From 415e0f97b9a62961de3b66532a5fa6419567a1d5 Mon Sep 17 00:00:00 2001 From: eabdullin Date: Thu, 28 Mar 2024 14:21:54 +0000 Subject: [PATCH] import CS nodejs-20.11.0-1.module_el9+825+ff71e88c --- .gitignore | 6 +-- .nodejs.metadata | 6 +-- SOURCES/nodejs-fips-disable-options.patch | 20 ++++++++++ SPECS/nodejs.spec | 46 +++++++++++++++-------- 4 files changed, 56 insertions(+), 22 deletions(-) create mode 100644 SOURCES/nodejs-fips-disable-options.patch diff --git a/.gitignore b/.gitignore index 0064a6c..d156db3 100644 --- a/.gitignore +++ b/.gitignore @@ -1,6 +1,6 @@ SOURCES/cjs-module-lexer-1.2.2.tar.gz SOURCES/icu4c-73_2-src.tgz -SOURCES/node-v20.5.1-stripped.tar.gz -SOURCES/undici-5.22.1.tar.gz +SOURCES/node-v20.11.0-stripped.tar.gz +SOURCES/undici-5.27.2.tar.gz SOURCES/wasi-sdk-11.0-linux.tar.gz -SOURCES/wasi-sdk-14.0-linux.tar.gz +SOURCES/wasi-sdk-16.0-linux.tar.gz diff --git a/.nodejs.metadata b/.nodejs.metadata index fd4091a..08cab3d 100644 --- a/.nodejs.metadata +++ b/.nodejs.metadata @@ -1,6 +1,6 @@ b0a91341ecf6c68a9d59a1c57d000fbbcc771679 SOURCES/cjs-module-lexer-1.2.2.tar.gz 3d94969b097189bf5479c312d9593d2d252f5a73 SOURCES/icu4c-73_2-src.tgz -ff25b892461bb3d6b359dec449e9ef86dd87115c SOURCES/node-v20.5.1-stripped.tar.gz -616384b209d651b7cb7b41a8a7752eb2e923806a SOURCES/undici-5.22.1.tar.gz +8b62ac9e63c605f9942a0bee294c8a98c1ca63ba SOURCES/node-v20.11.0-stripped.tar.gz +af3eca3508a818ea8e5829b2a4104f5ef7ddd5e2 SOURCES/undici-5.27.2.tar.gz ff114dd45b4efeeae7afe4621bfc6f886a475b4b SOURCES/wasi-sdk-11.0-linux.tar.gz -c29e21be754c26cac4bf99848c5b1f4e8564e248 SOURCES/wasi-sdk-14.0-linux.tar.gz +fbe01909bf0e8260fcc3696ec37c9f731b5e356a SOURCES/wasi-sdk-16.0-linux.tar.gz diff --git a/SOURCES/nodejs-fips-disable-options.patch b/SOURCES/nodejs-fips-disable-options.patch new file mode 100644 index 0000000..998fb91 --- /dev/null +++ b/SOURCES/nodejs-fips-disable-options.patch @@ -0,0 +1,20 @@ +FIPS related options cause a segfault, let's end sooner + +Upstream report: https://github.com/nodejs/node/pull/48950 +RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=2226726 + +This patch makes the part of the code that processes cmd-line options for +FIPS to end sooner before the code gets to the problematic part of the code. + +diff -up node-v18.16.1/src/crypto/crypto_util.cc.origfips node-v18.16.1/src/crypto/crypto_util.cc +--- node-v18.16.1/src/crypto/crypto_util.cc.origfips 2023-07-31 12:09:46.603683081 +0200 ++++ node-v18.16.1/src/crypto/crypto_util.cc 2023-07-31 12:16:16.906617914 +0200 +@@ -111,6 +111,8 @@ bool ProcessFipsOptions() { + /* Override FIPS settings in configuration file, if needed. */ + if (per_process::cli_options->enable_fips_crypto || + per_process::cli_options->force_fips_crypto) { ++ fprintf(stderr, "ERROR: Using options related to FIPS is not recommended, configure FIPS in openssl instead. See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening for more details.\n"); ++ return false; + #if OPENSSL_VERSION_MAJOR >= 3 + OSSL_PROVIDER* fips_provider = OSSL_PROVIDER_load(nullptr, "fips"); + if (fips_provider == nullptr) diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec index eaf69b9..0f59f36 100644 --- a/SPECS/nodejs.spec +++ b/SPECS/nodejs.spec @@ -43,8 +43,8 @@ # than a Fedora release lifecycle. %global nodejs_epoch 1 %global nodejs_major 20 -%global nodejs_minor 5 -%global nodejs_patch 1 +%global nodejs_minor 11 +%global nodejs_patch 0 %global nodejs_abi %{nodejs_major}.