Resolves: RHEL-12611

Update node and nghttp
Add FIPS patch
This commit is contained in:
Zuzana Svetlikova 2023-10-19 17:46:25 +02:00
parent 27fc3aecc6
commit 04e906c947
4 changed files with 38 additions and 9 deletions

2
.gitignore vendored
View File

@ -49,3 +49,5 @@
/icu4c-73_2-src.tgz /icu4c-73_2-src.tgz
/undici-5.22.1.tar.gz /undici-5.22.1.tar.gz
/node-v20.5.1-stripped.tar.gz /node-v20.5.1-stripped.tar.gz
/node-v20.8.1-stripped.tar.gz
/undici-5.26.3.tar.gz

View File

@ -0,0 +1,20 @@
FIPS related options cause a segfault, let's end sooner
Upstream report: https://github.com/nodejs/node/pull/48950
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=2226726
This patch makes the part of the code that processes cmd-line options for
FIPS to end sooner before the code gets to the problematic part of the code.
diff -up node-v18.16.1/src/crypto/crypto_util.cc.origfips node-v18.16.1/src/crypto/crypto_util.cc
--- node-v18.16.1/src/crypto/crypto_util.cc.origfips 2023-07-31 12:09:46.603683081 +0200
+++ node-v18.16.1/src/crypto/crypto_util.cc 2023-07-31 12:16:16.906617914 +0200
@@ -111,6 +111,8 @@ bool ProcessFipsOptions() {
/* Override FIPS settings in configuration file, if needed. */
if (per_process::cli_options->enable_fips_crypto ||
per_process::cli_options->force_fips_crypto) {
+ fprintf(stderr, "ERROR: Using options related to FIPS is not recommended, configure FIPS in openssl instead. See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening for more details.\n");
+ return false;
#if OPENSSL_VERSION_MAJOR >= 3
OSSL_PROVIDER* fips_provider = OSSL_PROVIDER_load(nullptr, "fips");
if (fips_provider == nullptr)

View File

@ -43,7 +43,7 @@
# than a Fedora release lifecycle. # than a Fedora release lifecycle.
%global nodejs_epoch 1 %global nodejs_epoch 1
%global nodejs_major 20 %global nodejs_major 20
%global nodejs_minor 5 %global nodejs_minor 8
%global nodejs_patch 1 %global nodejs_patch 1
%global nodejs_abi %{nodejs_major}.%{nodejs_minor} %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
# nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
@ -77,7 +77,7 @@
%global libuv_version 1.46.0 %global libuv_version 1.46.0
# nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h # nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h
%global nghttp2_version 1.55.1 %global nghttp2_version 1.57.0
# nghttp3 - from deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h # nghttp3 - from deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h
%global nghttp3_version 0.7.0 %global nghttp3_version 0.7.0
@ -105,10 +105,10 @@
%endif %endif
# simduft from deps/simdutf/simdutf.h # simduft from deps/simdutf/simdutf.h
%global simduft_version 3.2.14 %global simduft_version 3.2.17
# ada from deps/ada/ada.h # ada from deps/ada/ada.h
%global ada_version 2.5.1 %global ada_version 2.6.0
# OpenSSL minimum version # OpenSSL minimum version
%global openssl_minimum 1:1.1.1 %global openssl_minimum 1:1.1.1
@ -121,7 +121,7 @@
# npm - from deps/npm/package.json # npm - from deps/npm/package.json
%global npm_epoch 1 %global npm_epoch 1
%global npm_version 9.8.0 %global npm_version 10.1.0
# In order to avoid needing to keep incrementing the release version for the # In order to avoid needing to keep incrementing the release version for the
# main package forever, we will just construct one for npm that is guaranteed # main package forever, we will just construct one for npm that is guaranteed
@ -131,7 +131,7 @@
# Node.js 16.9.1 and later comes with an experimental package management tool # Node.js 16.9.1 and later comes with an experimental package management tool
# corepack - from deps/corepack/package.json # corepack - from deps/corepack/package.json
%global corepack_version 0.19.0 %global corepack_version 0.20.0
# uvwasi - from deps/uvwasi/include/uvwasi.h # uvwasi - from deps/uvwasi/include/uvwasi.h
%global uvwasi_version 0.0.18 %global uvwasi_version 0.0.18
@ -189,6 +189,7 @@ Source112: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-14/wasi-sdk-
# Disable running gyp on bundled deps we don't use # Disable running gyp on bundled deps we don't use
Patch1: 0001-Disable-running-gyp-on-shared-deps.patch Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
Patch3: nodejs-fips-disable-options.patch
BuildRequires: make BuildRequires: make
BuildRequires: python3-devel BuildRequires: python3-devel
@ -439,7 +440,7 @@ make BUILDTYPE=Release %{?_smp_mflags}
# Extract the ICU data and convert it to the appropriate endianness # Extract the ICU data and convert it to the appropriate endianness
pushd deps/ pushd deps/
tar xfz %SOURCE3 tar xfz %{SOURCE3}
pushd icu/source pushd icu/source
@ -634,6 +635,12 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/nod
%changelog %changelog
* Wed Oct 18 2023 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:20.8.1-1
- Update node and nghttp
- Add fips patch
- Fixes CVE-2023-44487 (nghttp)
- Fixes CVE-2023-45143, CVE-2023-39331, CVE-2023-39332, CVE-2023-38552, CVE-2023-39333
* Thu Aug 10 2023 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:20.5.1-1 * Thu Aug 10 2023 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:20.5.1-1
- Rebase to new security release - Rebase to new security release
- Address CVE-2023-32002, CVE-2023-32004, CVE-2023-32558 (high) - Address CVE-2023-32002, CVE-2023-32004, CVE-2023-32558 (high)

