import CS nodejs-22.19.0-2.module_el9+1269+2b208c4d

2025-09-15 09:37:08 +00:00 · 2025-09-15 09:37:08 +00:00 · 19bbe31500
commit 19bbe31500
parent 9c73262db0
7 changed files with 4040 additions and 24 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,3 +1,3 @@
-SOURCES/icu4c-76_1-data-bin-b.zip
-SOURCES/icu4c-76_1-data-bin-l.zip
-SOURCES/node-v22.13.1-stripped.tar.gz
+SOURCES/icu4c-77_1-data-bin-b.zip
+SOURCES/icu4c-77_1-data-bin-l.zip
+SOURCES/node-v22.19.0-stripped.tar.gz
--- a/.nodejs.metadata
+++ b/.nodejs.metadata
@ -1,3 +1,3 @@
-d1c5586e6733b5c4790d05a76d47ad159ff31e9b SOURCES/icu4c-76_1-data-bin-b.zip
-547c6ffcb7833b1a14abd6114e0a1722144d410a SOURCES/icu4c-76_1-data-bin-l.zip
-20a992fe68e168bd5600ccc2bfe4e315b6db6e4b SOURCES/node-v22.13.1-stripped.tar.gz
+c459faa36dedc60af6a0c6d5b9b84b6198389bf0 SOURCES/icu4c-77_1-data-bin-b.zip
+c602459f93a43dfe7440686b46430e93a85dfc06 SOURCES/icu4c-77_1-data-bin-l.zip
+fcb143615038d08f68d1c53636bec5f7f1c95d3b SOURCES/node-v22.19.0-stripped.tar.gz
--- a/SOURCES/0003-fips-disable-options.patch
+++ b/SOURCES/0003-fips-disable-options.patch
@ -0,0 +1,84 @@
+From 98738d27288bd9ca634e29181ef665e812e7bbd3 Mon Sep 17 00:00:00 2001
+From: Michael Dawson <midawson@redhat.com>
+Date: Fri, 23 Feb 2024 13:43:56 +0100
+Subject: [PATCH] Disable FIPS options
+
+On RHEL, FIPS should be configured only on system level.
+Additionally, the related options may cause segfault when used on RHEL.
+
+This patch causes the option processing to end sooner
+than the problematic code gets executed.
+Additionally, the JS-level options to mess with FIPS settings
+are similarly disabled.
+
+Upstream report: https://github.com/nodejs/node/pull/48950
+RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=2226726
+---
+ lib/crypto.js             | 10 ++++++++++
+ lib/internal/errors.js    |  6 ++++++
+ src/crypto/crypto_util.cc |  2 ++
+ 3 files changed, 18 insertions(+)
+
+diff --git a/lib/crypto.js b/lib/crypto.js
+index 41adecc..b2627ac 100644
+--- a/lib/crypto.js
+++ b/lib/crypto.js
+@@ -36,7 +36,10 @@ const {
+ assertCrypto();
+
+ const {
+  // RHEL specific error
+  ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED,
+
+   ERR_CRYPTO_FIPS_FORCED,
+   ERR_WORKER_UNSUPPORTED_OPERATION,
+ } = require('internal/errors').codes;
+ const constants = internalBinding('constants').crypto;
+@@ -251,6 +254,13 @@ function getFips() {
+ }
+ 
+ function setFips(val) {
+  // in RHEL FIPS enable/disable should only be done at system level
+  if (getFips() != val) {
+    throw new ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED();
+  } else {
+    return;
+  }
+
+   if (getOptionValue('--force-fips')) {
