Update to 18.20.2
Remove .ps1 files during the build. It prodeced automatic requirement of /usr/bin/pwsh Resolves: RHEL-26531
This commit is contained in:
Filip Janus
parent
38455336c5
commit
7a23f4024b
3
.gitignore
vendored
Normal file → Executable file
3
.gitignore
vendored
Normal file → Executable file
@ -53,3 +53,6 @@
|
||||
/undici-5.26.4.tar.gz
|
||||
/node-v18.19.1-stripped.tar.gz
|
||||
/undici-5.28.3.tar.gz
|
||||
/node-v18.20.2-stripped.tar.gz
|
||||
/icu4c-74_2-src.tgz
|
||||
/undici-5.28.4.tar.gz
|
||||
|
||||
157
CVE-2024-28182.patch
Normal file
157
CVE-2024-28182.patch
Normal file
@ -0,0 +1,157 @@
|
||||
Backport from upstream commits.
|
||||
https://github.com/nghttp2/nghttp2/commit/00201ecd8f982da3b67d4f6868af72a1b03b14e0
|
||||
https://github.com/nghttp2/nghttp2/commit/d71a4668c6bead55805d18810d633fbb98315af9
|
||||
|
||||
|
||||
diff -ur node-v18.19.1_orig/deps/nghttp2/lib/includes/nghttp2/nghttp2.h node-v18.19.1/deps/nghttp2/lib/includes/nghttp2/nghttp2.h
|
||||
--- node-v18.19.1_orig/deps/nghttp2/lib/includes/nghttp2/nghttp2.h 2024-04-15 14:38:00.000000000 +0200
|
||||
+++ node-v18.19.1/deps/nghttp2/lib/includes/nghttp2/nghttp2.h 2024-04-15 14:43:36.000000000 +0200
|
||||
@@ -440,7 +440,12 @@
|
||||
* exhaustion on server side to send these frames forever and does
|
||||
* not read network.
|
||||
*/
|
||||
- NGHTTP2_ERR_FLOODED = -904
|
||||
+ NGHTTP2_ERR_FLOODED = -904,
|
||||
+ /**
|
||||
+ * When a local endpoint receives too many CONTINUATION frames
|
||||
+ * following a HEADER frame.
|
||||
+ */
|
||||
+ NGHTTP2_ERR_TOO_MANY_CONTINUATIONS = -905,
|
||||
} nghttp2_error;
|
||||
|
||||
/**
|
||||
@@ -2775,6 +2780,17 @@
|
||||
|
||||
/**
|
||||
* @function
|
||||
+ *
|
||||
+ * This function sets the maximum number of CONTINUATION frames
|
||||
+ * following an incoming HEADER frame. If more than those frames are
|
||||
+ * received, the remote endpoint is considered to be misbehaving and
|
||||
+ * session will be closed. The default value is 8.
|
||||
+ */
|
||||
+NGHTTP2_EXTERN void nghttp2_option_set_max_continuations(nghttp2_option *option,
|
||||
+ size_t val);
|
||||
+
|
||||
+/**
|
||||
+ * @function
|
||||
*
|
||||
* Initializes |*session_ptr| for client use. The all members of
|
||||
* |callbacks| are copied to |*session_ptr|. Therefore |*session_ptr|
|
||||
Only in node-v18.19.1/deps/nghttp2/lib/includes/nghttp2: nghttp2.h.orig
|
||||
diff -ur node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_helper.c node-v18.19.1/deps/nghttp2/lib/nghttp2_helper.c
|
||||
--- node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_helper.c 2024-04-15 14:38:00.000000000 +0200
|
||||
+++ node-v18.19.1/deps/nghttp2/lib/nghttp2_helper.c 2024-04-15 14:41:10.000000000 +0200
|
||||
@@ -336,6 +336,8 @@
|
||||
"closed";
|
||||
case NGHTTP2_ERR_TOO_MANY_SETTINGS:
|
||||
return "SETTINGS frame contained more than the maximum allowed entries";
|
||||
+ case NGHTTP2_ERR_TOO_MANY_CONTINUATIONS:
|
||||
+ return "Too many CONTINUATION frames following a HEADER frame";
|
||||
default:
|
||||
return "Unknown error code";
|
||||
}
|
||||
diff -ur node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_option.c node-v18.19.1/deps/nghttp2/lib/nghttp2_option.c
|
||||
--- node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_option.c 2024-04-15 14:38:00.000000000 +0200
|
||||
+++ node-v18.19.1/deps/nghttp2/lib/nghttp2_option.c 2024-04-15 14:43:36.000000000 +0200
|
||||
@@ -150,3 +150,8 @@
|
||||
option->stream_reset_burst = burst;
|
||||
option->stream_reset_rate = rate;
|
||||
}
|
||||
+
|
||||
+void nghttp2_option_set_max_continuations(nghttp2_option *option, size_t val) {
|
||||
+ option->opt_set_mask |= NGHTTP2_OPT_MAX_CONTINUATIONS;
|
||||
+ option->max_continuations = val;
|
||||
+}
|
||||
diff -ur node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_option.h node-v18.19.1/deps/nghttp2/lib/nghttp2_option.h
