Resolve CVE-2022-35255/6

2022-10-07 12:12:55 +00:00 · 2022-10-07 12:12:55 +00:00 · 298cc24caa
parent 26a8c2a789
commit 298cc24caa
3 changed files with 27 additions and 13 deletions
--- a/.gitignore
+++ b/.gitignore
@ -31,3 +31,7 @@
 /cjs-module-lexer-1.2.2.tar.gz
 /wasi-sdk-11.0-linux.tar.gz
 /wasi-sdk-14.0-linux.tar.gz
+/node-v18.10.0-stripped.tar.gz
+/undici-5.9.1.tar.gz
+/wasi-sdk-11.tar.gz
+/wasi-sdk-14.tar.gz
--- a/nodejs.spec
+++ b/nodejs.spec
@ -29,7 +29,7 @@
 # This is used by both the nodejs package and the npm subpackage that
 # has a separate version - the name is special so that rpmdev-bumpspec
 # will bump this rather than adding .1 to the end.
-%global baserelease 1
+%global baserelease 2

 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}

@ -40,7 +40,7 @@
 # than a Fedora release lifecycle.
 %global nodejs_epoch 1
 %global nodejs_major 18
-%global nodejs_minor 8
+%global nodejs_minor 10
 %global nodejs_patch 0
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
@ -57,7 +57,7 @@
 %global v8_major 10
 %global v8_minor 2
 %global v8_build 154
-%global v8_patch 13
+%global v8_patch 15
 # V8 presently breaks ABI at least every x.y release while never bumping SONAME
 %global v8_abi %{v8_major}.%{v8_minor}
 %global v8_version %{v8_major}.%{v8_minor}.%{v8_build}.%{v8_patch}
@ -68,7 +68,7 @@
 %global c_ares_version 1.18.1

 # llhttp - from deps/llhttp/include/llhttp.h
-%global llhttp_version 6.0.7
+%global llhttp_version 6.0.10

 # libuv - from deps/uv/include/uv/version.h
 %global libuv_version 1.43.0
@ -78,14 +78,14 @@

 # nghttp3 - from deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h
 %global nghttp3_major 0
-%global nghttp3_minor 1
-%global nghttp3_patch 0-DEV
+%global nghttp3_minor 7
+%global nghttp3_patch 0
 %global nghttp3_version %{nghttp3_major}.%{nghttp3_minor}.%{nghttp3_patch}

 # ngtcp2 from deps/ngtcp2/ngtcp2/lib/includes/ngtcp2/version.h
 %global ngtcp2_major 0
-%global ngtcp2_minor 1
-%global ngtcp2_patch 0-DEV
+%global ngtcp2_minor 8
+%global ngtcp2_patch 1
 %global ngtcp2_version %{ngtcp2_major}.%{ngtcp2_minor}.%{ngtcp2_patch}

 # ICU - from tools/icu/current_ver.dep
@ -117,7 +117,7 @@

 # npm - from deps/npm/package.json
 %global npm_epoch 1
-%global npm_version 8.18.0
+%global npm_version 8.19.2

 # In order to avoid needing to keep incrementing the release version for the
 # main package forever, we will just construct one for npm that is guaranteed
@ -126,7 +126,7 @@
 %global npm_release %{nodejs_epoch}.%{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}.%{nodejs_release}

 # uvwasi - from deps/uvwasi/include/uvwasi.h
-%global uvwasi_version 0.0.12
+%global uvwasi_version 0.0.13

 # histogram_c - assumed from timestamps
 %global histogram_version 0.9.7
@ -172,7 +172,7 @@ Source111: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-
 # Adjustments: rm -f undici-5.7.0/lib/llhttp/llhttp*.wasm
 # wasi-sdk version can be found in Dockerfile
 # https://github.com/nodejs/cjs-module-lexer/blob/1.2.2/Makefile
-Source102: undici-5.8.2.tar.gz
+Source102: undici-5.9.1.tar.gz
 Source112: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-14/wasi-sdk-14.0-linux.tar.gz

 # Disable running gyp on bundled deps we don't use
@ -578,6 +578,7 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/nod
 %doc %{_mandir}/man5/package-lock-json.5*
 %doc %{_mandir}/man5/npm-shrinkwrap-json.5*
 %doc %{_mandir}/man7/config.7*
+%doc %{_mandir}/man7/dependency-selectors.7*
 %doc %{_mandir}/man7/developers.7*
 %doc %{_mandir}/man7/logging.7*
 %doc %{_mandir}/man7/orgs.7*
@ -597,6 +598,15 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/nod


 %changelog
+* Fri Oct 07 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:18.10.0-2
+- Resolves: #2130565
+- Add missing file
+
+* Thu Oct 06 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:18.10.0-1
+- Update to latest release
+- Resolves: #2130565
+- Resolves #2111009, #2111861, #2132732
+
 * Fri Aug 26 2022 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:18.8.0-1
 - Update to latest release
 - Resolves: RHBZ#2111009
--- a/4
+++ b/4
@ -1,6 +1,6 @@
-SHA512 (node-v18.8.0-stripped.tar.gz) = 7bf8020c62a838a0ad987b2e7a27bb47e965221f40ec81b5550fd4c960bbdc14aabf5c3bb3290edd03b8a4352026f56974714ae8a8d7a365aee83c21f094e4de
+SHA512 (node-v18.10.0-stripped.tar.gz) = b0514f61ab38e48f2ebd2dc0e909f764005628dfe7ba872c3f5f3b0d70f65e11057be21fd2ced2be6b85786360522d63908a7606e4949189e16a7c778f35c899
 SHA512 (icu4c-71_1-src.tgz) = 1fd2a20aef48369d1f06e2bb74584877b8ad0eb529320b976264ec2db87420bae242715795f372dbc513ea80047bc49077a064e78205cd5e8b33d746fd2a2912
-SHA512 (undici-5.8.2.tar.gz) = 60553b6ea6b1af8e1c9184b9f8db16813ebe8ce9904e1029afbbd8a60f0f2b8ee67467031375169fa53d9b946a2ccc1f45d7000fbc06716354b22396cc542341
+SHA512 (undici-5.9.1.tar.gz) = fcadac58e368b1f90975a609b24900794c6b234733755cc35bc81f20fda977e8eecfedb6b43b91a25fd6900dbf4c5b133847f65c00d97144d39b5995d0b65568
 SHA512 (cjs-module-lexer-1.2.2.tar.gz) = 2c8e9caf2231ca7d61e71936305389774859aca9b5c86c63489c9a62a81f4736f99477c3f0cbb41077bb7924fdd23e0f24b7bce858e42fb0f87e7c0ffc87afeb
 SHA512 (wasi-sdk-11.0-linux.tar.gz) = e3ed4597f7f2290967eef6238e9046f60abbcb8633a4a2a51525d00e7393df8df637a98a5b668217d332dd44fcbf2442ec7efd5e65724e888d90611164451e20
 SHA512 (wasi-sdk-14.0-linux.tar.gz) = 288a367e051f5b3f5853de97fabaedd3acf2255819d50c24f48f573897518500ea808342fd9aea832b2a5717089807bf1cbcf6d46b156b4eb60cc6b3c02ee997