+     if (val) return;
+     throw new ERR_CRYPTO_FIPS_FORCED();
+diff --git a/lib/internal/errors.js b/lib/internal/errors.js
+index a722360..04d8a53 100644
+--- a/lib/internal/errors.js
+++ b/lib/internal/errors.js
+@@ -1111,6 +1111,12 @@ module.exports = {
+ //
+ // Note: Node.js specific errors must begin with the prefix ERR_
+ 
+// insert RHEL specific erro
+E('ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED',
+  'Cannot set FIPS mode. FIPS should be enabled/disabled at system level. See' +
+  'https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening for more details.\n',
+  Error);
+
+ E('ERR_ACCESS_DENIED',
+   function(msg, permission = '', resource = '') {
+     this.permission = permission;
+diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
+index 5734d8f..ef9d1b1 100644
+--- a/src/crypto/crypto_util.cc
+++ b/src/crypto/crypto_util.cc
+@@ -121,6 +121,8 @@ bool ProcessFipsOptions() {
+   /* Override FIPS settings in configuration file, if needed. */
+   if (per_process::cli_options->enable_fips_crypto ||
+       per_process::cli_options->force_fips_crypto) {
+      fprintf(stderr, "ERROR: Using options related to FIPS is not recommended, configure FIPS in openssl instead. See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening for more details.\n");
+      return false;
+ #if OPENSSL_VERSION_MAJOR >= 3
+     OSSL_PROVIDER* fips_provider = OSSL_PROVIDER_load(nullptr, "fips");
+     if (fips_provider == nullptr)
+-- 
+2.43.2
+
+
--- a/SOURCES/nodejs-tarball.sh
+++ b/SOURCES/nodejs-tarball.sh
@ -123,8 +123,8 @@ tar -zcf node-v${version}-stripped.tar.gz node-v${version}
 ICU_MAJOR=$(jq -r '.[0].url' node-v${version}/tools/icu/current_ver.dep | sed --expression='s/.*release-\([[:digit:]]\+\)-\([[:digit:]]\+\).*/\1/g')
 ICU_MINOR=$(jq -r '.[0].url' node-v${version}/tools/icu/current_ver.dep | sed --expression='s/.*release-\([[:digit:]]\+\)-\([[:digit:]]\+\).*/\2/g')
 rm -Rf icu4c-${ICU_MAJOR}_${ICU_MINOR}-data-bin-*.zip
-wget $(grep Source3 nodejs.spec | sed --expression="s/.*http/http/g" --expression="s/\(\%{icu_major}\)/${ICU_MAJOR}/g" --expression="s/\(\%{icu_minor}\)/${ICU_MINOR}/g")
-wget $(grep Source4 nodejs.spec | sed --expression="s/.*http/http/g" --expression="s/\(\%{icu_major}\)/${ICU_MAJOR}/g" --expression="s/\(\%{icu_minor}\)/${ICU_MINOR}/g")
+wget $(grep -w 'Source3' nodejs.spec | sed --expression="s/.*http/http/g" --expression="s/\(\%{icu_major}\)/${ICU_MAJOR}/g" --expression="s/\(\%{icu_minor}\)/${ICU_MINOR}/g")
+wget $(grep -w 'Source4' nodejs.spec | sed --expression="s/.*http/http/g" --expression="s/\(\%{icu_major}\)/${ICU_MAJOR}/g" --expression="s/\(\%{icu_minor}\)/${ICU_MINOR}/g")