|
||||
--- node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_option.h 2024-04-15 14:38:00.000000000 +0200
|
||||
+++ node-v18.19.1/deps/nghttp2/lib/nghttp2_option.h 2024-04-15 14:43:36.000000000 +0200
|
||||
@@ -71,6 +71,7 @@
|
||||
NGHTTP2_OPT_SERVER_FALLBACK_RFC7540_PRIORITIES = 1 << 13,
|
||||
NGHTTP2_OPT_NO_RFC9113_LEADING_AND_TRAILING_WS_VALIDATION = 1 << 14,
|
||||
NGHTTP2_OPT_STREAM_RESET_RATE_LIMIT = 1 << 15,
|
||||
+ NGHTTP2_OPT_MAX_CONTINUATIONS = 1 << 16,
|
||||
} nghttp2_option_flag;
|
||||
|
||||
/**
|
||||
@@ -99,6 +100,10 @@
|
||||
*/
|
||||
size_t max_settings;
|
||||
/**
|
||||
+ * NGHTTP2_OPT_MAX_CONTINUATIONS
|
||||
+ */
|
||||
+ size_t max_continuations;
|
||||
+ /**
|
||||
* Bitwise OR of nghttp2_option_flag to determine that which fields
|
||||
* are specified.
|
||||
*/
|
||||
diff -ur node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_session.c node-v18.19.1/deps/nghttp2/lib/nghttp2_session.c
|
||||
--- node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_session.c 2024-04-15 14:38:00.000000000 +0200
|
||||
+++ node-v18.19.1/deps/nghttp2/lib/nghttp2_session.c 2024-04-15 14:43:36.000000000 +0200
|
||||
@@ -496,6 +496,7 @@
|
||||
(*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN;
|
||||
(*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM;
|
||||
(*session_ptr)->max_settings = NGHTTP2_DEFAULT_MAX_SETTINGS;
|
||||
+ (*session_ptr)->max_continuations = NGHTTP2_DEFAULT_MAX_CONTINUATIONS;
|
||||
|
||||
if (option) {
|
||||
if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) &&
|
||||
@@ -584,6 +585,10 @@
|
||||
option->stream_reset_burst,
|
||||
option->stream_reset_rate);
|
||||
}
|
||||
+
|
||||
+ if (option->opt_set_mask & NGHTTP2_OPT_MAX_CONTINUATIONS) {
|
||||
+ (*session_ptr)->max_continuations = option->max_continuations;
|
||||
+ }
|
||||
}
|
||||
|
||||
rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater,
|
||||
@@ -6778,6 +6783,8 @@
|
||||
}
|
||||
}
|
||||
session_inbound_frame_reset(session);
|
||||
+
|
||||
+ session->num_continuations = 0;
|
||||
}
|
||||
break;
|
||||
}
|
||||
@@ -6899,6 +6906,10 @@
|
||||
}
|
||||
#endif /* DEBUGBUILD */
|
||||
|
||||
+ if (++session->num_continuations > session->max_continuations) {
|
||||
+ return NGHTTP2_ERR_TOO_MANY_CONTINUATIONS;
|
||||
+ }
|
||||
+
|
||||
readlen = inbound_frame_buf_read(iframe, in, last);
|
||||
in += readlen;
|
||||
|
||||
Only in node-v18.19.1/deps/nghttp2/lib: nghttp2_session.c.orig
|
||||
diff -ur node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_session.h node-v18.19.1/deps/nghttp2/lib/nghttp2_session.h
|
||||
--- node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_session.h 2024-04-15 14:38:00.000000000 +0200
|
||||
+++ node-v18.19.1/deps/nghttp2/lib/nghttp2_session.h 2024-04-15 14:41:10.000000000 +0200
|
||||
@@ -110,6 +110,10 @@
|
||||
#define NGHTTP2_DEFAULT_STREAM_RESET_BURST 1000
|
||||
#define NGHTTP2_DEFAULT_STREAM_RESET_RATE 33
|
||||
|
||||
+/* The default max number of CONTINUATION frames following an incoming
|
||||
+ HEADER frame. */
|
||||
+#define NGHTTP2_DEFAULT_MAX_CONTINUATIONS 8
|
||||
+
|
||||
/* Internal state when receiving incoming frame */
|
||||
typedef enum {
|
||||
/* Receiving frame header */
|
||||
@@ -290,6 +294,12 @@
|
||||
size_t max_send_header_block_length;
|
||||
/* The maximum number of settings accepted per SETTINGS frame. */
|
||||
size_t max_settings;
|
||||
+ /* The maximum number of CONTINUATION frames following an incoming
|
||||
+ HEADER frame. */
|
||||
+ size_t max_continuations;
|
||||
+ /* The number of CONTINUATION frames following an incoming HEADER
|
||||
+ frame. This variable is reset when END_HEADERS flag is seen. */
|
||||
+ size_t num_continuations;
|
||||
/* Next Stream ID. Made unsigned int to detect >= (1 << 31). */
|
||||
uint32_t next_stream_id;
