import UBI nodejs-22.23.1-1.module+el9.8.0+24457+996af7aa
This commit is contained in:
parent
ff76cf8248
commit
2ce0be970c
2
.gitignore
vendored
2
.gitignore
vendored
@ -1,3 +1,3 @@
|
||||
SOURCES/icu4c-78.2-data-bin-b.zip
|
||||
SOURCES/icu4c-78.2-data-bin-l.zip
|
||||
SOURCES/node-v22.22.2-stripped.tar.gz
|
||||
SOURCES/node-v22.23.1-stripped.tar.gz
|
||||
|
||||
@ -1,3 +1,3 @@
|
||||
7a91e81c4f2c8368d80285a5bbdfe278d68e4a84 SOURCES/icu4c-78.2-data-bin-b.zip
|
||||
b9f5918e2118ef8531b0ffc04b3d50e951e3a166 SOURCES/icu4c-78.2-data-bin-l.zip
|
||||
99fded7e2ca8329a6bcdba962599c9c8f2f3b689 SOURCES/node-v22.22.2-stripped.tar.gz
|
||||
8751335622db226d57c19ed444575147f0b62396 SOURCES/node-v22.23.1-stripped.tar.gz
|
||||
|
||||
File diff suppressed because it is too large
Load Diff
166
SOURCES/0002-CVE-2026-42338-npm-ip-address-security-fix.patch
Normal file
166
SOURCES/0002-CVE-2026-42338-npm-ip-address-security-fix.patch
Normal file
@ -0,0 +1,166 @@
|
||||
From d98f88cfa68abef0e57ec2b48df0049032e50c85 Mon Sep 17 00:00:00 2001
|
||||
From: Beau Gunderson <beau@beaugunderson.com>
|
||||
Date: Sun, 27 Apr 2026 10:28:29 -0700
|
||||
Subject: [PATCH] CVE-2026-42338 ip-address HTML escaping fix
|
||||
|
||||
Fix HTML escaping in ip-address library to prevent XSS vulnerabilities.
|
||||
This adds proper HTML escaping for IPv6 address components before
|
||||
including them in error HTML output.
|
||||
|
||||
Fixes: CVE-2026-42338
|
||||
Upstream commit: d98f88cfa68abef0e57ec2b48df0049032e50c85
|
||||
---
|
||||
deps/npm/node_modules/ip-address/dist/v6/helpers.js | 9 +++++++++
|
||||
deps/npm/node_modules/ip-address/dist/ipv6.js | 32 ++++++++++++++----------
|
||||
deps/npm/node_modules/ip-address/package.json | 2 +-
|
||||
3 files changed, 30 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/deps/npm/node_modules/ip-address/dist/v6/helpers.js b/deps/npm/node_modules/ip-address/dist/v6/helpers.js
|
||||
index 1234567..abcdefg 100644
|
||||
--- a/deps/npm/node_modules/ip-address/dist/v6/helpers.js
|
||||
+++ b/deps/npm/node_modules/ip-address/dist/v6/helpers.js
|
||||
@@ -1,14 +1,23 @@
|
||||
"use strict";
|
||||
Object.defineProperty(exports, "__esModule", { value: true });
|
||||
+exports.escapeHtml = escapeHtml;
|
||||
exports.spanAllZeroes = spanAllZeroes;
|
||||
exports.spanAll = spanAll;
|
||||
exports.spanLeadingZeroes = spanLeadingZeroes;
|
||||
exports.simpleGroup = simpleGroup;
|
||||
+function escapeHtml(s) {
|
||||
+ return s
|
||||
+ .replace(/&/g, '&')
|
||||
+ .replace(/</g, '<')
|
||||
+ .replace(/>/g, '>')
|
||||
+ .replace(/"/g, '"')
|
||||
+ .replace(/'/g, ''');
|
||||
+}
|
||||
/**
|
||||
* @returns {String} the string with all zeroes contained in a <span>
|
||||
*/
|
||||
function spanAllZeroes(s) {
|
||||
- return s.replace(/(0+)/g, '<span class="zero">$1</span>');
|
||||
+ return escapeHtml(s).replace(/(0+)/g, '<span class="zero">$1</span>');
|
||||
}
|
||||
/**
|
||||