View File

@ -1,6 +1,6 @@
SHA512 (node-v20.5.1-stripped.tar.gz) = d0d9fe30b502e3e2f95ed2cecf1ee1365f36978b85feb50f3551369aa7fdf19341809dfbd0de59ddf347738ba8b3c00ae8da2b53cf3166fb8c1e48edb20166a2 SHA512 (node-v20.8.1-stripped.tar.gz) = 42e65b317613ff698997fba98510624ba874812b53cfc4ec1659d3d31abd248e7c6973e4229ad5b967ed2f100ef0274dc7257e3c89d25de2377f5f5758255632
SHA512 (icu4c-73_2-src.tgz) = 76dd782db6205833f289d7eb68b60860dddfa3f614f0ba03fe7ec13117077f82109f0dc1becabcdf4c8a9c628b94478ab0a46134bdb06f4302be55f74027ce62 SHA512 (icu4c-73_2-src.tgz) = 76dd782db6205833f289d7eb68b60860dddfa3f614f0ba03fe7ec13117077f82109f0dc1becabcdf4c8a9c628b94478ab0a46134bdb06f4302be55f74027ce62
SHA512 (undici-5.22.1.tar.gz) = d372c6d5b9705901d3377a3d1ab2b42b7b8cb66b0d9d427843ab1f8ca15da7a7b1d5895280c54d71507112534ca9f1d934c647159f74b7868d8bfc876bfeca19 SHA512 (undici-5.26.3.tar.gz) = 990f5ab05e6bbe9ec3f15900e4a900620212322057c7f110be2c268f016679bf21789f3d4623b00ebda6c3fd2891deeb29c3324ada2a3740d8187192f440a53d
SHA512 (cjs-module-lexer-1.2.2.tar.gz) = 2c8e9caf2231ca7d61e71936305389774859aca9b5c86c63489c9a62a81f4736f99477c3f0cbb41077bb7924fdd23e0f24b7bce858e42fb0f87e7c0ffc87afeb SHA512 (cjs-module-lexer-1.2.2.tar.gz) = 2c8e9caf2231ca7d61e71936305389774859aca9b5c86c63489c9a62a81f4736f99477c3f0cbb41077bb7924fdd23e0f24b7bce858e42fb0f87e7c0ffc87afeb
SHA512 (wasi-sdk-11.0-linux.tar.gz) = e3ed4597f7f2290967eef6238e9046f60abbcb8633a4a2a51525d00e7393df8df637a98a5b668217d332dd44fcbf2442ec7efd5e65724e888d90611164451e20 SHA512 (wasi-sdk-11.0-linux.tar.gz) = e3ed4597f7f2290967eef6238e9046f60abbcb8633a4a2a51525d00e7393df8df637a98a5b668217d332dd44fcbf2442ec7efd5e65724e888d90611164451e20
SHA512 (wasi-sdk-14.0-linux.tar.gz) = 288a367e051f5b3f5853de97fabaedd3acf2255819d50c24f48f573897518500ea808342fd9aea832b2a5717089807bf1cbcf6d46b156b4eb60cc6b3c02ee997 SHA512 (wasi-sdk-14.0-linux.tar.gz) = 288a367e051f5b3f5853de97fabaedd3acf2255819d50c24f48f573897518500ea808342fd9aea832b2a5717089807bf1cbcf6d46b156b4eb60cc6b3c02ee997