import UBI nodejs-22.23.1-1.module+el9.8.0+24457+996af7aa

This commit is contained in:
AlmaLinux RelEng Bot 2026-07-06 10:36:29 -04:00
parent ff76cf8248
commit 2ce0be970c
5 changed files with 187 additions and 7727 deletions

2
.gitignore vendored
View File

@ -1,3 +1,3 @@
SOURCES/icu4c-78.2-data-bin-b.zip
SOURCES/icu4c-78.2-data-bin-l.zip
SOURCES/node-v22.22.2-stripped.tar.gz
SOURCES/node-v22.23.1-stripped.tar.gz

View File

@ -1,3 +1,3 @@
7a91e81c4f2c8368d80285a5bbdfe278d68e4a84 SOURCES/icu4c-78.2-data-bin-b.zip
b9f5918e2118ef8531b0ffc04b3d50e951e3a166 SOURCES/icu4c-78.2-data-bin-l.zip
99fded7e2ca8329a6bcdba962599c9c8f2f3b689 SOURCES/node-v22.22.2-stripped.tar.gz
8751335622db226d57c19ed444575147f0b62396 SOURCES/node-v22.23.1-stripped.tar.gz

File diff suppressed because it is too large Load Diff

View File

@ -0,0 +1,166 @@
From d98f88cfa68abef0e57ec2b48df0049032e50c85 Mon Sep 17 00:00:00 2001
From: Beau Gunderson <beau@beaugunderson.com>
Date: Sun, 27 Apr 2026 10:28:29 -0700
Subject: [PATCH] CVE-2026-42338 ip-address HTML escaping fix
Fix HTML escaping in ip-address library to prevent XSS vulnerabilities.
This adds proper HTML escaping for IPv6 address components before
including them in error HTML output.
Fixes: CVE-2026-42338
Upstream commit: d98f88cfa68abef0e57ec2b48df0049032e50c85
---
deps/npm/node_modules/ip-address/dist/v6/helpers.js | 9 +++++++++
deps/npm/node_modules/ip-address/dist/ipv6.js | 32 ++++++++++++++----------
deps/npm/node_modules/ip-address/package.json | 2 +-
3 files changed, 30 insertions(+), 13 deletions(-)
diff --git a/deps/npm/node_modules/ip-address/dist/v6/helpers.js b/deps/npm/node_modules/ip-address/dist/v6/helpers.js
index 1234567..abcdefg 100644
--- a/deps/npm/node_modules/ip-address/dist/v6/helpers.js
+++ b/deps/npm/node_modules/ip-address/dist/v6/helpers.js
@@ -1,14 +1,23 @@
"use strict";
Object.defineProperty(exports, "__esModule", { value: true });
+exports.escapeHtml = escapeHtml;
exports.spanAllZeroes = spanAllZeroes;
exports.spanAll = spanAll;
exports.spanLeadingZeroes = spanLeadingZeroes;
exports.simpleGroup = simpleGroup;
+function escapeHtml(s) {
+ return s
+ .replace(/&/g, '&amp;')
+ .replace(/</g, '&lt;')
+ .replace(/>/g, '&gt;')
+ .replace(/"/g, '&quot;')
+ .replace(/'/g, '&#39;');
+}
/**
* @returns {String} the string with all zeroes contained in a <span>
*/
function spanAllZeroes(s) {
- return s.replace(/(0+)/g, '<span class="zero">$1</span>');
+ return escapeHtml(s).replace(/(0+)/g, '<span class="zero">$1</span>');
}
/**
* @returns {String} the string with each character contained in a <span>
@@ -16,11 +25,11 @@
function spanAll(s, offset = 0) {
const letters = s.split('');
return letters
- .map((n, i) => `<span class="digit value-${n} position-${i + offset}">${spanAllZeroes(n)}</span>`)
+ .map((n, i) => `<span class="digit value-${escapeHtml(n)} position-${i + offset}">${spanAllZeroes(n)}</span>`)
.join('');
}
function spanLeadingZeroesSimple(group) {
- return group.replace(/^(0+)/, '<span class="zero">$1</span>');
+ return escapeHtml(group).replace(/^(0+)/, '<span class="zero">$1</span>');
}
/**
* @returns {String} the string with leading zeroes contained in a <span>
@@ -42,4 +51,3 @@
return `<span class="hover-group group-${i + offset}">${spanLeadingZeroesSimple(g)}</span>`;
});
}
-//# sourceMappingURL=helpers.js.map
\ No newline at end of file
diff --git a/deps/npm/node_modules/ip-address/dist/ipv6.js b/deps/npm/node_modules/ip-address/dist/ipv6.js
index 1234567..abcdefg 100644
--- a/deps/npm/node_modules/ip-address/dist/ipv6.js
