SEARCH
NEW RPMS
DIRECTORIES
ABOUT
FAQ
VARIOUS
BLOG

 
 
Changelog for nodejs14-14.21.3-lp154.12.1.x86_64.rpm :

* Thu Apr 11 2024 Adam Majer - CVE-2024-27983.patch - Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash- (High) (bsc#1222244, CVE-2024-27983)- CVE-2024-27982.patch - HTTP Request Smuggling via Content Length Obfuscation- (Medium) (bsc#1222384, CVE-2024-27982)- updated dependencies: + llhttp version 6.1.1- CVE-2024-22025.patch - test timeout adjustment
* Tue Feb 20 2024 Adam Majer
* CVE-2023-46809.patch: Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) - (Medium) (CVE-2023-46809, bsc#1219997)
* CVE-2024-22019.patch: http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks- (High) (CVE-2024-22019, bsc#1219993)
* CVE-2024-22025.patch: fix Denial of Service by resource exhaustion in fetch() brotli decoding (CVE-2024-22025, bsc#1220014)
* CVE-2024-24806.patch: fix improper domain lookup that potentially leads to SSRF attacks (CVE-2024-24806, bsc#1220053)
* Tue Oct 24 2023 Adam Majer - CVE-2023-38552.patch: Integrity checks according to policies can be circumvented (CVE-2023-38552, bsc#1216272)- CVE-2023-44487.patch: nghttp2 Security Release (CVE-2023-44487, bsc#1216190)- nodejs.keyring: include new releaser keys- newicu_test_fixup.patch: workaround whitespaces funnies in some icu versions
* Fri Aug 11 2023 Adam Majer
* CVE-2023-32002.patch: + fixes policies can be bypassed via Module._load + fixes policies can be bypassed by module.constructor.createRequire (CVE-2023-32002, CVE-2023-32006, bsc#1214150, bsc#1214156)
* CVE-2023-32559.patch: Policies can be bypassed via process.binding (CVE-2023-32559, bsc#1214154)
* Fri Aug 04 2023 Adam Majer - CVE-2023-30581.patch: fixes mainModule.__proto__ Bypass Experimental Policy Mechanism (CVE-2023-30581, bsc#1212574)- CVE-2023-30589.patch: HTTP Request Smuggling via empty headers separated by CR (CVE-2023-30589, bsc#1212582)- CVE-2023-30590.patch: DiffieHellman does not generate keys after setting a private key (CVE-2023-30590, bsc#1212583)
* Thu Apr 13 2023 Adam Majer - CVE-2022-25881.patch: http-cache-semantics(npm): Don\'t use regex to trim whitespace (bsc#1208744, CVE-2022-25881)
* Tue Feb 21 2023 Adam Majer - Update to 14.21.3:
* fixes permissions policies can be bypassed via process.mainModule (bsc#1208481, CVE-2023-23918)
* fixes insecure loading of ICU data through ICU_DATA environment variable (bsc#1208487, CVE-2023-23920)
* deps: update npm to 6.14.18 + CVE-2021-44907.patch: upstreamed and removed- BR: python 3.6
* Sat Dec 31 2022 Adam Majer - Update to 14.21.2:
* http2: fix memory leak when nghttp2 hd threshold is reached
* Fri Dec 23 2022 Guillaume GARDET - Update _constraints:
* Less RAM for aarch64 and 32-bit arm
* Use \'asimdrdm\' cpu flag to use aarch64 workers where tests are more stable
* Mon Nov 07 2022 Adam Majer - Update to 14.21.1:
* inspector: DNS rebinding in --inspect via invalid octal IP (bsc#1205119, CVE-2022-43548)
* Wed Nov 02 2022 Adam Majer - Update to 14.21.0:
* src: add --openssl-shared-config option
* Mon Sep 26 2022 Adam Majer - Update to 14.20.1:
* deps: update llhttp to 2.1.6: + CVE-2022-32213 bypass via obs-fold mechanic (bsc#1201325) + Incorrect Parsing of Header Fields (CVE-2022-35256, bsc#1203832)
* Sat Sep 17 2022 Bruno Pitrus - Skip test-fs-utimes-y2K38.js on armv6hl as well as armv7hl.