|
||||
/* The last stream ID this session initiated. For client session,
|
||||
43
nodejs.spec
43
nodejs.spec
@ -29,7 +29,7 @@
|
||||
# This is used by both the nodejs package and the npm subpackage that
|
||||
# has a separate version - the name is special so that rpmdev-bumpspec
|
||||
# will bump this rather than adding .1 to the end.
|
||||
%global baserelease 1
|
||||
%global baserelease 2
|
||||
|
||||
%{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}
|
||||
|
||||
@ -40,8 +40,8 @@
|
||||
# than a Fedora release lifecycle.
|
||||
%global nodejs_epoch 1
|
||||
%global nodejs_major 18
|
||||
%global nodejs_minor 19
|
||||
%global nodejs_patch 1
|
||||
%global nodejs_minor 20
|
||||
%global nodejs_patch 2
|
||||
%global nodejs_abi %{nodejs_major}.%{nodejs_minor}
|
||||
# nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
|
||||
%global nodejs_soversion 108
|
||||
@ -65,10 +65,10 @@
|
||||
|
||||
# c-ares - from deps/cares/include/ares_version.h
|
||||
# https://github.com/nodejs/node/pull/9332
|
||||
%global c_ares_version 1.20.1
|
||||
%global c_ares_version 1.27.0
|
||||
|
||||
# llhttp - from deps/llhttp/include/llhttp.h
|
||||
%global llhttp_version 6.1.0
|
||||
%global llhttp_version 6.1.1
|
||||
|
||||
# libuv - from deps/uv/include/uv/version.h
|
||||
%global libuv_version 1.44.2
|
||||
@ -89,7 +89,7 @@
|
||||
%global ngtcp2_version %{ngtcp2_major}.%{ngtcp2_minor}.%{ngtcp2_patch}
|
||||
|
||||
# ICU - from tools/icu/current_ver.dep
|
||||
%global icu_major 73
|
||||
%global icu_major 74
|
||||
%global icu_minor 2
|
||||
%global icu_version %{icu_major}.%{icu_minor}
|
||||
|
||||
@ -108,13 +108,13 @@
|
||||
%endif
|
||||
|
||||
# simduft from deps/simdutf/simdutf.h
|
||||
%global simduft_major 3
|
||||
%global simduft_minor 2
|
||||
%global simduft_patch 18
|
||||
%global simduft_major 4
|
||||
%global simduft_minor 0
|
||||
%global simduft_patch 8
|
||||
%global simduft_version %{simduft_major}.%{simduft_minor}.%{simduft_patch}
|
||||
|
||||
# ada from deps/ada/ada.h
|
||||
%global ada_version 2.7.2
|
||||
%global ada_version 2.7.6
|
||||
|
||||
# OpenSSL minimum version
|
||||
%global openssl_minimum 1:1.1.1
|
||||
@ -126,7 +126,7 @@
|
||||
|
||||
# npm - from deps/npm/package.json
|
||||
%global npm_epoch 1
|
||||
%global npm_version 10.2.4
|
||||
%global npm_version 10.5.0
|
||||
|
||||
# In order to avoid needing to keep incrementing the release version for the
|
||||
# main package forever, we will just construct one for npm that is guaranteed
|
||||
@ -138,7 +138,7 @@
|
||||
%global uvwasi_version 0.0.19
|
||||
|
||||
# histogram_c - assumed from timestamps
|
||||
%global histogram_version 0.11.2
|
||||
%global histogram_version 0.11.8
|
||||
|
||||
Name: nodejs
|
||||
Epoch: %{nodejs_epoch}
|
||||
@ -181,14 +181,15 @@ Source101: cjs-module-lexer-1.2.2.tar.gz
|
||||
Source111: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-11.0-linux.tar.gz
|
||||
|
||||
# Version: jq '.version' deps/undici/src/package.json
|
||||
# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.28.3.tar.gz
|
||||
# Adjustments: rm -f undici-5.28.3/lib/llhttp/llhttp*.wasm
|
||||
# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.28.4.tar.gz
|
||||
# Adjustments: rm -f undici-5.28.4/lib/llhttp/llhttp*.wasm
|
||||
# Build uses alpine image, see alpine for sources for wasi-sdk
|
||||
Source102: undici-5.28.3.tar.gz
|
||||
Source102: undici-5.28.4.tar.gz
|
||||
|
||||
# Disable running gyp on bundled deps we don't use
|
||||
Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
|
||||
Patch3: nodejs-fips-disable-options.patch
|
||||
Patch4: CVE-2024-28182.patch
|
||||
|
||||
BuildRequires: make
|
||||
BuildRequires: python3-devel
|
||||
@ -530,6 +531,11 @@ find %{buildroot}%{_prefix}/lib/node_modules/npm \
|
||||
-executable -type f \
|
||||
-exec chmod -x {} \;
|
||||
|
||||
# NPM bundle dep contain powershell files
|
||||
# These files are not useful for linux
|
||||
# systems and create /usr/bin/pwsh requirement, so the files are deleted
|
||||
find %{buildroot}%{_prefix}/lib/node_modules/npm/bin/*.ps1 -executable -type f -exec rm {} \;
