import UBI nodejs-20.11.1-1.module+el9.3.0+21385+bac43d5a
parent
c3453334f8
commit
0057e6dce1
4
.gitignore
vendored
4
.gitignore
vendored
@ -1,6 +1,6 @@
|
||||
SOURCES/cjs-module-lexer-1.2.2.tar.gz
|
||||
SOURCES/icu4c-73_2-src.tgz
|
||||
SOURCES/node-v20.11.0-stripped.tar.gz
|
||||
SOURCES/undici-5.27.2.tar.gz
|
||||
SOURCES/node-v20.11.1-stripped.tar.gz
|
||||
SOURCES/undici-5.28.3.tar.gz
|
||||
SOURCES/wasi-sdk-11.0-linux.tar.gz
|
||||
SOURCES/wasi-sdk-16.0-linux.tar.gz
|
||||
|
@ -1,6 +1,6 @@
|
||||
b0a91341ecf6c68a9d59a1c57d000fbbcc771679 SOURCES/cjs-module-lexer-1.2.2.tar.gz
|
||||
3d94969b097189bf5479c312d9593d2d252f5a73 SOURCES/icu4c-73_2-src.tgz
|
||||
8b62ac9e63c605f9942a0bee294c8a98c1ca63ba SOURCES/node-v20.11.0-stripped.tar.gz
|
||||
af3eca3508a818ea8e5829b2a4104f5ef7ddd5e2 SOURCES/undici-5.27.2.tar.gz
|
||||
59aed60100c3d6373c218378ccc8e03eb26cc1e5 SOURCES/node-v20.11.1-stripped.tar.gz
|
||||
b598f79f4706fe75c31ff2a214e50acc04c4725a SOURCES/undici-5.28.3.tar.gz
|
||||
ff114dd45b4efeeae7afe4621bfc6f886a475b4b SOURCES/wasi-sdk-11.0-linux.tar.gz
|
||||
fbe01909bf0e8260fcc3696ec37c9f731b5e356a SOURCES/wasi-sdk-16.0-linux.tar.gz
|
||||
|
@ -1,15 +1,77 @@
|
||||
FIPS related options cause a segfault, let's end sooner
|
||||
From 98738d27288bd9ca634e29181ef665e812e7bbd3 Mon Sep 17 00:00:00 2001
|
||||
From: Michael Dawson <midawson@redhat.com>
|
||||
Date: Fri, 23 Feb 2024 13:43:56 +0100
|
||||
Subject: [PATCH] Disable FIPS options
|
||||
|
||||
On RHEL, FIPS should be configured only on system level.
|
||||
Additionally, the related options may cause segfault when used on RHEL.
|
||||
|
||||
This patch causes the option processing to end sooner
|
||||
than the problematic code gets executed.
|
||||
Additionally, the JS-level options to mess with FIPS settings
|
||||
are similarly disabled.
|
||||
|
||||
Upstream report: https://github.com/nodejs/node/pull/48950
|
||||
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=2226726
|
||||
Customer case: https://access.redhat.com/support/cases/#/case/03711488
|
||||
|
||||
This patch makes the part of the code that processes cmd-line options for
|
||||
FIPS to end sooner before the code gets to the problematic part of the code.
|
||||
Signed-off-by: rpm-build <rpm-build>
|
||||
---
|
||||
lib/crypto.js | 10 ++++++++++
|
||||
lib/internal/errors.js | 6 ++++++
|
||||
src/crypto/crypto_util.cc | 2 ++
|
||||
3 files changed, 18 insertions(+)
|
||||
|
||||
diff -up node-v18.16.1/src/crypto/crypto_util.cc.origfips node-v18.16.1/src/crypto/crypto_util.cc
|
||||
--- node-v18.16.1/src/crypto/crypto_util.cc.origfips 2023-07-31 12:09:46.603683081 +0200
|
||||
+++ node-v18.16.1/src/crypto/crypto_util.cc 2023-07-31 12:16:16.906617914 +0200
|
||||
@@ -111,6 +111,8 @@ bool ProcessFipsOptions() {
|
||||
diff --git a/lib/crypto.js b/lib/crypto.js
|
||||
index 41adecc..b2627ac 100644
|
||||
--- a/lib/crypto.js
|
||||
+++ b/lib/crypto.js
|
||||
@@ -36,6 +36,9 @@ const {
|
||||
assertCrypto();
|
||||
|
||||
const {
|
||||
+ // RHEL specific error
|
||||
+ ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED,
|
||||
+
|
||||
ERR_CRYPTO_FIPS_FORCED,
|
||||
ERR_WORKER_UNSUPPORTED_OPERATION,
|
||||
} = require('internal/errors').codes;
|
||||
@@ -251,6 +254,13 @@ function getFips() {
|
||||
}
|
||||
|
||||
function setFips(val) {
|
||||
+ // in RHEL FIPS enable/disable should only be done at system level
|
||||
+ if (getFips() != val) {
|
||||
+ throw new ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED();
|
||||
+ } else {
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
if (getOptionValue('--force-fips')) {
|
||||
if (val) return;
|
||||
throw new ERR_CRYPTO_FIPS_FORCED();
|
||||
diff --git a/lib/internal/errors.js b/lib/internal/errors.js
|
||||
index a722360..04d8a53 100644
|
||||
--- a/lib/internal/errors.js
|
||||
+++ b/lib/internal/errors.js
|
||||
@@ -1060,6 +1060,12 @@ module.exports = {
|
||||
//
|
||||
// Note: Node.js specific errors must begin with the prefix ERR_
|
||||
|
||||
+// insert RHEL specific erro
|
||||
+E('ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED',
|
||||
+ 'Cannot set FIPS mode. FIPS should be enabled/disabled at system level. See' +
|
||||
+ 'https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening for more details.\n',
|
||||
+ Error);
|
||||
+
|
||||
E('ERR_ACCESS_DENIED',
|
||||
'Access to this API has been restricted. Permission: %s',
|
||||
Error);
|
||||
diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
|
||||
index 5734d8f..ef9d1b1 100644
|
||||
--- a/src/crypto/crypto_util.cc
|
||||
+++ b/src/crypto/crypto_util.cc
|
||||
@@ -121,6 +121,8 @@ bool ProcessFipsOptions() {
|
||||
/* Override FIPS settings in configuration file, if needed. */
|
||||
if (per_process::cli_options->enable_fips_crypto ||
|
||||
per_process::cli_options->force_fips_crypto) {
|
||||
@ -18,3 +80,5 @@ diff -up node-v18.16.1/src/crypto/crypto_util.cc.origfips node-v18.16.1/src/cryp
|
||||
#if OPENSSL_VERSION_MAJOR >= 3
|
||||
OSSL_PROVIDER* fips_provider = OSSL_PROVIDER_load(nullptr, "fips");
|
||||
if (fips_provider == nullptr)
|
||||
--
|
||||
2.43.2
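Review bot: The new ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED message in lib/internal/errors.js joins `'... See'` directly to `'https://access.redhat.com/...'`, so the error prints `Seehttps://…` and the hardening-guide link is not usable as shown; add the space: `'Cannot set FIPS mode. FIPS should be enabled/disabled at system level. See ' +`. The trailing `\n` in that message and the comment typo `erro` can be fixed in the same pass. In setFips, both branches of the added `if (getFips() != val)` leave the function, so the existing `--force-fips` handling below it is now unreachable; a comment such as `// RHEL: everything below is intentionally unreachable` would help the next rebase. The loose `!=` looks deliberate so that `true` matches a numeric 1 from getFips(), but it also lets values like `'1'` through; `if (Boolean(getFips()) !== Boolean(val))` would state the intent explicitly. The body of setFips continues outside the hunk.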
|
||||
|
@ -44,7 +44,7 @@
|
||||
%global nodejs_epoch 1
|
||||
%global nodejs_major 20
|
||||
%global nodejs_minor 11
|
||||
%global nodejs_patch 0
|
||||
%global nodejs_patch 1
|
||||
%global nodejs_abi %{nodejs_major}.%{nodejs_minor}
|
||||
# nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
|
||||
%global nodejs_soversion 115
|
||||
@ -180,10 +180,10 @@ Source101: cjs-module-lexer-1.2.2.tar.gz
|
||||
Source111: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-11.0-linux.tar.gz
|
||||
|
||||
# Version: jq '.version' deps/undici/src/package.json
|
||||
# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.27.2.tar.gz
|
||||
# Adjustments: rm -f undici-5.27.2/lib/llhttp/llhttp*.wasm
|
||||
# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.28.3.tar.gz
|
||||
# Adjustments: rm -f undici-5.28.3/lib/llhttp/llhttp*.wasm*
|
||||
# wasi-sdk version can be found in lib/llhttp/wasm_build_env.txt
|
||||
Source102: undici-5.27.2.tar.gz
|
||||
Source102: undici-5.28.3.tar.gz
|
||||
Source112: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-16/wasi-sdk-16.0-linux.tar.gz
|
||||
|
||||
# Disable running gyp on bundled deps we don't use
|
||||
@ -424,7 +424,7 @@ export CFLAGS="%{optflags} ${extra_cflags[*]}" CXXFLAGS="%{optflags} ${extra_cfl
|
||||
export LDFLAGS="%{build_ldflags}"
|
||||
|
||||
%{__python3} configure.py --prefix=%{_prefix} --verbose \
|
||||
--shared-openssl \
|
||||
--shared-openssl --openssl-conf-name=openssl_conf \
|
||||
--shared-zlib \
|
||||
--shared-brotli \
|
||||
%{!?with_bundled:--shared-libuv} \
|
||||
@ -634,9 +634,13 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/nod
|
||||
|
||||
|
||||
%changelog
|
||||
* Thu Feb 29 2024 Lukas Javorsky <ljavorsk@redhat.com> - 1:20.11.1-1
|
||||
- Rebase to version 20.11.1
|
||||
- Resolves: RHEL-26694 RHEL-26684 RHEL-26687 RHEL-26010 RHEL-26597 RHEL-26689 RHEL-26022
|
||||
|
||||
* Fri Jan 12 2024 Jan Staněk <jstanek@redhat.com> - 1:20.11.0-1
|
||||
- Rebase to version 20.11.0
|
||||
Resolves: RHEL-21188
|
||||
Resolves: RHEL-21189
|
||||
|
||||
* Thu Nov 09 2023 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:20.9.0-1
|
||||
- Rebase to LTS
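Review bot: The configure hunk adds `--openssl-conf-name=openssl_conf` with no comment in the spec, and the new changelog entry records only the rebase. The switch changes which section of the OpenSSL configuration file Node.js initialises from (the upstream default is `nodejs_conf`), so anything relying on a separate Node.js section will behave differently after this update. The same commit also rewrites the FIPS patch so that setFips() throws. Both changes deserve a changelog line, for example `- Use the system openssl_conf section and disable runtime FIPS switching`, and a comment above the configure call such as `# Read the system-wide openssl_conf section instead of a Node.js-specific one`.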
|
||||
|