import UBI nodejs-22.19.0-2.module+el8.10.0+23474+222d264a

2025-10-07 07:17:32 +00:00 · 2025-10-07 07:17:32 +00:00 · ca5968eb63
commit ca5968eb63
parent 266f57d480
5 changed files with 100 additions and 11050 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,7 +1,7 @@
 SOURCES/cjs-module-lexer-2.1.0.tar.gz
 SOURCES/icu4c-77_1-data-bin-b.zip
 SOURCES/icu4c-77_1-data-bin-l.zip
-SOURCES/node-v22.16.0-stripped.tar.gz
+SOURCES/node-v22.19.0-stripped.tar.gz
 SOURCES/undici-6.21.2.tar.gz
 SOURCES/wasi-sdk-wasi-sdk-12.tar.gz
 SOURCES/wasi-sdk-wasi-sdk-20.tar.gz
--- a/.nodejs.metadata
+++ b/.nodejs.metadata
@ -1,7 +1,7 @@
 aecfb2810d05c3cef0e65a512dd980d6ba751076 SOURCES/cjs-module-lexer-2.1.0.tar.gz
 c459faa36dedc60af6a0c6d5b9b84b6198389bf0 SOURCES/icu4c-77_1-data-bin-b.zip
 c602459f93a43dfe7440686b46430e93a85dfc06 SOURCES/icu4c-77_1-data-bin-l.zip
-c9013d945eeb65b80fcb17fb2a55eacdbb0db286 SOURCES/node-v22.16.0-stripped.tar.gz
+6e43b5b68ecdff7997552f60f9fc6906e244a63a SOURCES/node-v22.19.0-stripped.tar.gz
 6d6793d539b3ffcfb2924f3f5ad328240031361a SOURCES/undici-6.21.2.tar.gz
 5ea3a1deb65a52a36ceb41324da690f54b2a4805 SOURCES/wasi-sdk-wasi-sdk-12.tar.gz
 da40abcb73a6dddafced6174d24ed49e414cda3c SOURCES/wasi-sdk-wasi-sdk-20.tar.gz
--- a/SOURCES/0001-sqlite-CVE-2025-6965.patch
+++ b/SOURCES/0001-sqlite-CVE-2025-6965.patch
--- a/SOURCES/0002-fips-disable-options.patch
+++ b/SOURCES/0002-fips-disable-options.patch
@ -0,0 +1,84 @@
 From 98738d27288bd9ca634e29181ef665e812e7bbd3 Mon Sep 17 00:00:00 2001
 From: Michael Dawson <midawson@redhat.com>
 Date: Fri, 23 Feb 2024 13:43:56 +0100
 Subject: [PATCH] Disable FIPS options
 On RHEL, FIPS should be configured only on system level.
 Additionally, the related options may cause segfault when used on RHEL.
 This patch causes the option processing to end sooner
 than the problematic code gets executed.
 Additionally, the JS-level options to mess with FIPS settings
 are similarly disabled.
 Upstream report: https://github.com/nodejs/node/pull/48950
 RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=2226726
 ---
 lib/crypto.js             | 10 ++++++++++
 lib/internal/errors.js    |  6 ++++++
 src/crypto/crypto_util.cc |  2 ++
 3 files changed, 18 insertions(+)
 diff --git a/lib/crypto.js b/lib/crypto.js
 index 41adecc..b2627ac 100644
 --- a/lib/crypto.js
 +++ b/lib/crypto.js
@@ -36,7 +36,10 @@ const {
 assertCrypto();
 const {
 +  // RHEL specific error
 +  ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED,
 +
   ERR_CRYPTO_FIPS_FORCED,
   ERR_WORKER_UNSUPPORTED_OPERATION,
 } = require('internal/errors').codes;
 const constants = internalBinding('constants').crypto;
@@ -251,6 +254,13 @@ function getFips() {
 }
 function setFips(val) {
 +  // in RHEL FIPS enable/disable should only be done at system level
 +  if (getFips() != val) {
 +    throw new ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED();
 +  } else {
 +    return;
 +  }
 +
   if (getOptionValue('--force-fips')) {
     if (val) return;
     throw new ERR_CRYPTO_FIPS_FORCED();
 diff --git a/lib/internal/errors.js b/lib/internal/errors.js
 index a722360..04d8a53 100644
 --- a/lib/internal/errors.js
 +++ b/lib/internal/errors.js
@@ -1111,6 +1111,12 @@ module.exports = {
 //
 // Note: Node.js specific errors must begin with the prefix ERR_
 +// insert RHEL specific erro
 +E('ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED',
 +  'Cannot set FIPS mode. FIPS should be enabled/disabled at system level. See' +