|
||||
|
||||
# The above command is a little overzealous. Add a few permissions back.
|
||||
chmod 0755 %{buildroot}%{_prefix}/lib/node_modules/npm/node_modules/@npmcli/run-script/lib/node-gyp-bin/node-gyp
|
||||
chmod 0755 %{buildroot}%{_prefix}/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js
|
||||
@ -628,6 +634,13 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/nod
|
||||
|
||||
|
||||
%changelog
|
||||
* Mon Apr 22 2024 Filip Janus <fjanus@redhat.com> - 1:18.20.2-2
|
||||
- Removes .ps1 files
|
||||
|
||||
* Mon Apr 15 2024 Filip Janus <fjanus@redhat.com> - 1:18.20.2-1
|
||||
- Rebase to 18.20.2
|
||||
- Fix: CVE-2024-27983, CVE-2024-28182, CVE-2024-27982, CVE-2024-25629
|
||||
|
||||
* Tue Mar 05 2024 Lukas Javorsky <ljavorsk@redhat.com> - 1:18.19.1-1
|
||||
- Rebase to version 18.19.1
|
||||
- Fixes: CVE-2024-21892 CVE-2024-22019 (high)
|
||||
|
||||
6
sources
Normal file → Executable file
6
sources
Normal file → Executable file
@ -1,5 +1,5 @@
|
||||
SHA512 (node-v18.19.1-stripped.tar.gz) = 9cba0054d8be1e024f69c1e6d9d6931b4168ca3752fa421154f62243086786837016edd512de8a7839560f01ecad95bd4137521f4a2b52f0466e5a963b6d3e05
|
||||
SHA512 (icu4c-73_2-src.tgz) = 76dd782db6205833f289d7eb68b60860dddfa3f614f0ba03fe7ec13117077f82109f0dc1becabcdf4c8a9c628b94478ab0a46134bdb06f4302be55f74027ce62
|
||||
SHA512 (undici-5.28.3.tar.gz) = 1626128b41411447f519a605c3570c875a4c26b493cc3175b04ec54836450d23635813c93758b229f971a4b26096c0d497e13c91da4a40134536fece964ebb0b
|
||||
SHA512 (node-v18.20.2-stripped.tar.gz) = 4979a4089137c46f4502951b7db5fd3842a51b6d1eea817c25cf0a99dc39b6f136f0c9ba694498dbdcf357dfab134824a6eaf6d7f7099565c10bc0b677e9e0a5
|
||||
SHA512 (icu4c-74_2-src.tgz) = e6c7876c0f3d756f3a6969cad9a8909e535eeaac352f3a721338b9cbd56864bf7414469d29ec843462997815d2ca9d0dab06d38c37cdd4d8feb28ad04d8781b0
|
||||
SHA512 (undici-5.28.4.tar.gz) = b5d718fa37a92f04d9e6c3054f330622b4886ee11e8e756288cf1b002718a1b65170a8766cf70c3a49ee2a40a8fbde382f097649adf48ae2b853167fc61bd3b0
|
||||
SHA512 (cjs-module-lexer-1.2.2.tar.gz) = 0437378a087a43044b64e6b2e66426e429d87ed3f24a225d20ddc8fedda25917ba7db04a9d41207c59d20f0e6764837dad09393e5b8f92e361941a60ac5edd80
|
||||
SHA512 (wasi-sdk-11.0-linux.tar.gz) = e3ed4597f7f2290967eef6238e9046f60abbcb8633a4a2a51525d00e7393df8df637a98a5b668217d332dd44fcbf2442ec7efd5e65724e888d90611164451e20
|
||||
|
||||
Loading…
Reference in New Issue
Block a user