From ab2b7ed43c79eb96b68993d4bbba6089491c23a1 Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Mon, 12 Jul 2021 14:32:12 +0000 Subject: [PATCH] import nodejs-14.17.3-2.module+el8.4.0+11738+3bd42762 --- .gitignore | 4 +- .nodejs.metadata | 4 +- ...0003-yarn-not-installable-on-aarch64.patch | 92 ------------------- ...8n-prototype-pollution-vulnerability.patch | 13 --- SPECS/nodejs.spec | 62 ++++++++----- 5 files changed, 42 insertions(+), 133 deletions(-) delete mode 100644 SOURCES/0003-yarn-not-installable-on-aarch64.patch delete mode 100644 SOURCES/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch diff --git a/.gitignore b/.gitignore index 8ece6ed..6d0e110 100644 --- a/.gitignore +++ b/.gitignore @@ -1,2 +1,2 @@ -SOURCES/icu4c-67_1-src.tgz -SOURCES/node-v14.16.0-stripped.tar.gz +SOURCES/icu4c-69_1-src.tgz +SOURCES/node-v14.17.3-stripped.tar.gz diff --git a/.nodejs.metadata b/.nodejs.metadata index 7290645..957a374 100644 --- a/.nodejs.metadata +++ b/.nodejs.metadata @@ -1,2 +1,2 @@ -6822a4a94324d1ba591b3e8ef084e4491af253c1 SOURCES/icu4c-67_1-src.tgz -953a6d085899d3c040616a6380fd9e21d2d41003 SOURCES/node-v14.16.0-stripped.tar.gz +620a71c84428758376baa0fb81a581c3daa866ce SOURCES/icu4c-69_1-src.tgz +03c817ff5bbebe21d120a2ddee9a87ff223914db SOURCES/node-v14.17.3-stripped.tar.gz diff --git a/SOURCES/0003-yarn-not-installable-on-aarch64.patch b/SOURCES/0003-yarn-not-installable-on-aarch64.patch deleted file mode 100644 index dd4a3bb..0000000 --- a/SOURCES/0003-yarn-not-installable-on-aarch64.patch +++ /dev/null @@ -1,92 +0,0 @@ - 
From d4d05ceb418c525b0d07e76b81b8694ac2f5b309 Mon Sep 17 00:00:00 2001 -From: Daniel Bevenius -Date: Wed, 16 Sep 2020 06:12:54 +0200 -Subject: [PATCH] [deps] V8: cherry-pick 71736859756b2bd0444bdb0a87a - -Original commit message: - - [heap] Add large_object_threshold to AllocateRaw - - This commit adds a check in Heap::AllocateRaw when setting the - large_object variable, when the AllocationType is of type kCode, to - take into account the size of the CodeSpace's area size. - - The motivation for this change is that without this check it is - possible that size_in_bytes is less than 128, and hence not considered - a large object, but it might be larger than the available space - in code_space->AreaSize(), which will cause the object to be created - in the CodeLargeObjectSpace. This will later cause a segmentation fault - when calling the following chain of functions: - - if (!large_object) { - MemoryChunk::FromHeapObject(heap_object) - ->GetCodeObjectRegistry() - ->RegisterNewlyAllocatedCodeObject(heap_object.address()); - } - - We (Red Hat) ran into this issue when running Node.js v12.16.1 in - combination with yarn on aarch64 (this was the only architecture that - this happed on). 
- - Bug: v8:10808 - Change-Id: I0c396b0eb64bc4cc91d9a3be521254f3130eac7b - Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/2390665 - Commit-Queue: Ulan Degenbaev - Reviewed-by: Ulan Degenbaev - Cr-Commit-Position: refs/heads/master@{#69876} - -Refs: https://github.com/v8/v8/commit/71736859756b2bd0444bdb0a87a61a0b090cbba2 ---- - deps/v8/src/heap/heap-inl.h | 13 +++-- - deps/v8/src/heap/heap.h | 6 ++- - 4 files changed, 83 insertions(+), 6 deletions(-) - -diff --git a/deps/v8/src/heap/heap-inl.h b/deps/v8/src/heap/heap-inl.h -index 39f5ec6c66e..b56ebc03d58 100644 ---- a/deps/v8/src/heap/heap-inl.h -+++ b/deps/v8/src/heap/heap-inl.h -@@ -192,7 +192,12 @@ AllocationResult Heap::AllocateRaw(int size_in_bytes, AllocationType type, - IncrementObjectCounters(); - #endif - -- bool large_object = size_in_bytes > kMaxRegularHeapObjectSize; -+ size_t large_object_threshold = -+ AllocationType::kCode == type -+ ? std::min(kMaxRegularHeapObjectSize, code_space()->AreaSize()) -+ : kMaxRegularHeapObjectSize; -+ bool large_object = -+ static_cast(size_in_bytes) > large_object_threshold; - - HeapObject object; - AllocationResult allocation; -@@ -225,10 +230,10 @@ AllocationResult Heap::AllocateRaw(int size_in_bytes, AllocationType type, - allocation = old_space_->AllocateRaw(size_in_bytes, alignment, origin); - } - } else if (AllocationType::kCode == type) { -- if (size_in_bytes <= code_space()->AreaSize() && !large_object) { -- allocation = code_space_->AllocateRawUnaligned(size_in_bytes); -- } else { -+ if (large_object) { - allocation = code_lo_space_->AllocateRaw(size_in_bytes); -+ } else { -+ allocation = code_space_->AllocateRawUnaligned(size_in_bytes); - } - } else if (AllocationType::kMap == type) { - allocation = map_space_->AllocateRawUnaligned(size_in_bytes); -diff --git a/deps/v8/src/heap/heap.h b/deps/v8/src/heap/heap.h -index 888d174c02f..0165fa6970f 100644 ---- a/deps/v8/src/heap/heap.h -+++ b/deps/v8/src/heap/heap.h -@@ -1404,8 +1404,10 @@ class Heap 
{ - // Heap object allocation tracking. ========================================== - // =========================================================================== - -- void AddHeapObjectAllocationTracker(HeapObjectAllocationTracker* tracker); -- void RemoveHeapObjectAllocationTracker(HeapObjectAllocationTracker* tracker); -+ V8_EXPORT_PRIVATE void AddHeapObjectAllocationTracker( -+ HeapObjectAllocationTracker* tracker); -+ V8_EXPORT_PRIVATE void RemoveHeapObjectAllocationTracker( -+ HeapObjectAllocationTracker* tracker); - bool has_heap_object_allocation_tracker() const { - return !allocation_trackers_.empty(); - } diff --git a/SOURCES/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch b/SOURCES/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch deleted file mode 100644 index 88a9d75..0000000 --- a/SOURCES/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/deps/npm/node_modules/y18n/index.js b/deps/npm/node_modules/y18n/index.js -index d720681628..727362aac0 100644 ---- a/deps/npm/node_modules/y18n/index.js -+++ b/deps/npm/node_modules/y18n/index.js -@@ -11,7 +11,7 @@ function Y18N (opts) { - this.fallbackToLanguage = typeof opts.fallbackToLanguage === 'boolean' ? opts.fallbackToLanguage : true - - // internal stuff. -- this.cache = {} -+ this.cache = Object.create(null) - this.writeQueue = [] - } - diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec index 3d55315..d514358 100644 --- a/SPECS/nodejs.spec +++ b/SPECS/nodejs.spec @@ -26,8 +26,8 @@ # than a Fedora release lifecycle. %global nodejs_epoch 1 %global nodejs_major 14 -%global nodejs_minor 16 -%global nodejs_patch 0 +%global nodejs_minor 17 +%global nodejs_patch 3 %global nodejs_abi %{nodejs_major}.%{nodejs_minor} %if %{?with_libs} == 1 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h 
@@ -45,7 +45,7 @@ %global v8_major 8 %global v8_minor 4 %global v8_build 371 -%global v8_patch 19 +%global v8_patch 23 # V8 presently breaks ABI at least every x.y release while never bumping SONAME %global v8_abi %{v8_major}.%{v8_minor} %global v8_version %{v8_major}.%{v8_minor}.%{v8_build}.%{v8_patch} @@ -54,7 +54,7 @@ # c-ares - from deps/cares/include/ares_version.h # https://github.com/nodejs/node/pull/9332 %global c_ares_major 1 -%global c_ares_minor 16 +%global c_ares_minor 17 %global c_ares_patch 1 %global c_ares_version %{c_ares_major}.%{c_ares_minor}.%{c_ares_patch} @@ -66,18 +66,18 @@ # libuv - from deps/uv/include/uv/version.h %global libuv_major 1 -%global libuv_minor 40 +%global libuv_minor 41 %global libuv_patch 0 %global libuv_version %{libuv_major}.%{libuv_minor}.%{libuv_patch} # nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h %global nghttp2_major 1 -%global nghttp2_minor 41 +%global nghttp2_minor 42 %global nghttp2_patch 0 %global nghttp2_version %{nghttp2_major}.%{nghttp2_minor}.%{nghttp2_patch} # ICU - from tools/icu/current_ver.dep -%global icu_major 67 +%global icu_major 69 %global icu_minor 1 %global icu_version %{icu_major}.%{icu_minor} @@ -110,7 +110,7 @@ %global npm_epoch 1 %global npm_major 6 %global npm_minor 14 -%global npm_patch 11 +%global npm_patch 13 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch} # uvwasi - from deps/uvwasi/include/uvwasi.h @@ -166,11 +166,7 @@ Patch2: 0002-Install-both-binaries-and-use-libdir.patch %endif # RHBZ#1915296 - yarn install crashes with nodejs:14 on aarch64 -Patch3: 0003-yarn-not-installable-on-aarch64.patch - -# CVE-2020-7774 -Patch4: 0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch - +# Patch3: 0003-yarn-not-installable-on-aarch64.patch BuildRequires: make BuildRequires: python3-devel 
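Review bot: In the last hunk on this line (`@@ -166,11 +166,7 @@`), the `Patch4` entry for CVE-2020-7774 is removed with no replacement comment, and the new 14.17.3-1 and 14.17.3-2 changelog entries mention only patch3, so the spec no longer records why the y18n prototype-pollution fix is not carried. If the reason is that the npm bundled in the 14.17.3 tarball already ships the fixed y18n (not visible here; confirm that `deps/npm/node_modules/y18n/index.js` initialises `this.cache` with `Object.create(null)`), state it in place, for example `# CVE-2020-7774 (y18n): fixed in bundled npm, downstream Patch4 dropped`. The `# Patch3:` line has a similar problem: it is left commented out beneath the RHBZ#1915296 comment, which now reads as if the aarch64 fix were still applied. Either delete both lines or reword the comment to say the V8 fix is expected from the rebased sources.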
@@ -184,12 +180,12 @@ BuildRequires: gcc-c++ >= 6.3.0 BuildRequires: nodejs-packaging BuildRequires: chrpath BuildRequires: libatomic +BuildRequires: systemtap-sdt-devel %if %{with bootstrap} Provides: bundled(libuv) = %{libuv_version} Provides: bundled(nghttp2) = %{nghttp2_version} %else -BuildRequires: systemtap-sdt-devel BuildRequires: libuv-devel >= 1:%{libuv_version} Requires: libuv >= 1:%{libuv_version} BuildRequires: libnghttp2-devel >= %{nghttp2_version} @@ -443,7 +439,8 @@ export LDFLAGS="%{build_ldflags}" --shared-brotli \ --without-dtrace \ --with-intl=small-icu \ - --openssl-use-def-ca-store + --openssl-use-def-ca-store \ + --openssl-default-cipher-list=PROFILE=SYSTEM %else %{__python3} configure.py --prefix=%{_prefix} \ --shared \ @@ -456,7 +453,8 @@ export LDFLAGS="%{build_ldflags}" --with-dtrace \ --with-intl=small-icu \ --with-icu-default-data-dir=%{icudatadir} \ - --openssl-use-def-ca-store + --openssl-use-def-ca-store \ + --openssl-default-cipher-list=PROFILE=SYSTEM %endif %else %if %{with bootstrap} @@ -466,7 +464,8 @@ export LDFLAGS="%{build_ldflags}" --shared-brotli \ --without-dtrace \ --with-intl=small-icu \ - --openssl-use-def-ca-store + --openssl-use-def-ca-store \ + --openssl-default-cipher-list=PROFILE=SYSTEM %else %{__python3} configure.py --prefix=%{_prefix} \ --shared-openssl \ @@ -477,7 +476,8 @@ export LDFLAGS="%{build_ldflags}" --with-dtrace \ --with-intl=small-icu \ --with-icu-default-data-dir=%{icudatadir} \ - --openssl-use-def-ca-store + --openssl-use-def-ca-store \ + --openssl-default-cipher-list=PROFILE=SYSTEM %endif %endif 
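Review bot: `BuildRequires: systemtap-sdt-devel` is now unconditional, but both bootstrap configure invocations later in the file (visible in the `@@ -443` and `@@ -466` hunks) still pass `--without-dtrace`, so a bootstrap build pulls in the package without producing any probes. If the changelog entry "Always build with systemtap" is meant to cover bootstrap builds, those two branches need `--with-dtrace`. Otherwise a one-line comment above the dependency, such as `# required by --with-dtrace in the non-bootstrap configure branches`, would explain why it sits outside the `%if`.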
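Review bot: `--openssl-default-cipher-list=PROFILE=SYSTEM` is appended to four separate configure invocations (the `@@ -443`, `@@ -456`, `@@ -466` and `@@ -477` hunks) with no comment explaining the value and no build-time check that it took effect. `PROFILE=SYSTEM` is resolved only by an OpenSSL built with crypto-policies support, and the OpenSSL linkage of the bootstrap branches begins outside these hunks, so it is worth confirming that none of them builds against a library that would reject the string. A comment above the first invocation would help, for example `# Default TLS cipher list follows the system crypto policy; callers that set their own ciphers are not affected`. A `%check` line that fails the build unless `%{buildroot}%{_bindir}/node -p "require('crypto').constants.defaultCoreCipherList"` prints `PROFILE=SYSTEM` would catch a silently dropped flag. Moving the flags common to all four branches into a single macro would keep a later cipher or CA-store change from missing one of them.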
@@ -825,27 +825,41 @@ end %changelog +* Thu Jul 08 2021 Zuzana Svetlikova - 1:14.17.3-2 +- Resolves: RHBZ#1980032, RHBZ#1978203 +- Resolves RHBZ#1842826 +- Don't use patch3 + +* Thu Jul 08 2021 Zuzana Svetlikova - 1:14.17.3-1 +- Resolves: RHBZ#1980032, RHBZ#1978203 +- Resolves RHBZ#1842826 +- Resolves CVE-2021-22918(libuv), use system cipher list + +* Wed Mar 10 2021 Zuzana Svetlikova - 1:14.16.0-3 +- Resolves: RHBZ#1930775 +- Always build with systemtap + * Mon Mar 01 2021 Zuzana Svetlikova - 1:14.16.0-2 -- Resolves: RHBZ#1932427 +- Resolves: RHBZ#1930775 - remove --debug-nghttp2 option * Mon Mar 01 2021 Zuzana Svetlikova - 1:14.16.0-1 -- Resolves: RHBZ#1932317, RHBZ#1932425 +- Resolves: RHBZ#1932318, RHBZ#1932366 - Rebase, remove ini patch * Tue Jan 26 2021 Zuzana Svetlikova - 1:14.15.4-2 - Add patch for yarn crash -- Resolves: RHBZ#1916465 +- Resolves: RHBZ#1915296 * Tue Jan 19 2021 Zuzana Svetlikova - 1:14.15.4-1 - Security rebase to 14.15.4 - https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/ -- Resolves: RHBZ#1916463, RHBZ#1914788 -- Resolves: RHBZ#1914785, RHBZ#1916387, RHBZ#1916389, RHBZ#1916390, RHBZ#1916690 +- Resolves: RHBZ#1913001, RHBZ#1912953 +- Resolves: RHBZ#1912636, RHBZ#1898602, RHBZ#1898768, RHBZ#1893987, RHBZ#1893184 * Thu Oct 29 2020 Zuzana Svetlikova - 1:14.15.0-1 +- Resolves: RHBZ#1858864 - Update to LTS release -- Rebase: RHBZ#1891809 * Mon Sep 21 2020 Jan Staněk - 1:14.11.0-1 - Security update to 14.11.0