* @returns {String} the string with each character contained in a <span>
|
||||
@@ -16,11 +25,11 @@
|
||||
function spanAll(s, offset = 0) {
|
||||
const letters = s.split('');
|
||||
return letters
|
||||
- .map((n, i) => `<span class="digit value-${n} position-${i + offset}">${spanAllZeroes(n)}</span>`)
|
||||
+ .map((n, i) => `<span class="digit value-${escapeHtml(n)} position-${i + offset}">${spanAllZeroes(n)}</span>`)
|
||||
.join('');
|
||||
}
|
||||
function spanLeadingZeroesSimple(group) {
|
||||
- return group.replace(/^(0+)/, '<span class="zero">$1</span>');
|
||||
+ return escapeHtml(group).replace(/^(0+)/, '<span class="zero">$1</span>');
|
||||
}
|
||||
/**
|
||||
* @returns {String} the string with leading zeroes contained in a <span>
|
||||
@@ -42,4 +51,3 @@
|
||||
return `<span class="hover-group group-${i + offset}">${spanLeadingZeroesSimple(g)}</span>`;
|
||||
});
|
||||
}
|
||||
-//# sourceMappingURL=helpers.js.map
|
||||
\ No newline at end of file
|
||||
diff --git a/deps/npm/node_modules/ip-address/dist/ipv6.js b/deps/npm/node_modules/ip-address/dist/ipv6.js
|
||||
index 1234567..abcdefg 100644
|
||||
--- a/deps/npm/node_modules/ip-address/dist/ipv6.js
|
||||
+++ b/deps/npm/node_modules/ip-address/dist/ipv6.js
|
||||
@@ -17,13 +17,23 @@
|
||||
}) : function(o, v) {
|
||||
o["default"] = v;
|
||||
});
|
||||
-var __importStar = (this && this.__importStar) || function (mod) {
|
||||
- if (mod && mod.__esModule) return mod;
|
||||
- var result = {};
|
||||
- if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
|
||||
- __setModuleDefault(result, mod);
|
||||
- return result;
|
||||
-};
|
||||
+var __importStar = (this && this.__importStar) || (function () {
|
||||
+ var ownKeys = function(o) {
|
||||
+ ownKeys = Object.getOwnPropertyNames || function (o) {
|
||||
+ var ar = [];
|
||||
+ for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
|
||||
+ return ar;
|
||||
+ };
|
||||
+ return ownKeys(o);
|
||||
+ };
|
||||
+ return function (mod) {
|
||||
+ if (mod && mod.__esModule) return mod;
|
||||
+ var result = {};
|
||||
+ if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
|
||||
+ __setModuleDefault(result, mod);
|
||||
+ return result;
|
||||
+ };
|
||||
+})();
|
||||
Object.defineProperty(exports, "__esModule", { value: true });
|
||||
exports.Address6 = void 0;
|
||||
const common = __importStar(require("./common"));
|
||||
@@ -536,7 +546,12 @@
|
||||
this.address4 = new ipv4_1.Address4(this.parsedAddress4);
|
||||
for (let i = 0; i < this.address4.groups; i++) {
|
||||
if (/^0[0-9]+/.test(this.address4.parsedAddress[i])) {
|
||||
- throw new address_error_1.AddressError("IPv4 addresses can't have leading zeroes.", address.replace(constants4.RE_ADDRESS, this.address4.parsedAddress.map(spanLeadingZeroes4).join('.')));
|
||||
+ // The prefix groups haven't been through the bad-character check
|
||||
+ // yet, so escape them before including in the error HTML.
