pkgsrc-Changes archive
CVS commit: pkgsrc/lang/nodejs12
Module Name: pkgsrc
Committed By: adam
Date: Fri Sep 17 20:07:15 UTC 2021
Modified Files:
pkgsrc/lang/nodejs12: Makefile distinfo
Removed Files:
pkgsrc/lang/nodejs12/patches: patch-src_cares__wrap.cc
Log Message:
nodejs12: updated to 12.22.6
Version 12.22.6 'Erbium' (LTS)
This is a security release.
Notable Changes
These are vulnerabilities in the node-tar, arborist, and npm cli modules which are related to the initial reports and subsequent remediation of node-tar vulnerabilities CVE-2021-32803 and CVE-2021-32804. Subsequent internal security review of node-tar and additional external bounty reports have resulted in another 5 CVEs being remediated in core npm CLI dependencies including node-tar and npm arborist.
Version 12.22.5 'Erbium' (LTS)
This is a security release.
Notable Changes
CVE-2021-3672/CVE-2021-22931: Improper handling of untypical characters in domain names (High)
Node.js was vulnerable to Remote Code Execution, XSS, and application crashes due to missing input validation of hostnames returned by Domain Name Servers in the Node.js DNS library which can lead to the output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library. You can read more about it at https://nvd.nist.gov/vuln/detail/CVE-2021-22931.
CVE-2021-22930: Use after free on close http2 on stream canceling (High)
Node.js was vulnerable to a use after free attack where an attacker might be able to exploit memory corruption to change process behavior. This release includes a follow-up fix for CVE-2021-22930 as
the issue was not completely resolved by the previous fix. You can read more about it at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22930.
CVE-2021-22939: Incomplete validation of rejectUnauthorized parameter (Low)
If the Node.js HTTPS API was used incorrectly and "undefined" was passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted. You can read more about it at https://nvd.nist.gov/vuln/detail/CVE-2021-22939.
Version 12.22.4 'Erbium' (LTS)
This is a security release.
Notable Changes
CVE-2021-22930: Use after free on close http2 on stream canceling (High)
Node.js is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption to change process behavior. You can read more about it in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22930
To generate a diff of this commit:
cvs rdiff -u -r1.35 -r1.36 pkgsrc/lang/nodejs12/Makefile
cvs rdiff -u -r1.24 -r1.25 pkgsrc/lang/nodejs12/distinfo
cvs rdiff -u -r1.3 -r0 pkgsrc/lang/nodejs12/patches/patch-src_cares__wrap.cc
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: pkgsrc/lang/nodejs12/Makefile
diff -u pkgsrc/lang/nodejs12/Makefile:1.35 pkgsrc/lang/nodejs12/Makefile:1.36
--- pkgsrc/lang/nodejs12/Makefile:1.35 Tue Jul 6 07:04:11 2021
+++ pkgsrc/lang/nodejs12/Makefile Fri Sep 17 20:07:15 2021
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.35 2021/07/06 07:04:11 adam Exp $
+# $NetBSD: Makefile,v 1.36 2021/09/17 20:07:15 adam Exp $
-DISTNAME= node-v12.22.3
+DISTNAME= node-v12.22.6
EXTRACT_SUFX= .tar.xz
USE_LANGUAGES= c gnu++14
@@ -13,7 +13,7 @@ MAKE_ENV+= LD_LIBRARY_PATH=${PREFIX}/lib
CONFIGURE_ARGS+= --shared-brotli
CONFIGURE_ARGS+= --shared-nghttp2
# ICU 69.1: error: 'createInstance' is a private member of 'icu_69::ListFormatter'
-#CONFIGURE_ARGS+= --with-intl=system-icu
+CONFIGURE_ARGS+= --with-intl=system-icu
PYTHON_VERSIONS_ACCEPTED= 27
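Review bot: The comment `# ICU 69.1: error: 'createInstance' is a private member of 'icu_69::ListFormatter'` is left directly above the now-active `CONFIGURE_ARGS+= --with-intl=system-icu`, so the Makefile still documents a build failure for the option it enables. If 12.22.6 builds cleanly against the system ICU, drop the comment; if the failure can still occur with some ICU version, say which one so the next update knows what to test.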
@@ -29,7 +29,7 @@ CXXFLAGS+= -mstackrealign
.include "../../lang/nodejs/Makefile.common"
.include "../../archivers/brotli/buildlink3.mk"
-#.include "../../textproc/icu/buildlink3.mk"
+.include "../../textproc/icu/buildlink3.mk"
# Requires nghttp2_option_set_max_settings
BUILDLINK_API_DEPENDS.nghttp2+= nghttp2>=1.41.0
.include "../../www/nghttp2/buildlink3.mk"
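Review bot: Re-enabling `.include "../../textproc/icu/buildlink3.mk"` changes the package's dependencies, but the log message contains only the upstream release notes. Add a line to the log stating that the build switches back to the system ICU, so the dependency change can be found from the commit history.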
Index: pkgsrc/lang/nodejs12/distinfo
diff -u pkgsrc/lang/nodejs12/distinfo:1.24 pkgsrc/lang/nodejs12/distinfo:1.25
--- pkgsrc/lang/nodejs12/distinfo:1.24 Tue Jul 6 07:04:11 2021
+++ pkgsrc/lang/nodejs12/distinfo Fri Sep 17 20:07:15 2021
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.24 2021/07/06 07:04:11 adam Exp $
+$NetBSD: distinfo,v 1.25 2021/09/17 20:07:15 adam Exp $
-SHA1 (node-v12.22.3.tar.xz) = 0cb24e343ce26a96b20799ec234e5abe44985faa
-RMD160 (node-v12.22.3.tar.xz) = d9d6526d038c0789299e0dd8b25edd2a25c3a872
-SHA512 (node-v12.22.3.tar.xz) = 11684b6df15b6b74b8674ebf2c2bb950d1e52b83f90478638e85dd11a163dc7c62ae888bc4c1c29e89179e0c47fdccc26bee2817d64eb3ff926b2d3e648c351c
-Size (node-v12.22.3.tar.xz) = 23662268 bytes
+SHA1 (node-v12.22.6.tar.xz) = e91060181f5c34450aff5b3cb1f9ce02ce32fdd7
+RMD160 (node-v12.22.6.tar.xz) = 1578f89347c4dbb7e0f94494995b69bd5c4b0e26
+SHA512 (node-v12.22.6.tar.xz) = d107f1ff7073d2db9f0198f14b0523870e9b262c71055de2e03fba54f87bc98a57dad43d902c0b349957df21de71dc066133d4831eb7eb07f4e548d0ac724fb2
+Size (node-v12.22.6.tar.xz) = 23664904 bytes
SHA1 (patch-common.gypi) = a3fa3b5b974f910b3c8fea640ded4dca262e1ba8
SHA1 (patch-deps_cares_cares.gyp) = 22b44f2ac59963f694dfe4f4585e08960b3dec32
SHA1 (patch-deps_uv_common.gypi) = d38a9c8d9e3522f15812aec2f5b1e1e636d4bab3
@@ -17,7 +17,6 @@ SHA1 (patch-deps_v8_src_compiler_types.h
SHA1 (patch-deps_v8_src_zone_zone.h) = 651b49d242dac8f713cccc101147ccf61f828ecb
SHA1 (patch-deps_v8_tools_run-llprof.sh) = 39aa3faf77492ef8dd35b411b7b0e4605b469af3
SHA1 (patch-node.gypi) = 4a104dba6c22702211009bc60a6be6f87554e2fa
-SHA1 (patch-src_cares__wrap.cc) = 76a56a757ccaa81bb744890253e694333d66cb73
SHA1 (patch-src_inspector__agent.cc) = 2ec2a7be459648700488096f467a4ae6af5a9d91
SHA1 (patch-src_node__postmortem__metadata.cc) = 9938482d724ad6636af5dc3fa719ec26ed8539ff
SHA1 (patch-tools_gyp_pylib_gyp_generator_make.py) = be3cc1aaa85c3d59b6f2758df813cb5ad8d8f74e
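Review bot: The `patch-src_cares__wrap.cc` checksum line is removed here and the patch file is deleted, but the log message does not say why. State in the log whether the patch was merged upstream or no longer applies, so it is clear that whatever it fixed is still covered in 12.22.6.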