import CS nodejs-20.11.1-1.module_el8+985+db5db696

This commit is contained in:
eabdullin 2024-03-28 13:59:00 +00:00
parent d1400ad4c9
commit 36baa4db0d
5 changed files with 197 additions and 51 deletions

6
.gitignore vendored
View File

@ -1,6 +1,6 @@
SOURCES/cjs-module-lexer-1.2.2.tar.gz SOURCES/cjs-module-lexer-1.2.2.tar.gz
SOURCES/icu4c-73_2-src.tgz SOURCES/icu4c-73_2-src.tgz
SOURCES/node-v20.5.1-stripped.tar.gz SOURCES/node-v20.11.1-stripped.tar.gz
SOURCES/undici-5.22.1.tar.gz SOURCES/undici-5.28.3.tar.gz
SOURCES/wasi-sdk-wasi-sdk-11.tar.gz SOURCES/wasi-sdk-wasi-sdk-11.tar.gz
SOURCES/wasi-sdk-wasi-sdk-14.tar.gz SOURCES/wasi-sdk-wasi-sdk-16.tar.gz

View File

@ -1,6 +1,6 @@
d879d8062a018d91b007ef6b36f7dd026654b982 SOURCES/cjs-module-lexer-1.2.2.tar.gz 36854f5860acf4b3f8ef8a08cd4240c81c8ae013 SOURCES/cjs-module-lexer-1.2.2.tar.gz
3d94969b097189bf5479c312d9593d2d252f5a73 SOURCES/icu4c-73_2-src.tgz 3d94969b097189bf5479c312d9593d2d252f5a73 SOURCES/icu4c-73_2-src.tgz
1ecddb27a2e04a7829870f11ffcb6dbd3e859f43 SOURCES/node-v20.5.1-stripped.tar.gz 59aed60100c3d6373c218378ccc8e03eb26cc1e5 SOURCES/node-v20.11.1-stripped.tar.gz
616384b209d651b7cb7b41a8a7752eb2e923806a SOURCES/undici-5.22.1.tar.gz b598f79f4706fe75c31ff2a214e50acc04c4725a SOURCES/undici-5.28.3.tar.gz
8979d177dd62e3b167a6fd7dc7185adb0128c439 SOURCES/wasi-sdk-wasi-sdk-11.tar.gz 8979d177dd62e3b167a6fd7dc7185adb0128c439 SOURCES/wasi-sdk-wasi-sdk-11.tar.gz
900a50a32f0079d53c299db92b88bb3c5d2022b8 SOURCES/wasi-sdk-wasi-sdk-14.tar.gz fbe01909bf0e8260fcc3696ec37c9f731b5e356a SOURCES/wasi-sdk-wasi-sdk-16.tar.gz