+++ b/deps/npm/node_modules/ip-address/dist/ipv6.js
@@ -17,13 +17,23 @@
}) : function(o, v) {
o["default"] = v;
});
-var __importStar = (this && this.__importStar) || function (mod) {
- if (mod && mod.__esModule) return mod;
- var result = {};
- if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
- __setModuleDefault(result, mod);
- return result;
-};
+var __importStar = (this && this.__importStar) || (function () {
+ var ownKeys = function(o) {
+ ownKeys = Object.getOwnPropertyNames || function (o) {
+ var ar = [];
+ for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+ return ar;
+ };
+ return ownKeys(o);
+ };
+ return function (mod) {
+ if (mod && mod.__esModule) return mod;
+ var result = {};
+ if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+ __setModuleDefault(result, mod);
+ return result;
+ };
+})();
Object.defineProperty(exports, "__esModule", { value: true });
exports.Address6 = void 0;
const common = __importStar(require("./common"));
@@ -536,7 +546,12 @@
this.address4 = new ipv4_1.Address4(this.parsedAddress4);
for (let i = 0; i < this.address4.groups; i++) {
if (/^0[0-9]+/.test(this.address4.parsedAddress[i])) {
- throw new address_error_1.AddressError("IPv4 addresses can't have leading zeroes.", address.replace(constants4.RE_ADDRESS, this.address4.parsedAddress.map(spanLeadingZeroes4).join('.')));
+ // The prefix groups haven't been through the bad-character check
+ // yet, so escape them before including in the error HTML.
+ const highlighted = this.address4.parsedAddress.map(spanLeadingZeroes4).join('.');
+ const prefix = groups.slice(0, -1).map(helpers.escapeHtml).join(':');
+ const separator = groups.length > 1 ? ':' : '';
+ throw new address_error_1.AddressError("IPv4 addresses can't have leading zeroes.", `${prefix}${separator}${highlighted}`);
}
}
this.v4 = true;
@@ -896,10 +911,13 @@
formFunction = this.to4in6;
}
const form = formFunction.call(this);
+ const safeHref = helpers.escapeHtml(`${options.prefix}${form}`);
+ const safeForm = helpers.escapeHtml(form);
if (options.className) {
- return `<a href="${options.prefix}${form}" class="${options.className}">${form}</a>`;
+ const safeClass = helpers.escapeHtml(options.className);
+ return `<a href="${safeHref}" class="${safeClass}">${safeForm}</a>`;
}
- return `<a href="${options.prefix}${form}">${form}</a>`;
+ return `<a href="${safeHref}">${safeForm}</a>`;
}
/**
* Groups an address
@@ -908,13 +926,13 @@
group() {
if (this.elidedGroups === 0) {
// The simple case
- return helpers.simpleGroup(this.address).join(':');
+ return helpers.simpleGroup(this.addressMinusSuffix).join(':');
}
assert(typeof this.elidedGroups === 'number');
assert(typeof this.elisionBegin === 'number');
// The elided case
const output = [];
- const [left, right] = this.address.split('::');
+ const [left, right] = this.addressMinusSuffix.split('::');
if (left.length) {
output.push(...helpers.simpleGroup(left));
}
@@ -1000,4 +1018,3 @@
}
}
exports.Address6 = Address6;
-//# sourceMappingURL=ipv6.js.map
\ No newline at end of file
diff --git a/deps/npm/node_modules/ip-address/package.json b/deps/npm/node_modules/ip-address/package.json
index 1234567..abcdefg 100644
--- a/deps/npm/node_modules/ip-address/package.json
+++ b/deps/npm/node_modules/ip-address/package.json
@@ -7,7 +7,7 @@
"browser",
"validation"
],
- "version": "10.1.0",
+ "version": "10.1.1",
"author": "Beau Gunderson <beau@beaugunderson.com> (https://beaugunderson.com/)",
"license": "MIT",
"main": "dist/ip-address.js",

