Resolves: RHEL-12602
Update node and nghttp Add FIPS patch
		
							parent
							
								
									741d7d6dca
								
							
						
					
					
						commit
						09d5f2c0d8
					
				
							
								
								
									
										2
									
								
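--- a/.gitignore
+++ b/.gitignore
@@ -49,3 +49,5 @@
 /wasi-sdk-11.0-linux.tar.gz
 /wasi-sdk-14.0-linux.tar.gz
 /node-v20.5.1-stripped.tar.gz
+/node-v20.8.1-stripped.tar.gz
+/undici-5.26.3.tar.gz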
							
								
								
									
										20
									
								
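--- a/nodejs-fips-disable-options.patch
+++ b/nodejs-fips-disable-options.patch
@@ -0,0 +1,20 @@
+FIPS related options cause a segfault, let's end sooner
+
+Upstream report: https://github.com/nodejs/node/pull/48950
+RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=2226726
+
+This patch makes the part of the code that processes cmd-line options for
+FIPS to end sooner before the code gets to the problematic part of the code.
+
+diff -up node-v18.16.1/src/crypto/crypto_util.cc.origfips node-v18.16.1/src/crypto/crypto_util.cc
+--- node-v18.16.1/src/crypto/crypto_util.cc.origfips	2023-07-31 12:09:46.603683081 +0200
++++ node-v18.16.1/src/crypto/crypto_util.cc	2023-07-31 12:16:16.906617914 +0200
+@@ -111,6 +111,8 @@ bool ProcessFipsOptions() {
+   /* Override FIPS settings in configuration file, if needed. */
+   if (per_process::cli_options->enable_fips_crypto ||
+       per_process::cli_options->force_fips_crypto) {
++      fprintf(stderr, "ERROR: Using options related to FIPS is not recommended, configure FIPS in openssl instead. See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening for more details.\n");
++      return false;
+ #if OPENSSL_VERSION_MAJOR >= 3
+     OSSL_PROVIDER* fips_provider = OSSL_PROVIDER_load(nullptr, "fips");
+     if (fips_provider == nullptr)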
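Review bot: The added `fprintf` calls the condition an ERROR and the next line returns `false`, yet the text only says the FIPS options are "not recommended", so an operator cannot tell from the log that the request was refused rather than honoured; state it outright, e.g. `fprintf(stderr, "ERROR: --enable-fips and --force-fips are disabled in this build; configure FIPS in OpenSSL instead. See <existing URL> for more details.\n");`. The unconditional `return false;` also leaves the rest of this `if` block (the `OSSL_PROVIDER_load` path) unreachable, and how the caller reports a `false` result is not visible here, so it is worth confirming that startup fails cleanly rather than printing an unrelated OpenSSL error. Both added lines are indented six spaces where the surrounding block uses four. The patch headers name `node-v18.16.1` while the spec in this commit builds 20.8.1, so regenerating it against the current tree would avoid relying on offset matching. `ProcessFipsOptions()` begins and ends outside the hunk.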
							
								
								
									
										23
									
								
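--- a/nodejs.spec
+++ b/nodejs.spec
@@ -44,7 +44,7 @@
 # than a Fedora release lifecycle.
 %global nodejs_epoch 1
 %global nodejs_major 20
-%global nodejs_minor 5
+%global nodejs_minor 8
 %global nodejs_patch 1
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
@@ -78,7 +78,7 @@
 %global libuv_version 1.46.0
 
 # nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h
-%global nghttp2_version 1.55.1
+%global nghttp2_version 1.57.0
 
 # nghttp3 - from deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h
 %global nghttp3_version 0.7.0
@@ -106,10 +106,10 @@
 %endif
 
 # simduft from deps/simdutf/simdutf.h
-%global simduft_version 3.2.14
+%global simduft_version 3.2.17
 
 # ada from deps/ada/ada.h
-%global ada_version 2.5.1
+%global ada_version 2.6.0
 
 # OpenSSL minimum version
 %global openssl_minimum 1:1.1.1
@@ -122,7 +122,7 @@
 
 # npm - from deps/npm/package.json
 %global npm_epoch 1
-%global npm_version 9.8.0
+%global npm_version 10.1.0
 
 # In order to avoid needing to keep incrementing the release version for the
 # main package forever, we will just construct one for npm that is guaranteed
@@ -132,7 +132,7 @@
 
 # Node.js 16.9.1 and later comes with an experimental package management tool
 # corepack - from deps/corepack/package.json
-%global corepack_version 0.19.0
+%global corepack_version 0.20.0
 
 # uvwasi - from deps/uvwasi/include/uvwasi.h
 %global uvwasi_version 0.0.18
@@ -183,13 +183,14 @@ Source102: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-
 # Version: jq '.version' deps/undici/src/package.json
 # Original: https://github.com/nodejs/undici/archive/refs/tags/v5.22.1.tar.gz
 # Adjustments: rm -f undici-5.21.0/lib/llhttp/llhttp*.wasm*
-Source111: undici-5.22.1.tar.gz
+Source111: undici-5.26.3.tar.gz
 # The WASM blob was made using wasi-sdk v14; compiler libraries are linked in.
 # Version source: build/Dockerfile
 Source112: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-14/wasi-sdk-wasi-sdk-14.tar.gz
 
 # Disable running gyp on bundled deps we don't use
 Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
+Patch3: nodejs-fips-disable-options.patch
 
 BuildRequires: make
 BuildRequires: python3-devel
@@ -452,7 +453,7 @@ make BUILDTYPE=Release %{?_smp_mflags}
 
 # Extract the ICU data and convert it to the appropriate endianness
 pushd deps/
-tar xfz %SOURCE3
+tar xfz %{SOURCE3}
 
 pushd icu/source
 
@@ -720,6 +721,12 @@ end
 
 
 %changelog
+* Wed Oct 18 2023 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:20.8.1-1
+- Update node and nghttp
+- Add fips patch
+- Fixes CVE-2023-44487 (nghttp)
+- Fixes CVE-2023-45143, CVE-2023-39331, CVE-2023-39332, CVE-2023-38552, CVE-2023-39333
+
 * Thu Aug 10 2023 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:20.5.1-1
 - Rebase to new security release
 - Address CVE-2023-32002, CVE-2023-32004, CVE-2023-32558 (high)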
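Review bot: The provenance comments above `Source111` were not updated along with the tarball: they still read `# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.22.1.tar.gz` and `# Adjustments: rm -f undici-5.21.0/lib/llhttp/llhttp*.wasm*` while the source is now `undici-5.26.3.tar.gz`. Anyone re-deriving the stripped tarball to check it against the new SHA512 in `sources` needs the matching tag and directory name, so both comments should be brought to 5.26.3 in this hunk. The new `Patch3` line also has no explanatory comment, unlike `Patch1`; a line such as `# Refuse the FIPS command-line options, see RHBZ#2226726` above it would record why the patch is carried.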
							
								
								
									
										4
									
								
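--- a/sources
+++ b/sources
@@ -1,6 +1,6 @@
-SHA512 (node-v20.5.1-stripped.tar.gz) = e04ce5702662cfc98d19066da8e8bbef2db89df4a1417d0c43a5fa9da103f4fc6003252a83687c3ac7aad95afe2d401137249740309527fa869c9cf0e68ff8f3
+SHA512 (node-v20.8.1-stripped.tar.gz) = 42e65b317613ff698997fba98510624ba874812b53cfc4ec1659d3d31abd248e7c6973e4229ad5b967ed2f100ef0274dc7257e3c89d25de2377f5f5758255632
 SHA512 (icu4c-73_2-src.tgz) = 76dd782db6205833f289d7eb68b60860dddfa3f614f0ba03fe7ec13117077f82109f0dc1becabcdf4c8a9c628b94478ab0a46134bdb06f4302be55f74027ce62
-SHA512 (undici-5.22.1.tar.gz) = d372c6d5b9705901d3377a3d1ab2b42b7b8cb66b0d9d427843ab1f8ca15da7a7b1d5895280c54d71507112534ca9f1d934c647159f74b7868d8bfc876bfeca19
+SHA512 (undici-5.26.3.tar.gz) = 990f5ab05e6bbe9ec3f15900e4a900620212322057c7f110be2c268f016679bf21789f3d4623b00ebda6c3fd2891deeb29c3324ada2a3740d8187192f440a53d
 SHA512 (cjs-module-lexer-1.2.2.tar.gz) = 27c666fd5298022236b659c407cfb82a5a014c17ee4f9301be1015dd59b1a7c15e57d575f5a53908f9a3ff2069cbc0a8f3c2d5b28c4a2f933cd31015c20c750e
 SHA512 (wasi-sdk-wasi-sdk-11.tar.gz) = cb37f357b09431a3efad26141d83dce63232a35b536d9a7bd341d4d9627a0a3d4bd4d57504b6e3dab421942d2c168a96da2a6be889aab3f9a2852fc5a3200d3c
 SHA512 (wasi-sdk-wasi-sdk-14.tar.gz) = 4fecb3d9c04b91eb2388a9e51d49fbff6f22b81f9945a07ecdbfe479c96dad1e3b673b8bee24842b0dae5294129a9cb35dcf8e5ecf45437a6d01fb6e0fd13645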