* Mon Jul 11 2022 Adam Majer - Update to 14.20.0:
* http: stricter Transfer-Encoding and header separator parsing (bsc#1201325, bsc#1201326, bsc#1201327, CVE-2022-32213, CVE-2022-32214, CVE-2022-32215)
* src: fix IPv4 validation in inspector_socket (bsc#1201328, CVE-2022-32212)
* Tue Jun 28 2022 Adam Majer - Update to 14.19.3:
* Upgrade npm to v6.14.17- obsoleted and removed: CVE-2021-3807.patch, CVE-2021-44906.patch- refreshed: versioned.patch
* Wed Apr 20 2022 Adam Majer Update to 14.19.1:
* deps: upgrade openssl sources to 1.1.1n (bsc#1196877, CVE-2022-0778) Infinite loop in BN_mod_sqrt() reachable when parsing certificates More details at https://www.openssl.org/news/secadv/20220315.txt- CVE-2021-44906.patch: fix prototype pollution in npm dependency (bsc#1198247, CVE-2021-44906)- CVE-2021-44907.patch: fix insuficient sanitation in npm dependency (bsc#1197283, CVE-2021-44907)- CVE-2022-0235.patch: fix passing of cookie data and sensitive headers to different hostnames in node-fetch-npm (bsc#1194819, CVE-2022-0235)
* Wed Feb 16 2022 Adam Majer - update to 14.19.0:
* crypto: make FIPS related options always available
* deps: deps: upgrade npm to 6.14.16 + CVE-2021-23343 - ReDoS via splitDeviceRe, splitTailRe and splitPathRe (bsc#1192153) + CVE-2021-32803 - node-tar: Insufficient symlink protection allowing arbitrary file creation and overwrite (bsc#1191963) + CVE-2021-32804 - node-tar: Insufficient absolute path sanitization allowing arbitrary file creation and overwrite (bsc#1191962) + CVE-2021-3918 - json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes (bsc#1192696)
* module: support pattern trailers
* src: make napi_create_reference accept symbol- CVE-2021-3807.patch: node-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes (bsc#1192154, CVE-2021-3807)- versioned.patch, nodejs-libpath.patch: refreshed
* Wed Jan 12 2022 Adam Majer - z15-test-skip.patch: dropped, no longer required- fix_ci_tests.patch: update tests for z15
* Tue Jan 11 2022 Adam Majer - update to 14.18.3: Security update fixing the following issues:
* Improper handling of URI Subject Alternative Names (Medium) (CVE-2021-44531, bsc#1194511)
* Certificate Verification Bypass via String Injection (Medium) (CVE-2021-44532, bsc#1194512)
* Incorrect handling of certificate subject and issuer fields (Medium) (CVE-2021-44533, bsc#1194513)
* Prototype pollution via console.table properties (Low) (CVE-2022-21824, bsc#1194514)
* Thu Dec 16 2021 Adam Majer - update to 14.18.2:
* lib: fix regular expression to detect `/` and `\\`
* worker: avoid potential deadlock on NearHeapLimit- sle12_python3_compat.patch: refreshed
* Thu Nov 25 2021 Guillaume GARDET - Fix CXXFLAGS in Tumbleweed - boo#1192824
* Tue Nov 09 2021 Adam Majer - update to 14.18.1:
* deps: update llhttp to 2.1.4 - HTTP Request Smuggling due to spaced in headers (bsc#1191601, CVE-2021-22959) - HTTP Request Smuggling when parsing the body (bsc#1191602, CVE-2021-22960)- changes in 14.18.0:
* buffer: + introduce Blob + add base64url encoding option
* child_process: + allow options.cwd receive a URL + add timeout to spawn and fork + allow promisified exec to be cancel + add \'overlapped\' stdio flag
* dns: add \"tries\" option to Resolve options
* fs: + allow empty string for temp directory prefix + allow no-params fsPromises fileHandle read + add support for async iterators to fsPromises.writeFile
* http2: add support for sensitive headers
* process: add \'worker\' event