%{nodejs_minor} # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h %global nodejs_soversion 115 @@ -68,7 +68,7 @@ # c-ares - from deps/cares/include/ares_version.h # https://github.com/nodejs/node/pull/9332 -%global c_ares_version 1.19.1 +%global c_ares_version 1.20.1 # llhttp - from deps/llhttp/include/llhttp.h %global llhttp_version 8.1.1 @@ -77,7 +77,7 @@ %global libuv_version 1.46.0 # nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h -%global nghttp2_version 1.55.1 +%global nghttp2_version 1.58.0 # nghttp3 - from deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h %global nghttp3_version 0.7.0 @@ -105,10 +105,10 @@ %endif # simduft from deps/simdutf/simdutf.h -%global simduft_version 3.2.14 +%global simduft_version 4.0.4 # ada from deps/ada/ada.h -%global ada_version 2.5.1 +%global ada_version 2.7.4 # OpenSSL minimum version %global openssl_minimum 1:1.1.1 @@ -121,7 +121,7 @@ # npm - from deps/npm/package.json %global npm_epoch 1 -%global npm_version 9.8.0 +%global npm_version 10.2.4 # In order to avoid needing to keep incrementing the release version for the # main package forever, we will just construct one for npm that is guaranteed @@ -131,10 +131,10 @@ # Node.js 16.9.1 and later comes with an experimental package management tool # corepack - from deps/corepack/package.json -%global corepack_version 0.19.0 +%global corepack_version 0.23.0 # uvwasi - from deps/uvwasi/include/uvwasi.h -%global uvwasi_version 0.0.18 +%global uvwasi_version 0.0.19 # histogram_c - from deps/histogram/include/hdr/hdr_histogram_version.h %global histogram_version 0.11.8 @@ -180,15 +180,15 @@ Source101: cjs-module-lexer-1.2.2.tar.gz Source111: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-11.0-linux.tar.gz # Version: jq '.version' deps/undici/src/package.json -# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.22.1.tar.gz -# Adjustments: rm -f undici-5.22.1/lib/llhttp/llhttp*.wasm -# wasi-sdk version can be found in Dockerfile -# https://github.com/nodejs/undici/blob/v5.22.1/build/Dockerfile -Source102: undici-5.22.1.tar.gz -Source112: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-14/wasi-sdk-14.0-linux.tar.gz +# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.27.2.tar.gz +# Adjustments: rm -f undici-5.27.2/lib/llhttp/llhttp*.wasm +# wasi-sdk version can be found in lib/llhttp/wasm_build_env.txt +Source102: undici-5.27.2.tar.gz +Source112: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-16/wasi-sdk-16.0-linux.tar.gz # Disable running gyp on bundled deps we don't use Patch1: 0001-Disable-running-gyp-on-shared-deps.patch +Patch3: nodejs-fips-disable-options.patch BuildRequires: make BuildRequires: python3-devel @@ -439,7 +439,7 @@ make BUILDTYPE=Release %{?_smp_mflags} # Extract the ICU data and convert it to the appropriate endianness pushd deps/ -tar xfz %SOURCE3 +tar xfz %{SOURCE3} pushd icu/source @@ -634,6 +634,20 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/nod %changelog +* Fri Jan 12 2024 Jan Staněk - 1:20.11.0-1 +- Rebase to version 20.11.0 + Resolves: RHEL-21188 + +* Thu Nov 09 2023 Zuzana Svetlikova - 1:20.9.0-1 +- Rebase to LTS +- Resolves: RHEL-16161 + +* Wed Oct 18 2023 Zuzana Svetlikova - 1:20.8.1-1 +- Update node and nghttp +- Add fips patch +- Fixes CVE-2023-44487 (nghttp) +- Fixes CVE-2023-45143, CVE-2023-39331, CVE-2023-39332, CVE-2023-38552, CVE-2023-39333 + * Thu Aug 10 2023 Zuzana Svetlikova - 1:20.5.1-1 - Rebase to new security release - Address CVE-2023-32002, CVE-2023-32004, CVE-2023-32558 (high)