View File

@ -0,0 +1,83 @@
From 98738d27288bd9ca634e29181ef665e812e7bbd3 Mon Sep 17 00:00:00 2001
From: Michael Dawson <midawson@redhat.com>
Date: Fri, 23 Feb 2024 13:43:56 +0100
Subject: [PATCH] Disable FIPS options
On RHEL, FIPS should be configured only on system level.
Additionally, the related options may cause segfault when used on RHEL.
This patch causes the option processing to end sooner
than the problematic code gets executed.
Additionally, the JS-level options to mess with FIPS settings
are similarly disabled.
Upstream report: https://github.com/nodejs/node/pull/48950
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=2226726
Signed-off-by: rpm-build <rpm-build>
---
lib/crypto.js | 10 ++++++++++
lib/internal/errors.js | 6 ++++++
src/crypto/crypto_util.cc | 2 ++
3 files changed, 18 insertions(+)
diff --git a/lib/crypto.js b/lib/crypto.js
index 41adecc..b2627ac 100644
--- a/lib/crypto.js
+++ b/lib/crypto.js
@@ -36,6 +36,9 @@ const {
assertCrypto();
const {
+ // RHEL specific error
+ ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED,
+
ERR_CRYPTO_FIPS_FORCED,
ERR_WORKER_UNSUPPORTED_OPERATION,
} = require('internal/errors').codes;
@@ -251,6 +254,13 @@ function getFips() {
}
function setFips(val) {
+ // in RHEL FIPS enable/disable should only be done at system level
+ if (getFips() != val) {
+ throw new ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED();
+ } else {
+ return;
+ }
+
if (getOptionValue('--force-fips')) {
if (val) return;
throw new ERR_CRYPTO_FIPS_FORCED();
diff --git a/lib/internal/errors.js b/lib/internal/errors.js
index a722360..04d8a53 100644
--- a/lib/internal/errors.js
+++ b/lib/internal/errors.js
@@ -1060,6 +1060,12 @@ module.exports = {
//
// Note: Node.js specific errors must begin with the prefix ERR_
+// insert RHEL specific erro
+E('ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED',
+ 'Cannot set FIPS mode. FIPS should be enabled/disabled at system level. See' +
+ 'https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening for more details.\n',
+ Error);
+
E('ERR_ACCESS_DENIED',
'Access to this API has been restricted. Permission: %s',
Error);
diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
index 5734d8f..ef9d1b1 100644
--- a/src/crypto/crypto_util.cc
+++ b/src/crypto/crypto_util.cc
@@ -121,6 +121,8 @@ bool ProcessFipsOptions() {
/* Override FIPS settings in configuration file, if needed. */
if (per_process::cli_options->enable_fips_crypto ||
per_process::cli_options->force_fips_crypto) {
+ fprintf(stderr, "ERROR: Using options related to FIPS is not recommended, configure FIPS in openssl instead. See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening for more details.\n");
+ return false;
#if OPENSSL_VERSION_MAJOR >= 3
OSSL_PROVIDER* fips_provider = OSSL_PROVIDER_load(nullptr, "fips");
if (fips_provider == nullptr)
--
2.43.2