* tls: allow reading data into a static buffer
* worker: add setEnvironmentData/getEnvironmentData- changes in 14.17.6:
* deps: upgrade npm to 6.14.15 which fixes a number of security issues (bsc#1190057, CVE-2021-37701, bsc#1190056, CVE-2021-37712, bsc#1190055, CVE-2021-37713, bsc#1190054, CVE-2021-39134, bsc#1190053, CVE-2021-39135)- test-skip-y2038-on-32bit-time_t.patch: fix test failure when 64-bit time_t is used on 32-bit arches- refreshed patches: versioned.patch, flaky_test_rerun.patch- PR39011.patch: upstreamed
* Thu Aug 12 2021 Adam Majer - update to 14.17.5:
* CVE-2021-3672/CVE-2021-22931: Improper handling of untypical characters in domain names (bsc#1189370, bsc#1188881)
* CVE-2021-22940: Use after free on close http2 on stream canceling (bsc#1189368)
* CVE-2021-22939: Incomplete validation of rejectUnauthorized parameter (bsc#1189369)- cares_public_headers.patch: don\'t use private headers
* Mon Aug 09 2021 Adam Majer - z15-test-skip.patch: skip problematic test on s390x
* Mon Aug 02 2021 Adam Majer - update to 14.17.4: http2: fixes use after free on close http2 on stream canceling (bsc#1188917, CVE-2021-22930)- old_icu.patch: merged, removed- versioned.patch: updated- node_modules.tar.xz: refreshed- PR39011.patch: use localhost instead of remote for unit test
* Fri Jul 02 2021 Adam Majer - update to 14.17.2: deps: libuv upgrade - Out of bounds read (Medium) (bsc#1187973, CVE-2021-22918)- old_icu.patch: update with upstream\'s patch from https://github.com/nodejs/node/pull/39068- specfile cleanup
* Thu Jun 17 2021 Adam Majer - update to 14.17.1:
* deps: update ICU to 69.1
* errors: align source-map stacks with spec- Fix-build-with-icu-69.patch: upstreamed
* Fri Jun 04 2021 Dirk Müller - update to 14.17.0:
* Experimental support for AbortController and AbortSignal
* Diagnostics channel (experimental module)
* UUID support in the crypto module
* update ICU to 68.1
* upgrade to libuv 1.41.0
* deps: npm update to 6.14.13 ssri Regular Expression Denial of Service and hosted-git-info Regular Expression Denial of Service (bsc#1187976, bsc#1187977, CVE-2021-27290, CVE-2021-23362)- add Fix-build-with-icu-69.patch: fix build with icu 69
* Mon May 31 2021 Adam Majer - Use libalternatives instead of update-alternatives
* Wed Apr 07 2021 Adam Majer - New upstream LTS version 14.16.1:
* CVE-2020-7774: npm upgrade - Update y18n to fix Prototype-Pollution (High) This is a vulnerability in the y18n npm module which may be exploited by prototype pollution. You can read more about it in https://github.com/advisories/GHSA-c4w7-xm78-47vh (bsc#1184450)
* deps: upgrade npm to 6.14.12- versioned.patch: refreshed
* Tue Feb 23 2021 Adam Majer - New upstream LTS version 14.16.0:
* CVE-2021-22883: HTTP2 \'unknownProtocol\' cause Denial of Service by resource exhaustion (bsc#1182619)
* CVE-2021-22884: DNS rebinding in --inspect (bsc#1182620)
* Wed Feb 17 2021 Adam Majer - New upstream LTS version 14.15.5:
* deps: + upgrade npm to 6.14.11 + V8: backport dfcf1e86fac0 #37245 Note: Node.js is not believed to be vulnerable to CVE-2021-21148
* stream,zlib: do not use _stream_
* anymore- relax OpenSSL cipher suite policies for unit tests
* Mon Jan 04 2021 Adam Majer - New upstream LTS version 14.15.4:
* CVE-2020-8265: use-after-free in TLSWrap (High) bug in TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits (bsc#1180553)
* CVE-2020-8287: HTTP Request Smuggling allow two copies of a header field in a http request. For example, two Transfer-Encoding header fields. In this case Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling (https://cwe.mitre.org/data/definitions/444.html). (bsc#1180554)