 #fedpkg new-sources node-v${version}-stripped.tar.gz icu4c*-src.tgz

--- a/SOURCES/test-runner.sh
+++ b/SOURCES/test-runner.sh
@ -0,0 +1,60 @@
+#!/bin/bash
+	
+NODE_BIN="$1"
+PARENT_TEST_FOLDER="$2"
+TEST_LIST_FILE="$3"
+
+# At most 10 min per test
+TIMEOUT_DURATION=600
+# Exit code
+FINAL_RESULT=0 	
+ARCH=$(uname -m)
+
+echo "Started test run:"
+# Run the list of test
+while IFS= read -r test_line; do
+  # ignore commented lines
+  if [[ "$test_line" =~ ^# ]]; then
+    continue
+  fi
+  # If test has specified ARCH which it should be skipped
+  # Extract it
+  TEST_PATH=$(echo "$test_line" | awk '{print $1}')
+  IGNORE_ARCHES=$(echo "$test_line" |\
+    awk '{for (i=2; i<=NF; i++) printf "%s ", $i; print ""}')
+  
+  # Skip test for specified ARCH
+  for ARCH_IGNORE in $IGNORE_ARCHES; do
+    if [[ "$ARCH_IGNORE" == "$ARCH" ]]; then
+      continue 2  
+    fi
+  done
+  
+  # Construct test path
+  TEST_SCRIPT="$PARENT_TEST_FOLDER/$TEST_PATH"
+
+  if [ ! -f "$TEST_SCRIPT" ]; then
+    echo "Test script not found: $TEST_SCRIPT"
+    continue
+  fi
+
+  TEST_OUTPUT=$(timeout "$TIMEOUT_DURATION" "$NODE_BIN" "$TEST_SCRIPT" 2>&1)
+  TEST_RESULT=$?
+
+  # Handle test result
+  if [ $TEST_RESULT -ne 0 ]; then
+    FINAL_RESULT=1
+    if [ $TEST_RESULT -eq 124 ]; then
+      echo "Test timed out: $TEST_SCRIPT"
+    else
+      echo "Test failed: $TEST_SCRIPT"
+    fi
+    echo "Test failure message:"
+    echo "$TEST_OUTPUT"
+  fi
+done < "$TEST_LIST_FILE"
+
+if [ $FINAL_RESULT -eq 0 ]; then
+    echo "All tests succesfully passed."
+fi
+exit $FINAL_RESULT
--- a/SOURCES/test-should-pass.txt
+++ b/SOURCES/test-should-pass.txt
--- a/SPECS/nodejs.spec
+++ b/SPECS/nodejs.spec
@ -57,8 +57,8 @@
 # than a Fedora release lifecycle.
 %global nodejs_epoch 1
 %global nodejs_major 22
-%global nodejs_minor 13
-%global nodejs_patch 1
+%global nodejs_minor 19
+%global nodejs_patch 0
 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
 %global nodejs_soversion 127
 %global nodejs_abi %{nodejs_soversion}
@ -81,17 +81,17 @@
 %global v8_release %{nodejs_epoch}.%{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}.%{nodejs_release}

 # zlib - from deps/zlib/zlib.h
-%global zlib_version 1.3.0.1-motley
+%global zlib_version 1.3.1

 # c-ares - from deps/cares/include/ares_version.h
 # https://github.com/nodejs/node/pull/9332
-%global c_ares_version 1.34.4
+%global c_ares_version 1.34.5

 # llhttp - from deps/llhttp/include/llhttp.h
-%global llhttp_version 9.2.1
+%global llhttp_version 9.3.0

 # libuv - from deps/uv/include/uv/version.h
-%global libuv_version 1.49.2
+%global libuv_version 1.51.0

 # nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h
 %global nghttp2_version 1.64.0
@ -100,10 +100,10 @@
 %global nghttp3_version 1.6.0

 # ngtcp2 from deps/ngtcp2/ngtcp2/lib/includes/ngtcp2/version.h
-%global ngtcp2_version 1.9.1
+%global ngtcp2_version 1.11.0

 # ICU - from tools/icu/current_ver.dep
-%global icu_major 76
+%global icu_major 77
 %global icu_minor 1
 %global icu_version %{icu_major}.%{icu_minor}

@ -112,7 +112,7 @@
 # " this line just fixes syntax highlighting for vim that is confused by the above and continues literal

 # simdutf from deps/simdutf/simdutf.h
-%global simdutf_version 5.6.4
+%global simdutf_version 6.4.2

 # OpenSSL minimum version
 %global openssl11_minimum 1:1.1.1
@ -125,7 +125,7 @@

 # npm - from deps/npm/package.json
 %global npm_epoch 1
-%global npm_version 10.9.2
+%global npm_version 10.9.3

 # In order to avoid needing to keep incrementing the release version for the
 # main package forever, we will just construct one for npm that is guaranteed
@ -142,7 +142,7 @@
 %global histogram_version 0.11.8