View File

@ -135,67 +135,109 @@ rm -f node-v${version}.tar.gz
set +e set +e
# Determine the bundled versions of the various packages # Determine the bundled versions of the various packages
echo "Included software versions"
echo "-------------------------"
echo
echo "Node.js version"
echo "========================="
echo "${version}"
echo
echo "Bundled software versions" echo "Bundled software versions"
echo "-------------------------" echo "-------------------------"
echo echo
echo "libnode shared object version" echo "libnode shared object version (nodejs_soversion)"
echo "=========================" echo "========================="
grep "define NODE_MODULE_VERSION" node-v${version}/src/node_version.h NODE_SOVERSION=$(grep -oP '(?<=#define NODE_MODULE_VERSION )\d+' node-v${version}/src/node_version.h)
echo "${NODE_SOVERSION}"
echo echo
echo "V8" echo "V8"
echo "=========================" echo "========================="
grep "define V8_MAJOR_VERSION" node-v${version}/deps/v8/include/v8-version.h V8_MAJOR=$(grep -oP '(?<=#define V8_MAJOR_VERSION )\d+' node-v${version}/deps/v8/include/v8-version.h)
grep "define V8_MINOR_VERSION" node-v${version}/deps/v8/include/v8-version.h V8_MINOR=$(grep -oP '(?<=#define V8_MINOR_VERSION )\d+' node-v${version}/deps/v8/include/v8-version.h)
grep "define V8_BUILD_NUMBER" node-v${version}/deps/v8/include/v8-version.h V8_BUILD=$(grep -oP '(?<=#define V8_BUILD_NUMBER )\d+' node-v${version}/deps/v8/include/v8-version.h)
grep "define V8_PATCH_LEVEL" node-v${version}/deps/v8/include/v8-version.h V8_PATCH=$(grep -oP '(?<=#define V8_PATCH_LEVEL )\d+' node-v${version}/deps/v8/include/v8-version.h)
echo "${V8_MAJOR}.${V8_MINOR}.${V8_BUILD}.${V8_PATCH}"
echo echo
echo "c-ares" echo "c-ares"
echo "=========================" echo "========================="
grep "define ARES_VERSION_MAJOR" node-v${version}/deps/cares/include/ares_version.h C_ARES_VERSION=$(grep -oP '(?<=#define ARES_VERSION_STR ).*\"' node-v${version}/deps/cares/include/ares_version.h |sed -e 's/^"//' -e 's/"$//')
grep "define ARES_VERSION_MINOR" node-v${version}/deps/cares/include/ares_version.h echo $C_ARES_VERSION
grep "define ARES_VERSION_PATCH" node-v${version}/deps/cares/include/ares_version.h
echo echo
echo "llhttp" echo "llhttp"
echo "=========================" echo "========================="
grep "define LLHTTP_VERSION_MAJOR" node-v${version}/deps/llhttp/include/llhttp.h LLHTTP_MAJOR=$(grep -oP '(?<=#define LLHTTP_VERSION_MAJOR )\d+' node-v${version}/deps/llhttp/include/llhttp.h)
grep "define LLHTTP_VERSION_MINOR" node-v${version}/deps/llhttp/include/llhttp.h LLHTTP_MINOR=$(grep -oP '(?<=#define LLHTTP_VERSION_MINOR )\d+' node-v${version}/deps/llhttp/include/llhttp.h)
grep "define LLHTTP_VERSION_PATCH" node-v${version}/deps/llhttp/include/llhttp.h LLHTTP_PATCH=$(grep -oP '(?<=#define LLHTTP_VERSION_PATCH )\d+' node-v${version}/deps/llhttp/include/llhttp.h)
LLHTTP_VERSION="${LLHTTP_MAJOR}.${LLHTTP_MINOR}.${LLHTTP_PATCH}"
echo $LLHTTP_VERSION
echo echo
echo "libuv" echo "libuv"
echo "=========================" echo "========================="
grep "define UV_VERSION_MAJOR" node-v${version}/deps/uv/include/uv/version.h UV_MAJOR=$(grep -oP '(?<=#define UV_VERSION_MAJOR )\d+' node-v${version}/deps/uv/include/uv/version.h)
grep "define UV_VERSION_MINOR" node-v${version}/deps/uv/include/uv/version.h UV_MINOR=$(grep -oP '(?<=#define UV_VERSION_MINOR )\d+' node-v${version}/deps/uv/include/uv/version.h)
grep "define UV_VERSION_PATCH" node-v${version}/deps/uv/include/uv/version.h UV_PATCH=$(grep -oP '(?<=#define UV_VERSION_PATCH )\d+' node-v${version}/deps/uv/include/uv/version.h)
LIBUV_VERSION="${UV_MAJOR}.${UV_MINOR}.${UV_PATCH}"
echo $LIBUV_VERSION
echo echo
echo "nghttp2" echo "nghttp2"
echo "=========================" echo "========================="