* Mon Dec 21 2020 Adam Majer - New upstream LTS version 14.15.3:
* deps: + upgrade npm to 6.14.9 + update acorn to v8.0.4
* http2: check write not scheduled in scope destructor
* stream: fix regression on duplex end- versioned.patch, sle12_python3_compat.patch: refreshed
* Mon Nov 30 2020 Adam Majer - openssl_binary_detection.patch: fixes unit tests on SLE12
* Mon Nov 23 2020 Adam Majer - Update Requires: so -devel requires npm- Rely on rpmbuild to define necessary python dependencies
* Thu Nov 19 2020 Adam Majer - New upstream LTS version 14.15.1:
* deps: Denial of Service through DNS request (High). A Node.js application that allows an attacker to trigger a DNS request for a host of their choice could trigger a Denial of Service by getting the application to resolve a DNS record with a larger number of responses (bsc#1178882, CVE-2020-8277)
* Thu Oct 29 2020 Adam Majer - Update to LTS version 14.15.0: (jsc#SLE-15774)
* no major changes
* test: reverts marking test-webcrypto-encrypt-decrypt-aes flaky
* Tue Oct 20 2020 Adam Majer - Use SLE OpenSSL version with 12-SP4+, and not just 12-SP5+- Bump mininum ICU version to 65
* Fri Oct 16 2020 Adam Majer - Update to version 14.14.0:
* fs: add rm method
* http: allow passing array of key/val into writeHead
* src: expose v8::Isolate setup callbacks- sle12_python3_compat.patch: refreshed
* Thu Oct 08 2020 Adam Majer - Update to version 14.13.1:
* fs: rmdir recursive is no longer considered experimental- fix_ci_tests.patch: add support to SUSE\'s ECDH backport errors in SLE\'s openssl
* Tue Oct 06 2020 Adam Majer - Update to version 14.13.0:
* deps: upgrade to libuv 1.40.0 #35333
* module: named exports for CJS via static analysis #35249
* module: exports pattern support #34718
* src: allow N-API addon in AddLinkedBinding()
* Thu Sep 24 2020 Adam Majer - Update to version 14.12.0:
* n-api: + create N-API version 7 + add more property defaults- Changes since version 14.9.0
* deps: + update llhttp to 2.1.2 (bsc#1176605, CVE-2020-8201) + http: add requestTimeout. Fixes Denial of Service by resource exhaustion due to unfinished HTTP/1.1 requests (bsc#1176604, CVE-2020-8251) + buffer: also alias BigUInt methods + crypto: add randomInt function + perf_hooks: add idleTime and event loop util + stream: simpler and faster Readable async iterator + stream: save error in state
* Wed Sep 02 2020 Adam Majer - old_icu.patch: re-add support for ICU 65 from SLE15 SP2- fix_ci_tests.patch: move debug symbol strip for testing to the Makefile
* Fri Aug 28 2020 Adam Majer - Update to version 14.9.0:
* build: set --v8-enable-object-print by default (Mary Marchini) #34705
* deps: + upgrade to libuv 1.39.0 (cjihrig) #34915 + upgrade npm to 6.14.8 (Ruy Adorno) #34834 + V8: cherry-pick e06ace6b5cdb (Anna Henningsen) #34673
* n-api: handle weak no-finalizer refs correctly (Gabriel Schulhof) #34839
* tools: add debug entitlements for macOS 10.15+ (Gabriele Greco) #34378- Changes in version 14.8.0:
* async_hooks: add AsyncResource.bind utility (James M Snell) #34574
* deps: update to uvwasi 0.0.10 (Colin Ihrig) #34623
* module: unflag Top-Level Await (Myles Borins) #34558
* n-api: support type-tagging objects (Gabriel Schulhof) #28237
* n-api,src: provide asynchronous cleanup hooks (Anna Henningsen) #34572- versioned.patch: refreshed- linker_lto_jobs.patch: refreshed