 # sqlite - from deps/sqlite/sqlite3.h
-%global sqlite_version 3.47.2
+%global sqlite_version 3.50.4


 Name: nodejs
@ -170,8 +170,11 @@ Source200: nodejs-tarball.sh
 Source201: npmrc.builtin.in
 Source202: nodejs.pc.in
 Source203: v8.pc.in
+Source300: test-runner.sh
+Source301: test-should-pass.txt

 Patch: 0001-Remove-unused-OpenSSL-config.patch
+Patch: 0003-fips-disable-options.patch

 %global pkgname nodejs

@ -319,7 +322,7 @@ Provides: bundled(simdutf) = %{simdutf_version}

 # Upstream has added a new URL parser that has no option to build as a shared
 # library (19.7.0+)
-Provides: bundled(ada) = 2.8.0
+Provides: bundled(ada) = 2.9.2


 # undici and cjs-module-lexer ship with pre-built WASM binaries.
@ -570,7 +573,8 @@ export PATH="${cwd}/.bin:$PATH"
           --with-intl=small-icu \
           --with-icu-default-data-dir=%{icudatadir} \
           --without-corepack \
-           --openssl-use-def-ca-store
+           --openssl-use-def-ca-store \
+           --use-prefix-to-find-headers

 %ninja_build -C out/Release

@ -766,6 +770,13 @@ sed -e 's#@PREFIX@#%{_prefix}#g' \


 %check
+#run unit test that should pass from list
+LD_LIBRARY_PATH=%{buildroot}%{_libdir} \
+  bash %{SOURCE300} \
+       %{buildroot}/%{_bindir}/node-%{nodejs_pkg_major} \
+       %{_builddir}/node-v%{nodejs_version}/test/ \
+       %{SOURCE301}
+
 # Fail the build if the versions don't match
 LD_LIBRARY_PATH=%{buildroot}%{_libdir} %{buildroot}/%{_bindir}/node-%{nodejs_pkg_major} -e "require('assert').equal(process.versions.node, '%{nodejs_version}')"
 LD_LIBRARY_PATH=%{buildroot}%{_libdir} %{buildroot}/%{_bindir}/node-%{nodejs_pkg_major} -e "require('assert').equal(process.versions.v8.replace(/-node\.\d+$/, ''), '%{v8_version}')"
@ -886,9 +897,33 @@ end


 %changelog
-* Mon Feb 24 2025 Andrei Radchenko <aradchen@redhat.com> - 1:22.13.1-2
- Remove lua pretransaction script from spec file
-  Resolves: RHEL-81122
+* Fri Aug 29 2025 Tomas Juhasz <tjuhasz@redhat.com> - 1:22.19.0-1
+- Update to 22.19.0
+  Resolves: RHEL-100426
+
+* Mon Jul 21 2025 Tomas Juhasz <tjuhasz@redhat.com> - 1:22.16.0-2
+- Patch fix for CVE-2025-6965
+  Resolves: RHEL-103853
+
+* Tue May 20 2025 Andrei Radchenko <aradchen@redhat.com> - 1:22.16.0-1
+- Update to 22.16.0
+  Resolves: RHEL-92870 RHEL-89599 RHEL-92058
+
+* Thu Apr 24 2025 Tomas Juhasz <tjuhasz@redhat.com> - 1:22.15.0-1
+- Update to 22.15.0
+- Drop upstream patches
+
+* Tue Apr 22 2025 Tomas Juhasz <tjuhasz@redhat.com> - 1:22.13.1-4
+- Patch fix for sqlite CVE-2025-31498
+  Resolves: RHEL-87320
+
+* Mon Apr 14 2025 Tomas Juhasz <tjuhasz@redhat.com> - 1:22.13.1-3
+- Update c-ares to newest version with fix for CVE-2025-31498
+  Resolves: RHEL-86587
+
+* Mon Mar 03 2025 Andrei Radchenko <aradchen@redhat.com> - 1:22.13.1-2
+- Remove obsolete lua pretransaction script from spec file
+  Resolves: RHEL-81119
 - Disable npm update notifications for users
  Resolves: RHEL-81079