grep "define NGHTTP2_VERSION " node-v${version}/deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h NGHTTP2_VERSION=$(grep -oP '(?<=#define NGHTTP2_VERSION ).*\"' node-v${version}/deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h |sed -e 's/^"//' -e 's/"$//')
echo $NGHTTP2_VERSION
echo echo
echo "nghttp3" echo "nghttp3"
echo "=========================" echo "========================="
grep "define NGHTTP3_VERSION " node-v${version}/deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h NGHTTP3_VERSION=$(grep -oP '(?<=#define NGHTTP3_VERSION ).*\"' node-v${version}/deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h |sed -e 's/^"//' -e 's/"$//')
echo $NGHTTP3_VERSION
echo echo
echo "ngtcp2" echo "ngtcp2"
echo "=========================" echo "========================="
grep "define NGTCP2_VERSION " node-v${version}/deps/ngtcp2/ngtcp2/lib/includes/ngtcp2/version.h NGTCP2_VERSION=$(grep -oP '(?<=#define NGTCP2_VERSION ).*\"' node-v${version}/deps/ngtcp2/ngtcp2/lib/includes/ngtcp2/version.h |sed -e 's/^"//' -e 's/"$//')
echo $NGTCP2_VERSION
echo echo
echo "ICU" echo "ICU"
echo "=========================" echo "========================="
grep "url" node-v${version}/tools/icu/current_ver.dep ICU_MAJOR=$(jq -r '.[0].url' node-v${version}/tools/icu/current_ver.dep | sed --expression='s/.*release-\([[:digit:]]\+\)-\([[:digit:]]\+\).*/\1/g')
ICU_MINOR=$(jq -r '.[0].url' node-v${version}/tools/icu/current_ver.dep | sed --expression='s/.*release-\([[:digit:]]\+\)-\([[:digit:]]\+\).*/\2/g')
echo "${ICU_MAJOR}.${ICU_MINOR}"
echo
echo "simdutf"
echo "========================="
SIMDUTF_VERSION=$(grep -oP '(?<=#define SIMDUTF_VERSION ).*\"' node-v${version}/deps/simdutf/simdutf.h |sed -e 's/^"//' -e 's/"$//')
echo $SIMDUTF_VERSION
echo
echo "ada"
echo "========================="
ADA_VERSION=$(grep -osP '(?<=#define ADA_VERSION ).*\"' node-v${version}/deps/ada/ada.h |sed -e 's/^"//' -e 's/"$//')
ADA_VERSION=${ADA_VERSION:-0}
echo "${ADA_VERSION}"
echo echo
echo "punycode" echo "punycode"
echo "=========================" echo "========================="
grep "'version'" node-v${version}/lib/punycode.js PUNYCODE_VERSION=$(grep -oP "'version': '\K[^']+" ./node-v${version}/lib/punycode.js)
echo echo $PUNYCODE_VERSION
echo "uvwasi"
echo "========================="
grep "define UVWASI_VERSION_MAJOR" node-v${version}/deps/uvwasi/include/uvwasi.h
grep "define UVWASI_VERSION_MINOR" node-v${version}/deps/uvwasi/include/uvwasi.h
grep "define UVWASI_VERSION_PATCH" node-v${version}/deps/uvwasi/include/uvwasi.h
echo echo
echo "npm" echo "npm"
echo "=========================" echo "========================="
grep "\"version\":" node-v${version}/deps/npm/package.json NPM_VERSION=$(jq -r .version ./node-v${version}/deps/npm/package.json)
echo $NPM_VERSION
echo
echo "corepack"
echo "========================="
COREPACK_VERSION=$(jq -r .version ./node-v${version}/deps/corepack/package.json)
echo $COREPACK_VERSION
echo
echo "uvwasi"
echo "========================="
UVWASI_MAJOR=$(grep -oP '(?<=#define UVWASI_VERSION_MAJOR )\d+' node-v${version}/deps/uvwasi/include/uvwasi.h)
UVWASI_MINOR=$(grep -oP '(?<=#define UVWASI_VERSION_MINOR )\d+' node-v${version}/deps/uvwasi/include/uvwasi.h)
UVWASI_PATCH=$(grep -oP '(?<=#define UVWASI_VERSION_PATCH )\d+' node-v${version}/deps/uvwasi/include/uvwasi.h)
UVWASI_VERSION="${UVWASI_MAJOR}.${UVWASI_MINOR}.${UVWASI_PATCH}"
echo $UVWASI_VERSION
echo
echo "histogram_c"
echo "========================="
HISTOGRAM_VERSION=$(grep -oP '(?<=#define HDR_HISTOGRAM_VERSION ).*\"' node-v${version}/deps/histogram/include/hdr/hdr_histogram_version.h|sed -e 's/^"//' -e 's/"$//')
echo $HISTOGRAM_VERSION
echo echo
echo "Make sure these versions match what is in the RPM spec file" echo "Make sure these versions match what is in the RPM spec file"

