invalid values.
  * node: Heap statistics now support values larger than 4GB.
  * timers: Timer callbacks now always maintain order when interacting with domain error handling.
* Sun Feb 26 2017 qantas94heavyAATTgmail.com
- New upstream LTS release 6.10.0
  * crypto: allow adding extra certs to well-known CAs
  * deps: upgrade INTL ICU to version 58
  * fs: cache non-symlinks in realpathSync
  * process: add process.memoryUsage().external
  * repl: allow autocompletion for scoped packages
  * src: add wrapper for process.emitWarning()
- Modify 8334.diff:
  * Remove merged reference counting code (#9409)
  * Bring patch in line with upstream changes (#8334)
* Fri Feb 03 2017 adam.majerAATTsuse.de
- New upstream LTS release 6.9.5
  * deps: upgrade openssl sources to 1.0.2k (CVE-2017-3731, CVE-2017-3732, CVE-2016-7055, bnc#1022085, bnc#1022086, bnc#1009528)
- No changes in LTS release 6.9.4
- Adjusted 8334.diff to be in line with accepted changes
* Fri Jan 06 2017 qantas94heavyAATTgmail.com
- Add basic check that Node.js loads successfully to spec file
* Wed Jan 04 2017 qantas94heavyAATTgmail.com
- New upstream LTS release 6.9.3
  * build: shared library support is now working for AIX builds
  * deps/npm: upgrade npm to 3.10.10
  * deps/V8: destructuring of arrow function arguments via computed property no longer throws
  * inspector: /json/version returns object, not an object wrapped in an array
  * module: using --debug-brk and --eval together now works as expected
  * process: improve performance of nextTick up to 20%
  * repl: the division operator will no longer be accidentally parsed as regex
  * repl: improved support for generator functions
  * timers: recanceling a cancelled timer will no longer throw
* Fri Dec 09 2016 qantas94heavyAATTgmail.com
- New upstream LTS version 6.9.2
  * buffer: coerce slice parameters consistently
  * deps/npm: upgrade npm to 3.10.9
  * deps/V8: Various fixes to destructuring edge cases
    + cherry-pick 3c39bac from V8 upstream
    + cherry pick 7166503 from upstream v8
  * gtest: the test reporter now outputs tap comments as yamlish
  * inspector: inspector now prompts user to use 127.0.0.1 rather than localhost
  * tls: fix memory leak when writing data to TLSWrap instance during handshake
- Modify 8334.diff:
  * ported and updated system CA store for the new node crypto code
* Wed Nov 23 2016 adam.majerAATTsuse.de
- Add missing conflicts to base package. It's not possible to have concurrent nodejs installations.
* Fri Nov 18 2016 adam.majerAATTsuse.de
- Package unification across various branches of NodeJS. Package for 4.x, 6.x and current (7.x) branches of NodeJS are now handled via GitHub repository.
- NodeJS 6.x LTS package, based on NodeJS 4.x LTS layout. All NodeJS packages are interchangeable. (FATE #321373)
* Mon Nov 07 2016 adam.majerAATTsuse.de
- Add versioned dependencies for unbundling of c-ares and icu libraries
- SLE12 can have unbundled libicu
* Wed Nov 02 2016 qantas94heavyAATTgmail.com
- Fork package devel:languages:nodejs/nodejs
- Remove support-arm64-build.patch (not necessary for aarch64 build)
- Use system library versions of c-ares and ICU where supported
- Remove /usr/{lib,lib64}/node_modules from global module paths
  * This is deprecated behaviour that was caused by an incorrect patch in devel:languages:nodejs/nodejs almost 6 months ago (boo#985350)
- Modify nodejs-libpath.patch
  * Move /usr/lib64/node_modules to %{_libexecpath} as npm isn't architecture dependent (only npm itself is stored there)
- Remove nodejs-libpath64.patch
- Use separate .sig file instead of .asc file for source verification
- Use exec instead of xargs to remove files in install script