View File

@ -57,8 +57,8 @@
# than a Fedora release lifecycle.
%global nodejs_epoch 1
%global nodejs_major 22
%global nodejs_minor 22
%global nodejs_patch 2
%global nodejs_minor 23
%global nodejs_patch 1
# nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
%global nodejs_soversion 127
%global nodejs_abi %{nodejs_soversion}
@ -88,13 +88,13 @@
%global c_ares_version 1.34.6
# llhttp - from deps/llhttp/include/llhttp.h
%global llhttp_version 9.3.0
%global llhttp_version 9.4.2
# libuv - from deps/uv/include/uv/version.h
%global libuv_version 1.51.0
# nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h
%global nghttp2_version 1.68.1
%global nghttp2_version 1.69.0
# nghttp3 - from deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h
%global nghttp3_version 1.6.0
@ -125,7 +125,7 @@
# npm - from deps/npm/package.json
%global npm_epoch 1
%global npm_version 10.9.7
%global npm_version 10.9.8
# In order to avoid needing to keep incrementing the release version for the
# main package forever, we will just construct one for npm that is guaranteed
@ -141,8 +141,8 @@
# histogram_c - assumed from timestamps
%global histogram_version 0.11.9
# sqlite - from deps/sqlite/sqlite3.h
%global sqlite_version 3.51.2
# sqlite from deps/sqlite/sqlite3.h
%global sqlite_version 3.51.3
Name: nodejs
@ -175,8 +175,9 @@ Source301: test-should-pass.txt
Patch: 0001-Remove-unused-OpenSSL-config.patch
Patch: 0003-fips-disable-options.patch
Patch: 0001-deps-update-nghttp2-to-1.68.1.patch
Patch: 0001-CVE-2026-25547-braces-expansion.patch
# npm deps patches
Patch: 0002-CVE-2026-42338-npm-ip-address-security-fix.patch
%global pkgname nodejs
@ -336,7 +337,7 @@ Requires: nodejs-cjs-module-lexer
%endif
%if %{with bundled_undici}
Provides: bundled(nodejs-undici) = 6.24.1
Provides: bundled(nodejs-undici) = 6.27.0
%else
BuildRequires: nodejs-undici
Requires: nodejs-undici
@ -899,21 +900,26 @@ end
%changelog
* Wed Jun 24 2026 Andrei Radchenko <aradchen@redhat.com> - 1:22.23.1-1
- Update to version 22.23.1
Resolves: RHEL-186622 RHEL-185998 RHEL-183669
Fixes: CVE-2026-12151 CVE-2026-48618 CVE-2026-48933 CVE-2026-48937 CVE-2026-48930 CVE-2026-48619 CVE-2026-48615 CVE-2026-48934 CVE-2026-48928 CVE-2026-48617 CVE-2026-48931 CVE-2026-48935 CVE-2026-42338
* Wed Mar 25 2026 Andrei Radchenko <aradchen@redhat.com> - 1:22.22.2-1
- Update to version 22.22.2
- introduced patch updating deps/nghttp2 to v 1.68.1 for CVE-2026-27135
- disabled failing tests in nghttp2 due to newer version
- patch for npm/braces CVE-2026-25547
Resolves: RHEL-163369
Resolves: RHEL-163370
Fixes: CVE-2026-1528 CVE-2026-2229 CVE-2026-1526 CVE-2026-1525 CVE-2026-27135 CVE-2026-27904 CVE-2026-26996 CVE-2026-25547
* Tue Jan 13 2026 Tomas Juhasz <tjuhasz@redhat.com> - 1:22.22.0-1
- Update to 22.22.0
Resolves: RHEL-141879
Resolves: RHEL-118153
* Fri Aug 29 2025 Tomas Juhasz <tjuhasz@redhat.com> - 1:22.19.0-1
* Fri Aug 29 2025 Tomas Juhasz <tjuhasz@redhat.com> - 1.22.19.0-1
- Update to 22.19.0
Resolves: RHEL-100426
Resolves: RHEL-111913
* Mon Jul 21 2025 Tomas Juhasz <tjuhasz@redhat.com> - 1:22.16.0-2
- Patch fix for CVE-2025-6965