View File

@ -44,7 +44,7 @@
# than a Fedora release lifecycle. # than a Fedora release lifecycle.
%global nodejs_epoch 1 %global nodejs_epoch 1
%global nodejs_major 20 %global nodejs_major 20
%global nodejs_minor 5 %global nodejs_minor 11
%global nodejs_patch 1 %global nodejs_patch 1
%global nodejs_abi %{nodejs_major}.%{nodejs_minor} %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
# nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
@ -69,7 +69,7 @@
# c-ares - from deps/cares/include/ares_version.h # c-ares - from deps/cares/include/ares_version.h
# https://github.com/nodejs/node/pull/9332 # https://github.com/nodejs/node/pull/9332
%global c_ares_version 1.19.1 %global c_ares_version 1.20.1
# llhttp - from deps/llhttp/include/llhttp.h # llhttp - from deps/llhttp/include/llhttp.h
%global llhttp_version 8.1.1 %global llhttp_version 8.1.1
@ -78,7 +78,7 @@
%global libuv_version 1.46.0 %global libuv_version 1.46.0
# nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h # nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h
%global nghttp2_version 1.55.1 %global nghttp2_version 1.58.0
# nghttp3 - from deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h # nghttp3 - from deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h
%global nghttp3_version 0.7.0 %global nghttp3_version 0.7.0
@ -106,10 +106,10 @@
%endif %endif
# simduft from deps/simdutf/simdutf.h # simduft from deps/simdutf/simdutf.h
%global simduft_version 3.2.14 %global simduft_version 4.0.4
# ada from deps/ada/ada.h # ada from deps/ada/ada.h
%global ada_version 2.5.1 %global ada_version 2.7.4
# OpenSSL minimum version # OpenSSL minimum version
%global openssl_minimum 1:1.1.1 %global openssl_minimum 1:1.1.1
@ -122,7 +122,7 @@
# npm - from deps/npm/package.json # npm - from deps/npm/package.json
%global npm_epoch 1 %global npm_epoch 1
%global npm_version 9.8.0 %global npm_version 10.2.4
# In order to avoid needing to keep incrementing the release version for the # In order to avoid needing to keep incrementing the release version for the
# main package forever, we will just construct one for npm that is guaranteed # main package forever, we will just construct one for npm that is guaranteed
@ -132,10 +132,10 @@
# Node.js 16.9.1 and later comes with an experimental package management tool # Node.js 16.9.1 and later comes with an experimental package management tool
# corepack - from deps/corepack/package.json # corepack - from deps/corepack/package.json
%global corepack_version 0.19.0 %global corepack_version 0.23.0
# uvwasi - from deps/uvwasi/include/uvwasi.h # uvwasi - from deps/uvwasi/include/uvwasi.h
%global uvwasi_version 0.0.18 %global uvwasi_version 0.0.19
# histogram_c - from deps/histogram/include/hdr/hdr_histogram_version.h # histogram_c - from deps/histogram/include/hdr/hdr_histogram_version.h
%global histogram_version 0.11.8 %global histogram_version 0.11.8
@ -177,19 +177,21 @@ Source8: npmrc.builtin.in
# Adjustments: rm -f cjs-module-lexer-1.2.2/lib/lexer.wasm # Adjustments: rm -f cjs-module-lexer-1.2.2/lib/lexer.wasm
Source101: cjs-module-lexer-1.2.2.tar.gz Source101: cjs-module-lexer-1.2.2.tar.gz
# The WASM blob was made using wasi-sdk v11; compiler libraries are linked in. # The WASM blob was made using wasi-sdk v11; compiler libraries are linked in.
# Version source: Makefile # Version source (cjs-module-lexer tarball): Makefile
Source102: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-wasi-sdk-11.tar.gz Source102: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-wasi-sdk-11.tar.gz