* Mon Aug 10 2020 Adam Majer - Explicitly add -fno-strict-aliasing to CFLAGS to fix compilation on Aarch64 with gcc10 (bsc#1172686)
* Mon Aug 03 2020 Adam Majer - Update to version 14.7.0:
* deps: upgrade npm to 6.14.7
* dgram: add IPv6 scope id suffix to received udp6 dgrams
* src: + allow preventing SetPromiseRejectCallback #34387 + allow setting a dir for all diagnostic output #33584
* worker: make MessagePort inherit from EventTarget #34057
* zlib: switch to lazy init for zlib streams (Andrey Pechkurov) #34048
* Tue Jul 28 2020 Dirk Mueller - avoid rpmbuild warnings on if/else/endif constructs
* Wed Jul 22 2020 Adam Majer - Update to version 14.6.0:
* deps: + upgrade to libuv 1.38.1 + upgrade npm to 6.14.6 fixing information leak through log files (bsc#1173937, CVE-2020-15095) + update V8 to 8.4.371.19
* module: + doc only deprecation of module.parent + package \"imports\" field
* src: allow embedders to disable esm loader
* tls: make \'createSecureContext\' honor more options
* vm: add run-after-evaluate microtask mode
* worker: add option to track unmanaged file descriptors- versioned.patch - refreshed
* Thu Jul 02 2020 Adam Majer - Update to version 14.5.0:
* deps: V8 engine is updated to version 8.3. For details, see https://v8.dev/blog/v8-release-83
* events: experimental implementation of EventTarget For details, see https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V14.md#14.5.0- sle12_python3_compat.patch: refreshed- fix_ci_tests.patch: refreshed
* Tue Jun 09 2020 Adam Majer - Add Require for nodejs14 when intalling npm14. (bsc#1172728)
* Thu Jun 04 2020 Adam Majer - Update to version 14.4.0:
* napi: fix various types of memory corruption in napi_get_value_string_
*() (CVE-2020-8174, bsc#1172443)
* http2: fix HTTP/2 Large Settings Frame DoS (CVE-2020-11080, bsc#1172442)
* TLS session reuse can lead to host certificate verification bypass (CVE-2020-8172, bsc#1172441)
* Fri May 29 2020 Adam Majer - Update to version 14.3.0:
* repl: previews improvements with autocompletion
* it\'s now possible to use the await keyword outside of async functions, with the --experimental-top-level-await flag- Changes in version 14.2.0:
* console: Support for console constructor groupIndentation options- skip_no_console.patch: refreshed- versioned.patch, fix_ci_tests.patch: refreshed
* Thu Apr 30 2020 Adam Majer - Update to version 14.1.0:
* deps: upgrade openssl sources to 1.1.1g (SLE-12 only)
* http: doc deprecate abort and improve docs
* module: do not warn when accessing __esModule of unfinished exports
* n-api: detect deadlocks in thread-safe function
* src: deprecate embedder APIs with replacements
* stream: + don\'t emit end after close + don\'t wait for close on legacy streams + pipeline should only destroy un-finished streams
* vm: add importModuleDynamically option to compileFunction skip_no_console.patch: add more unit tests that fail on dumb terminals
* Mon Apr 27 2020 Adam Majer - Initial version 14.0.0 Deprecations
* crypto: move pbkdf2 without digest to EOL
* fs: deprecate closing FileHandle on garbage collection
* http: move OutboundMessage.prototype.flush to EOL
* lib: move GLOBAL and root aliases to EOL
* os: move tmpDir() to EOL
* src: remove deprecated wasm type check
* stream: move _writableState.buffer to EOL
* doc: deprecate process.mainModule
* doc: deprecate process.umask() with no arguments For a detailed list of changes, see https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V14.md#14.0.0
 
ICM