|
||||
+ const highlighted = this.address4.parsedAddress.map(spanLeadingZeroes4).join('.');
|
||||
+ const prefix = groups.slice(0, -1).map(helpers.escapeHtml).join(':');
|
||||
+ const separator = groups.length > 1 ? ':' : '';
|
||||
+ throw new address_error_1.AddressError("IPv4 addresses can't have leading zeroes.", `${prefix}${separator}${highlighted}`);
|
||||
}
|
||||
}
|
||||
this.v4 = true;
|
||||
@@ -896,10 +911,13 @@
|
||||
formFunction = this.to4in6;
|
||||
}
|
||||
const form = formFunction.call(this);
|
||||
+ const safeHref = helpers.escapeHtml(`${options.prefix}${form}`);
|
||||
+ const safeForm = helpers.escapeHtml(form);
|
||||
if (options.className) {
|
||||
- return `<a href="${options.prefix}${form}" class="${options.className}">${form}</a>`;
|
||||
+ const safeClass = helpers.escapeHtml(options.className);
|
||||
+ return `<a href="${safeHref}" class="${safeClass}">${safeForm}</a>`;
|
||||
}
|
||||
- return `<a href="${options.prefix}${form}">${form}</a>`;
|
||||
+ return `<a href="${safeHref}">${safeForm}</a>`;
|
||||
}
|
||||
/**
|
||||
* Groups an address
|
||||
@@ -908,13 +926,13 @@
|
||||
group() {
|
||||
if (this.elidedGroups === 0) {
|
||||
// The simple case
|
||||
- return helpers.simpleGroup(this.address).join(':');
|
||||
+ return helpers.simpleGroup(this.addressMinusSuffix).join(':');
|
||||
}
|
||||
assert(typeof this.elidedGroups === 'number');
|
||||
assert(typeof this.elisionBegin === 'number');
|
||||
// The elided case
|
||||
const output = [];
|
||||
- const [left, right] = this.address.split('::');
|
||||
+ const [left, right] = this.addressMinusSuffix.split('::');
|
||||
if (left.length) {
|
||||
output.push(...helpers.simpleGroup(left));
|
||||
}
|
||||
@@ -1000,4 +1018,3 @@
|
||||
}
|
||||
}
|
||||
exports.Address6 = Address6;
|
||||
-//# sourceMappingURL=ipv6.js.map
|
||||
\ No newline at end of file
|
||||
diff --git a/deps/npm/node_modules/ip-address/package.json b/deps/npm/node_modules/ip-address/package.json
|
||||
index 1234567..abcdefg 100644
|
||||
--- a/deps/npm/node_modules/ip-address/package.json
|
||||
+++ b/deps/npm/node_modules/ip-address/package.json
|
||||
@@ -7,7 +7,7 @@
|
||||
"browser",
|
||||
"validation"
|
||||
],
|
||||
- "version": "10.1.0",
|
||||
+ "version": "10.1.1",
|
||||
"author": "Beau Gunderson <beau@beaugunderson.com> (https://beaugunderson.com/)",
|
||||
"license": "MIT",
|
||||
"main": "dist/ip-address.js",
|
||||
@ -57,8 +57,8 @@
|
||||
# than a Fedora release lifecycle.
|
||||
%global nodejs_epoch 1
|
||||
%global nodejs_major 22
|
||||
%global nodejs_minor 22
|
||||
%global nodejs_patch 2
|
||||
%global nodejs_minor 23
|
||||
%global nodejs_patch 1
|
||||
# nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
|
||||
%global nodejs_soversion 127
|
||||
%global nodejs_abi %{nodejs_soversion}
|
||||
@ -88,13 +88,13 @@
|
||||
%global c_ares_version 1.34.6
|
||||
|
||||
# llhttp - from deps/llhttp/include/llhttp.h
|
||||
%global llhttp_version 9.3.0
|
||||
%global llhttp_version 9.4.2
|
||||
|
||||
# libuv - from deps/uv/include/uv/version.h
|
||||
%global libuv_version 1.51.0
|
||||
|
||||
# nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h
|
||||
%global nghttp2_version 1.68.1
|
||||
%global nghttp2_version 1.69.0
|
||||
|
||||
# nghttp3 - from deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h
|
||||
%global nghttp3_version 1.6.0
|
||||
@ -125,7 +125,7 @@
|
||||
|
||||
# npm - from deps/npm/package.json
|
||||
%global npm_epoch 1
|
||||
%global npm_version 10.9.7
|
||||
%global npm_version 10.9.8
|
||||
|
||||
# In order to avoid needing to keep incrementing the release version for the
|
||||
# main package forever, we will just construct one for npm that is guaranteed
|
||||
@ -141,8 +141,8 @@
|
||||
# histogram_c - assumed from timestamps
|
||||
%global histogram_version 0.11.9
|
||||
|
||||
# sqlite - from deps/sqlite/sqlite3.h
|
||||
%global sqlite_version 3.51.2
|
||||
# sqlite – from deps/sqlite/sqlite3.h
|
||||
%global sqlite_version 3.51.3
|
||||
|
||||
|
||||
Name: nodejs
|
||||
@ -175,8 +175,9 @@ Source301: test-should-pass.txt
|
||||
|
||||
Patch: 0001-Remove-unused-OpenSSL-config.patch
|
||||
Patch: 0003-fips-disable-options.patch
|
||||
Patch: 0001-deps-update-nghttp2-to-1.68.1.patch
|
||||
Patch: 0001-CVE-2026-25547-braces-expansion.patch
|
||||
# npm deps patches
|
||||
Patch: 0002-CVE-2026-42338-npm-ip-address-security-fix.patch
|
||||
|
||||
%global pkgname nodejs
|
||||
|
||||
@ -336,7 +337,7 @@ Requires: nodejs-cjs-module-lexer
|
||||
%endif
|
||||
|
||||
%if %{with bundled_undici}
|
||||
Provides: bundled(nodejs-undici) = 6.24.1
|
||||
Provides: bundled(nodejs-undici) = 6.27.0
|
||||
%else
|
||||
BuildRequires: nodejs-undici
|
||||
Requires: nodejs-undici
|
||||
@ -899,21 +900,26 @@ end
|
||||
|
||||
|
||||
%changelog
|
||||
* Wed Jun 24 2026 Andrei Radchenko <aradchen@redhat.com> - 1:22.23.1-1
|
||||
- Update to version 22.23.1
|
||||
Resolves: RHEL-186622 RHEL-185998 RHEL-183669
|
||||
Fixes: CVE-2026-12151 CVE-2026-48618 CVE-2026-48933 CVE-2026-48937 CVE-2026-48930 CVE-2026-48619 CVE-2026-48615 CVE-2026-48934 CVE-2026-48928 CVE-2026-48617 CVE-2026-48931 CVE-2026-48935 CVE-2026-42338
|
||||
|
||||
* Wed Mar 25 2026 Andrei Radchenko <aradchen@redhat.com> - 1:22.22.2-1
|
||||
- Update to version 22.22.2
|
||||
- introduced patch updating deps/nghttp2 to v 1.68.1 for CVE-2026-27135
|
||||
- disabled failing tests in nghttp2 due to newer version
|
||||
- patch for npm/braces CVE-2026-25547
|
||||
Resolves: RHEL-163369
|
||||
Resolves: RHEL-163370
|
||||
Fixes: CVE-2026-1528 CVE-2026-2229 CVE-2026-1526 CVE-2026-1525 CVE-2026-27135 CVE-2026-27904 CVE-2026-26996 CVE-2026-25547
|
||||
|
||||
* Tue Jan 13 2026 Tomas Juhasz <tjuhasz@redhat.com> - 1:22.22.0-1
|
||||
- Update to 22.22.0
|
||||
Resolves: RHEL-141879
|
||||
Resolves: RHEL-118153
|
||||
|
||||
* Fri Aug 29 2025 Tomas Juhasz <tjuhasz@redhat.com> - 1:22.19.0-1
|
||||
* Fri Aug 29 2025 Tomas Juhasz <tjuhasz@redhat.com> - 1.22.19.0-1
|
||||
- Update to 22.19.0
|
||||
Resolves: RHEL-100426
|
||||
Resolves: RHEL-111913
|
||||
|
||||
* Mon Jul 21 2025 Tomas Juhasz <tjuhasz@redhat.com> - 1:22.16.0-2
|
||||
- Patch fix for CVE-2025-6965
|
||||
|
||||
Loading…
Reference in New Issue
Block a user