# Version: jq '.version' deps/undici/src/package.json # Version: jq '.version' deps/undici/src/package.json
# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.22.1.tar.gz # Original: https://github.com/nodejs/undici/archive/refs/tags/v5.28.3.tar.gz
# Adjustments: rm -f undici-5.21.0/lib/llhttp/llhttp*.wasm* # Adjustments: rm -f undici-5.28.3/lib/llhttp/llhttp*.wasm*
Source111: undici-5.22.1.tar.gz Source111: undici-5.28.3.tar.gz
# The WASM blob was made using wasi-sdk v14; compiler libraries are linked in. # The WASM blob was made using wasi-sdk v16; compiler libraries are linked in.
# Version source: build/Dockerfile # Version source: deps/undici/src/lib/llhttp/wasm_build_env.txt
Source112: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-14/wasi-sdk-wasi-sdk-14.tar.gz # Also check (undici tarball): lib/llhttp/wasm_build_env.txt
Source112: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-16/wasi-sdk-wasi-sdk-16.tar.gz
# Disable running gyp on bundled deps we don't use # Disable running gyp on bundled deps we don't use
Patch1: 0001-Disable-running-gyp-on-shared-deps.patch Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
Patch3: nodejs-fips-disable-options.patch
BuildRequires: make BuildRequires: make
BuildRequires: python3-devel BuildRequires: python3-devel
@ -432,7 +434,7 @@ export CFLAGS="%{optflags} ${extra_cflags[*]}" CXXFLAGS="%{optflags} ${extra_cfl
export LDFLAGS="%{build_ldflags}" export LDFLAGS="%{build_ldflags}"
%{__python3} configure.py --prefix=%{_prefix} --verbose \ %{__python3} configure.py --prefix=%{_prefix} --verbose \
--shared-openssl \ --shared-openssl --openssl-conf-name=openssl_conf \
--shared-zlib \ --shared-zlib \
--shared-brotli \ --shared-brotli \
%{!?with_bundled:--shared-libuv} \ %{!?with_bundled:--shared-libuv} \
@ -452,7 +454,7 @@ make BUILDTYPE=Release %{?_smp_mflags}
# Extract the ICU data and convert it to the appropriate endianness # Extract the ICU data and convert it to the appropriate endianness
pushd deps/ pushd deps/
tar xfz %SOURCE3 tar xfz %{SOURCE3}
pushd icu/source pushd icu/source
@ -720,6 +722,25 @@ end
%changelog %changelog
* Wed Feb 21 2024 Lukas Javorsky <ljavorsk@redhat.com> - 1:20.11.1-1
- Rebase to version 20.11.1
- Fixes: CVE-2024-21892 CVE-2024-21896 CVE-2024-22017 CVE-2024-22019 (high)
- Fixes: CVE-2023-46809 CVE-2024-21890 CVE-2024-21891 (medium)
* Fri Jan 19 2024 Lukas Javorsky <ljavorsk@redhat.com> - 1:20.11.0-1
- Rebase to version 20.11.0
- Resolves: RHEL-21434
* Thu Nov 09 2023 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:20.9.0-1
- Rebase to LTS
- Resolves: RHEL-16159
* Wed Oct 18 2023 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:20.8.1-1
- Update node and nghttp
- Add fips patch
- Fixes CVE-2023-44487 (nghttp)
- Fixes CVE-2023-45143, CVE-2023-39331, CVE-2023-39332, CVE-2023-38552, CVE-2023-39333
* Thu Aug 10 2023 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:20.5.1-1 * Thu Aug 10 2023 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:20.5.1-1
- Rebase to new security release - Rebase to new security release
- Address CVE-2023-32002, CVE-2023-32004, CVE-2023-32558 (high) - Address CVE-2023-32002, CVE-2023-32004, CVE-2023-32558 (high)