Rebase to 16.6.2

Resolves: CVE-2021-22931 CVE-2021-22939 CVE-2021-22940
2021-08-12 14:44:40 +02:00 · 2021-08-12 14:44:40 +02:00 · de0701411d
commit de0701411d
parent 94ead171a1
2 changed files with 16 additions and 12 deletions
--- a/nodejs.spec
+++ b/nodejs.spec
@ -9,7 +9,7 @@
 # This is used by both the nodejs package and the npm subpackage thar
 # has a separate version - the name is special so that rpmdev-bumpspec
 # will bump this rather than adding .1 to the end.
-%global baserelease 3
+%global baserelease 1

 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}}

@ -20,8 +20,8 @@
 # than a Fedora release lifecycle.
 %global nodejs_epoch 1
 %global nodejs_major 16
-%global nodejs_minor 5
-%global nodejs_patch 0
+%global nodejs_minor 6
+%global nodejs_patch 2
 %global nodejs_abi %{nodejs_major}.%{nodejs_minor}
 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
 %global nodejs_soversion 93
@ -35,9 +35,9 @@
 # Epoch is set to ensure clean upgrades from the old v8 package
 %global v8_epoch 2
 %global v8_major 9
-%global v8_minor 1
-%global v8_build 269
-%global v8_patch 38
+%global v8_minor 2
+%global v8_build 230
+%global v8_patch 21
 # V8 presently breaks ABI at least every x.y release while never bumping SONAME
 %global v8_abi %{v8_major}.%{v8_minor}
 %global v8_version %{v8_major}.%{v8_minor}.%{v8_build}.%{v8_patch}
@ -47,7 +47,7 @@
 # https://github.com/nodejs/node/pull/9332
 %global c_ares_major 1
 %global c_ares_minor 17
-%global c_ares_patch 1
+%global c_ares_patch 2
 %global c_ares_version %{c_ares_major}.%{c_ares_minor}.%{c_ares_patch}

 # llhttp - from deps/llhttp/include/llhttp.h
@ -113,8 +113,8 @@
 # npm - from deps/npm/package.json
 %global npm_epoch 1
 %global npm_major 7
-%global npm_minor 19
-%global npm_patch 1
+%global npm_minor 20
+%global npm_patch 3
 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch}

 # uvwasi - from deps/uvwasi/include/uvwasi.h
@ -386,7 +386,6 @@ rm -rf deps/brotli
 pathfix.py -i %{__python3} -pn $(find -type f ! -name "*.js")
 find . -type f -exec sed -i "s~/usr\/bin\/env python~/usr/bin/python3~" {} \;
 find . -type f -exec sed -i "s~/usr\/bin\/python\W~/usr/bin/python3~" {} \;
-sed -i "s~python~python3~" $(find . -type f | grep "gyp$")
 sed -i "s~usr\/bin\/python2~usr\/bin\/python3~" ./deps/v8/tools/gen-inlining-tests.py
 sed -i "s~usr\/bin\/python.*$~usr\/bin\/python3~" ./deps/v8/tools/mb/mb_unittest.py
 find . -type f -exec sed -i "s~python -c~python3 -c~" {} \;
@ -407,6 +406,7 @@ find . -type f -exec sed -i "s~python -c~python3 -c~" {} \;

 export CC='%{__cc}'
 export CXX='%{__cxx}'
+%{?with_python3_fixup:export NODE_GYP_FORCE_PYTHON=%{__python3}}

 # build with debugging symbols and add defines from libuv (#892601)
 # Node's v8 breaks with GCC 6 because of incorrect usage of methods on
@ -694,6 +694,10 @@ end


 %changelog
+* Thu Aug 12 2021 Jan Staněk <jstanek@redhat.com> - 1:16.6.2-1
+- Rebase to 16.6.2
+  Resolves: CVE-2021-22931 CVE-2021-22939 CVE-2021-22940
+
 * Mon Aug 09 2021 Mohan Boddu <mboddu@redhat.com> - 1:16.5.0-3
 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags
  Related: rhbz#1991688
--- a/2
+++ b/2
@ -1,2 +1,2 @@
-SHA512 (node-v16.5.0-stripped.tar.gz) = 6e3bada9d70df7f24621dfa1398c40950d22aaa5bee5668868ae78ce5e8c333c681dc78ed3099da3203c05339904b20aabaff4a87c2ae77a998113a3dbc39720
+SHA512 (node-v16.6.2-stripped.tar.gz) = af3f7a4114fc9600077e21295d8eb764ce56806eb249ac64c91d33ea874ee3f18004d0e7d0dc5cb69546ff0a8c7f4174963db4bb05c19fc28c9b5db63cf4b9c7
 SHA512 (icu4c-69_1-src.tgz) = d4aeb781715144ea6e3c6b98df5bbe0490bfa3175221a1d667f3e6851b7bd4a638fa4a37d4a921ccb31f02b5d15a6dded9464d98051964a86f7b1cde0ff0aab7