 +  'https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening for more details.\n',
 +  Error);
 +
 E('ERR_ACCESS_DENIED',
   function(msg, permission = '', resource = '') {
     this.permission = permission;
 diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
 index 5734d8f..ef9d1b1 100644
 --- a/src/crypto/crypto_util.cc
 +++ b/src/crypto/crypto_util.cc
@@ -121,6 +121,8 @@ bool ProcessFipsOptions() {
   /* Override FIPS settings in configuration file, if needed. */
   if (per_process::cli_options->enable_fips_crypto ||
       per_process::cli_options->force_fips_crypto) {
 +      fprintf(stderr, "ERROR: Using options related to FIPS is not recommended, configure FIPS in openssl instead. See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening for more details.\n");
 +      return false;
 #if OPENSSL_VERSION_MAJOR >= 3
     OSSL_PROVIDER* fips_provider = OSSL_PROVIDER_load(nullptr, "fips");
     if (fips_provider == nullptr)
 -- 
 2.43.2
--- a/SPECS/nodejs.spec
+++ b/SPECS/nodejs.spec
@ -78,7 +78,7 @@
 # than a Fedora release lifecycle.
 %global nodejs_epoch 1
 %global nodejs_major 22
-%global nodejs_minor 16
+%global nodejs_minor 19
 %global nodejs_patch 0
 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
 %global nodejs_soversion 127
@ -102,17 +102,17 @@
 %global v8_release %{nodejs_epoch}.%{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}.%{nodejs_release}
 # zlib - from deps/zlib/zlib.h
-%global zlib_version 1.3.0.1-motley
+%global zlib_version 1.3.1
 # c-ares - from deps/cares/include/ares_version.h
 # https://github.com/nodejs/node/pull/9332
 %global c_ares_version 1.34.5
 # llhttp - from deps/llhttp/include/llhttp.h
-%global llhttp_version 9.2.1
+%global llhttp_version 9.3.0
 # libuv - from deps/uv/include/uv/version.h
-%global libuv_version 1.49.2
+%global libuv_version 1.51.0
 # nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h
 %global nghttp2_version 1.64.0
@ -146,7 +146,7 @@
 # npm - from deps/npm/package.json
 %global npm_epoch 1
-%global npm_version 10.9.2
+%global npm_version 10.9.3
 # In order to avoid needing to keep incrementing the release version for the
 # main package forever, we will just construct one for npm that is guaranteed
@ -163,7 +163,7 @@
 %global histogram_version 0.11.8
 # sqlite - from deps/sqlite/sqlite3.h
-%global sqlite_version 3.50.3
+%global sqlite_version 3.50.4
 Name: nodejs
@ -218,7 +218,7 @@ Source212: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-20/wasi-sdk-
 Source300: test-runner.sh
 Source301: test-should-pass.txt
 Patch1: 0001-Remove-unused-OpenSSL-config.patch
-Patch2: 0001-sqlite-CVE-2025-6965.patch
+Patch2: 0002-fips-disable-options.patch
 %global pkgname nodejs
@ -626,7 +626,8 @@ export PATH="${PWD}/.bin:$PATH"
           --with-intl=small-icu \
           --with-icu-default-data-dir=%{icudatadir} \
           --without-corepack \
-           --openssl-use-def-ca-store
+           --openssl-use-def-ca-store \
           --use-prefix-to-find-headers
 %ninja_build -C out/Release
@ -949,11 +950,15 @@ end
 %changelog
 * Fri Aug 29 2025 Tomas Juhasz <tjuhasz@redhat.com> - 1:22.19.0-1
 - Update to 22.19.0
  Resolves: RHEL-100424
 * Thu Jul 17 2025 Andrei Radchenko <aradchen@redhat.com> - 1:22.16.0-2
 - Patch fix for sqlite CVE-2025-6965
  Resolves: RHEL-103835
-* Tue May 20 2025 Tomas Juhasz <tjuhasz@redhat.com> - 1:22.15-1-1
+* Tue May 20 2025 Tomas Juhasz <tjuhasz@redhat.com> - 1:22.16.0-1
 - Update to 22.16.0
  Fixes: CVE-2025-23166
 - Resolves: RHEL-91596 RHEL-92859