From f1bbfe74498742a197c357ce327bba49f88451c1 Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Tue, 5 Oct 2021 22:00:59 -0400
Subject: [PATCH] import nodejs-12.22.5-1.module+el8.4.0+12242+af52a4c7
---
 .gitignore | 2 +-
 .nodejs.metadata | 2 +-
 ...03-src-use-getauxval-in-node_main.cc.patch | 70 ++
 ...8n-prototype-pollution-vulnerability.patch | 13 -
 .../0004-always-available-fips-options.patch | 622 ++++++++++++++++++
 ...o-not-allow-invalid-hazardous-string.patch | 99 ---
 ...005-CVE-2021-23343-nodejs-path-parse.patch | 180 +++++
 SOURCES/nodejs-tarball.sh | 8 +-
 SPECS/nodejs.spec | 76 ++-
 9 files changed, 933 insertions(+), 139 deletions(-)
 create mode 100644 SOURCES/0003-src-use-getauxval-in-node_main.cc.patch
 delete mode 100644 SOURCES/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch
 create mode 100644 SOURCES/0004-always-available-fips-options.patch
 delete mode 100644 SOURCES/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch
 create mode 100644 SOURCES/0005-CVE-2021-23343-nodejs-path-parse.patch
diff --git a/.gitignore b/.gitignore
index 3f9ed36..d8fc543 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
 SOURCES/icu4c-67_1-src.tgz
-SOURCES/node-v12.20.1-stripped.tar.gz
+SOURCES/node-v12.22.5-stripped.tar.gz
diff --git a/.nodejs.metadata b/.nodejs.metadata
index 45b7698..c0867c1 100644
--- a/.nodejs.metadata
+++ b/.nodejs.metadata
@@ -1,2 +1,2 @@
 6822a4a94324d1ba591b3e8ef084e4491af253c1 SOURCES/icu4c-67_1-src.tgz
-f9a9058bbd8557bc0ea564d22f4f0d1d6b7ed896 SOURCES/node-v12.20.1-stripped.tar.gz
+bb98afb22215e659a77853964f7575da6b1535e3 SOURCES/node-v12.22.5-stripped.tar.gz
diff --git a/SOURCES/0003-src-use-getauxval-in-node_main.cc.patch b/SOURCES/0003-src-use-getauxval-in-node_main.cc.patch
new file mode 100644
index 0000000..2ecf682
--- /dev/null
+++ b/SOURCES/0003-src-use-getauxval-in-node_main.cc.patch
@@ -0,0 +1,70 @@ +From 63b2d16ea3985b62be372ea1da7987dc32ddcc3b Mon Sep 17 00:00:00 2001 +From: Daniel Bevenius <daniel.bevenius@gmail.com> +Date: Tue, 2 Jun 2020 05:33:25 +0200 +Subject: [PATCH 3/3] src: use getauxval in node_main.cc + +This commit suggests using getauxval in node_main.cc. + +The motivation for this is that getauxval was introduced in glibc 2.16 +and looking at BUILDING.md, in the 'Platform list' section, it looks +like we now support glibc >= 2.17 and perhaps this change would be +alright now. + +PR-URL: https://github.com/nodejs/node/pull/33693 +Refs: https://github.com/nodejs/node/pull/12548 +Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> +Reviewed-By: David Carlier <devnexen@gmail.com> +Reviewed-By: Anna Henningsen <anna@addaleax.net> +Reviewed-By: Colin Ihrig <cjihrig@gmail.com> +Reviewed-By: James M Snell <jasnell@gmail.com> +--- + src/node_main.cc | 18 ++---------------- + 1 file changed, 2 insertions(+), 16 deletions(-) + +diff --git a/src/node_main.cc b/src/node_main.cc +index e92c0df94297e2ece43dbdf71166e555713ef6f2..70be5b83fafcde596e65086b08305aa89702fd52 100644 +--- a/src/node_main.cc ++++ b/src/node_main.cc +@@ -72,17 +72,11 @@ int wmain(int argc, wchar_t* wargv[]) { + return node::Start(argc, argv); + } + #else + // UNIX + #ifdef __linux__ +-#include <elf.h> +-#ifdef __LP64__ +-#define Elf_auxv_t Elf64_auxv_t +-#else +-#define Elf_auxv_t Elf32_auxv_t +-#endif // __LP64__ +-extern char** environ; ++#include <sys/auxv.h> + #endif // __linux__ + #if defined(__POSIX__) && defined(NODE_SHARED_MODE) + #include <string.h> + #include <signal.h> + #endif +@@ -107,19 +101,11 @@ int main(int argc, char* argv[]) { + sigaction(SIGPIPE, &act, nullptr); + } + #endif + + #if defined(__linux__) +- char** envp = environ; +- while (*envp++ != nullptr) {} +- Elf_auxv_t* auxv = reinterpret_cast<Elf_auxv_t*>(envp); +- for (; auxv->a_type != AT_NULL; auxv++) { +- if (auxv->a_type == AT_SECURE) { +- node::per_process::linux_at_secure = auxv->a_un.a_val; 
+- break; +- } +- } ++ node::per_process::linux_at_secure = getauxval(AT_SECURE); + #endif + // Disable stdio buffering, it interacts poorly with printf() + // calls elsewhere in the program (e.g., any logging from V8.) + setvbuf(stdout, nullptr, _IONBF, 0); + setvbuf(stderr, nullptr, _IONBF, 0); +-- +2.30.1 + diff --git a/SOURCES/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch b/SOURCES/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch deleted file mode 100644 index 88a9d75..0000000 --- a/SOURCES/0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/deps/npm/node_modules/y18n/index.js b/deps/npm/node_modules/y18n/index.js -index d720681628..727362aac0 100644 ---- a/deps/npm/node_modules/y18n/index.js -+++ b/deps/npm/node_modules/y18n/index.js -@@ -11,7 +11,7 @@ function Y18N (opts) { - this.fallbackToLanguage = typeof opts.fallbackToLanguage === 'boolean' ? opts.fallbackToLanguage : true - - // internal stuff. -- this.cache = {} -+ this.cache = Object.create(null) - this.writeQueue = [] - } - diff --git a/SOURCES/0004-always-available-fips-options.patch b/SOURCES/0004-always-available-fips-options.patch new file mode 100644 index 0000000..fb90f8f --- /dev/null +++ b/SOURCES/0004-always-available-fips-options.patch 
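Review bot: The new `node::per_process::linux_at_secure = getauxval(AT_SECURE);` carries no comment on why this flag matters, and a backport patch is exactly where the next reader needs one; I would add `// AT_SECURE is set by the kernel when the executable runs with elevated privilege (setuid/setgid, file capabilities); SafeGetenv consults it to ignore NODE_* environment variables` above the assignment (SafeGetenv being the consumer, as far as I recall from node_credentials.cc). `getauxval()` returns 0 both when the entry is 0 and when it is absent from the vector (glibc then sets errno to ENOENT), which mirrors the removed loop leaving the flag untouched, so the non-privileged default is unchanged rather than introduced here. The `unsigned long` result is converted implicitly into the flag's type (bool, presumably); an explicit `!= 0` would make the intent clearer. `<sys/auxv.h>` needs glibc >= 2.16 as the inner commit message notes, which the el8 target of this import should meet. The inner hunk's `main()` body continues outside the hunk.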
@@ -0,0 +1,622 @@ +From 7bc4111b770ada25cdd6e1b938ca7a914617ea53 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?V=C3=ADt=20Ondruch?= <vondruch@redhat.com> +Date: Tue, 25 Aug 2020 14:04:54 +0200 +Subject: [PATCH] crypto: make FIPS related options always awailable +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +There is no reason to hide FIPS functionality behind build flags. +OpenSSL always provide the information about FIPS availability via +`FIPS_mode()` function. + +This makes the user experience more consistent, because the OpenSSL +library is always queried and the `crypto.getFips()` always returns +OpenSSL settings. + +Fixes #34903 + +PR-URL: https://github.com/nodejs/node/pull/36341 +Reviewed-By: Anna Henningsen <anna@addaleax.net> +Reviewed-By: Michael Dawson <midawson@redhat.com> +Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> +Signed-off-by: Jan Staněk <jstanek@redhat.com> +--- + doc/api/cli.md | 8 +-- + lib/crypto.js | 22 ++---- + node.gypi | 3 - + src/node.cc | 6 +- + src/node_config.cc | 2 - + src/node_crypto.cc | 45 +++++++----- + src/node_options.cc | 2 - + src/node_options.h | 2 - + test/parallel/test-cli-node-print-help.js | 7 +- + test/parallel/test-crypto-fips.js | 71 +++++++++---------- + ...rocess-env-allowed-flags-are-documented.js | 11 +-- + 11 files changed, 74 insertions(+), 105 deletions(-) + +diff --git a/doc/api/cli.md b/doc/api/cli.md +index 86635f267b..6f14fa6810 100644 +--- a/doc/api/cli.md ++++ b/doc/api/cli.md +@@ -183,8 +183,8 @@ code from strings throw an exception instead. This does not affect the Node.js + added: v6.0.0 + --> + +-Enable FIPS-compliant crypto at startup. (Requires Node.js to be built with +-`./configure --openssl-fips`.) ++Enable FIPS-compliant crypto at startup. (Requires Node.js to be built ++against FIPS-compatible OpenSSL.) + + ### `--enable-source-maps` + <!-- YAML +@@ -550,8 +550,8 @@ added: v6.9.0 + --> + + Load an OpenSSL configuration file on startup. 
Among other uses, this can be +-used to enable FIPS-compliant crypto if Node.js is built with +-`./configure --openssl-fips`. ++used to enable FIPS-compliant crypto if Node.js is built ++against FIPS-enabled OpenSSL. + + ### `--pending-deprecation` + <!-- YAML +diff --git a/lib/crypto.js b/lib/crypto.js +index b2bcc4d0a4..93d5e21fa0 100644 +--- a/lib/crypto.js ++++ b/lib/crypto.js +@@ -37,12 +37,10 @@ assertCrypto(); + + const { + ERR_CRYPTO_FIPS_FORCED, +- ERR_CRYPTO_FIPS_UNAVAILABLE + } = require('internal/errors').codes; + const constants = internalBinding('constants').crypto; + const { getOptionValue } = require('internal/options'); + const pendingDeprecation = getOptionValue('--pending-deprecation'); +-const { fipsMode } = internalBinding('config'); + const fipsForced = getOptionValue('--force-fips'); + const { + getFipsCrypto, +@@ -191,10 +189,8 @@ module.exports = { + sign: signOneShot, + setEngine, + timingSafeEqual, +- getFips: !fipsMode ? getFipsDisabled : +- fipsForced ? getFipsForced : getFipsCrypto, +- setFips: !fipsMode ? setFipsDisabled : +- fipsForced ? setFipsForced : setFipsCrypto, ++ getFips: fipsForced ? getFipsForced : getFipsCrypto, ++ setFips: fipsForced ? setFipsForced : setFipsCrypto, + verify: verifyOneShot, + + // Classes +@@ -213,19 +209,11 @@ module.exports = { + Verify + }; + +-function setFipsDisabled() { +- throw new ERR_CRYPTO_FIPS_UNAVAILABLE(); +-} +- + function setFipsForced(val) { + if (val) return; + throw new ERR_CRYPTO_FIPS_FORCED(); + } + +-function getFipsDisabled() { +- return 0; +-} +- + function getFipsForced() { + return 1; + } +@@ -247,10 +235,8 @@ ObjectDefineProperties(module.exports, { + }, + // crypto.fips is deprecated. DEP0093. Use crypto.getFips()/crypto.setFips() + fips: { +- get: !fipsMode ? getFipsDisabled : +- fipsForced ? getFipsForced : getFipsCrypto, +- set: !fipsMode ? setFipsDisabled : +- fipsForced ? setFipsForced : setFipsCrypto ++ get: fipsForced ? getFipsForced : getFipsCrypto, ++ set: fipsForced ? 
setFipsForced : setFipsCrypto + }, + DEFAULT_ENCODING: { + enumerable: false, +diff --git a/node.gypi b/node.gypi +index 116c1c7149..34f385f652 100644 +--- a/node.gypi ++++ b/node.gypi +@@ -320,9 +320,6 @@ + [ 'node_use_openssl=="true"', { + 'defines': [ 'HAVE_OPENSSL=1' ], + 'conditions': [ +- ['openssl_fips != "" or openssl_is_fips=="true"', { +- 'defines': [ 'NODE_FIPS_MODE' ], +- }], + [ 'node_shared_openssl=="false"', { + 'dependencies': [ + './deps/openssl/openssl.gyp:openssl', +diff --git a/src/node.cc b/src/node.cc +index 46e8f74cc2..0a5c3ee8ee 100644 +--- a/src/node.cc ++++ b/src/node.cc +@@ -964,11 +964,11 @@ InitializationResult InitializeOncePerProcess(int argc, char** argv) { + if (credentials::SafeGetenv("NODE_EXTRA_CA_CERTS", &extra_ca_certs)) + crypto::UseExtraCaCerts(extra_ca_certs); + } +-#ifdef NODE_FIPS_MODE + // In the case of FIPS builds we should make sure + // the random source is properly initialized first. +- OPENSSL_init(); +-#endif // NODE_FIPS_MODE ++ if (FIPS_mode()) { ++ OPENSSL_init(); ++ } + // V8 on Windows doesn't have a good source of entropy. Seed it from + // OpenSSL's pool. + V8::SetEntropySource(crypto::EntropySource); +diff --git a/src/node_config.cc b/src/node_config.cc +index 6ee3164a13..e229eee765 100644 +--- a/src/node_config.cc ++++ b/src/node_config.cc +@@ -42,9 +42,7 @@ static void Initialize(Local<Object> target, + READONLY_FALSE_PROPERTY(target, "hasOpenSSL"); + #endif // HAVE_OPENSSL + +-#ifdef NODE_FIPS_MODE + READONLY_TRUE_PROPERTY(target, "fipsMode"); +-#endif + + #ifdef NODE_HAVE_I18N_SUPPORT + +diff --git a/src/node_crypto.cc b/src/node_crypto.cc +index 764dcb8720..f142e625ef 100644 +--- a/src/node_crypto.cc ++++ b/src/node_crypto.cc +@@ -50,6 +50,11 @@ + #include <openssl/hmac.h> + #include <openssl/rand.h> + #include <openssl/pkcs12.h> ++// The FIPS-related functions are only available ++// when the OpenSSL itself was compiled with FIPS support. 
++#ifdef OPENSSL_FIPS ++#include <openssl/fips.h> ++#endif // OPENSSL_FIPS + + #include <cerrno> + #include <climits> // INT_MAX +@@ -97,6 +102,7 @@ using v8::Signature; + using v8::String; + using v8::Uint32; + using v8::Undefined; ++using v8::TryCatch; + using v8::Value; + + #ifdef OPENSSL_NO_OCB +@@ -3595,12 +3601,10 @@ void CipherBase::Init(const char* cipher_type, + HandleScope scope(env()->isolate()); + MarkPopErrorOnReturn mark_pop_error_on_return; + +-#ifdef NODE_FIPS_MODE + if (FIPS_mode()) { + return env()->ThrowError( + "crypto.createCipher() is not supported in FIPS mode."); + } +-#endif // NODE_FIPS_MODE + + const EVP_CIPHER* const cipher = EVP_get_cipherbyname(cipher_type); + if (cipher == nullptr) +@@ -3786,13 +3790,11 @@ bool CipherBase::InitAuthenticated(const char* cipher_type, int iv_len, + return false; + } + +-#ifdef NODE_FIPS_MODE + // TODO(tniessen) Support CCM decryption in FIPS mode + if (mode == EVP_CIPH_CCM_MODE && kind_ == kDecipher && FIPS_mode()) { + env()->ThrowError("CCM decryption not supported in FIPS mode"); + return false; + } +-#endif + + // Tell OpenSSL about the desired length. + if (!EVP_CIPHER_CTX_ctrl(ctx_.get(), EVP_CTRL_AEAD_SET_TAG, auth_tag_len, +@@ -4712,7 +4714,6 @@ static AllocatedBuffer Node_SignFinal(Environment* env, + } + + static inline bool ValidateDSAParameters(EVP_PKEY* key) { +-#ifdef NODE_FIPS_MODE + /* Validate DSA2 parameters from FIPS 186-4 */ + if (FIPS_mode() && EVP_PKEY_DSA == EVP_PKEY_base_id(key)) { + DSA* dsa = EVP_PKEY_get0_DSA(key); +@@ -4728,7 +4729,6 @@ static inline bool ValidateDSAParameters(EVP_PKEY* key) { + (L == 2048 && N == 256) || + (L == 3072 && N == 256); + } +-#endif // NODE_FIPS_MODE + + return true; + } +@@ -6889,7 +6889,6 @@ void InitCryptoOnce() { + settings = nullptr; + #endif + +-#ifdef NODE_FIPS_MODE + /* Override FIPS settings in cnf file, if needed. 
*/ + unsigned long err = 0; // NOLINT(runtime/int) + if (per_process::cli_options->enable_fips_crypto || +@@ -6899,12 +6898,10 @@ void InitCryptoOnce() { + } + } + if (0 != err) { +- fprintf(stderr, +- "openssl fips failed: %s\n", +- ERR_error_string(err, nullptr)); +- UNREACHABLE(); ++ auto* isolate = Isolate::GetCurrent(); ++ auto* env = Environment::GetCurrent(isolate); ++ return ThrowCryptoError(env, err); + } +-#endif // NODE_FIPS_MODE + + + // Turn off compression. Saves memory and protects against CRIME attacks. +@@ -6950,7 +6947,6 @@ void SetEngine(const FunctionCallbackInfo<Value>& args) { + } + #endif // !OPENSSL_NO_ENGINE + +-#ifdef NODE_FIPS_MODE + void GetFipsCrypto(const FunctionCallbackInfo<Value>& args) { + args.GetReturnValue().Set(FIPS_mode() ? 1 : 0); + } +@@ -6968,17 +6964,33 @@ void SetFipsCrypto(const FunctionCallbackInfo<Value>& args) { + return ThrowCryptoError(env, err); + } + } +-#endif /* NODE_FIPS_MODE */ ++ ++void TestFipsCrypto(const v8::FunctionCallbackInfo<v8::Value>& args) { ++#ifdef OPENSSL_FIPS ++ const auto enabled = FIPS_selftest() ? 
1 : 0; ++#else // OPENSSL_FIPS ++ const auto enabled = 0; ++#endif // OPENSSL_FIPS ++ ++ args.GetReturnValue().Set(enabled); ++} + + + void Initialize(Local<Object> target, + Local<Value> unused, + Local<Context> context, + void* priv) { ++ Environment* env = Environment::GetCurrent(context); ++ + static uv_once_t init_once = UV_ONCE_INIT; ++ TryCatch try_catch{env->isolate()}; + uv_once(&init_once, InitCryptoOnce); + +- Environment* env = Environment::GetCurrent(context); ++ if (try_catch.HasCaught() && !try_catch.HasTerminated()) { ++ try_catch.ReThrow(); ++ return; ++ } ++ + SecureContext::Initialize(env, target); + target->Set(env->context(), + FIXED_ONE_BYTE_STRING(env->isolate(), "KeyObjectHandle"), +@@ -7007,10 +7019,9 @@ void Initialize(Local<Object> target, + env->SetMethod(target, "setEngine", SetEngine); + #endif // !OPENSSL_NO_ENGINE + +-#ifdef NODE_FIPS_MODE + env->SetMethodNoSideEffect(target, "getFipsCrypto", GetFipsCrypto); + env->SetMethod(target, "setFipsCrypto", SetFipsCrypto); +-#endif ++ env->SetMethodNoSideEffect(target, "testFipsCrypto", TestFipsCrypto); + + env->SetMethod(target, "pbkdf2", PBKDF2); + env->SetMethod(target, "generateKeyPairRSA", GenerateKeyPairRSA); +diff --git a/src/node_options.cc b/src/node_options.cc +index 0240b2ef58..d1230da1ad 100644 +--- a/src/node_options.cc ++++ b/src/node_options.cc +@@ -729,7 +729,6 @@ PerProcessOptionsParser::PerProcessOptionsParser( + &PerProcessOptions::ssl_openssl_cert_store); + Implies("--use-openssl-ca", "[ssl_openssl_cert_store]"); + ImpliesNot("--use-bundled-ca", "[ssl_openssl_cert_store]"); +-#if NODE_FIPS_MODE + AddOption("--enable-fips", + "enable FIPS crypto at startup", + &PerProcessOptions::enable_fips_crypto, +@@ -738,7 +737,6 @@ PerProcessOptionsParser::PerProcessOptionsParser( + "force FIPS crypto (cannot be disabled)", + &PerProcessOptions::force_fips_crypto, + kAllowedInEnvironment); +-#endif + #endif + AddOption("--use-largepages", + "Map the Node.js static code to large pages. 
Options are " +diff --git a/src/node_options.h b/src/node_options.h +index aa138c6970..f5e1e7da57 100644 +--- a/src/node_options.h ++++ b/src/node_options.h +@@ -236,10 +236,8 @@ class PerProcessOptions : public Options { + #endif + bool use_openssl_ca = false; + bool use_bundled_ca = false; +-#if NODE_FIPS_MODE + bool enable_fips_crypto = false; + bool force_fips_crypto = false; +-#endif + #endif + + // Per-process because reports can be triggered outside a known V8 context. +diff --git a/test/parallel/test-cli-node-print-help.js b/test/parallel/test-cli-node-print-help.js +index e115124b04..ed58bf085c 100644 +--- a/test/parallel/test-cli-node-print-help.js ++++ b/test/parallel/test-cli-node-print-help.js +@@ -8,8 +8,6 @@ const common = require('../common'); + + const assert = require('assert'); + const { exec } = require('child_process'); +-const { internalBinding } = require('internal/test/binding'); +-const { fipsMode } = internalBinding('config'); + let stdOut; + + +@@ -29,9 +27,8 @@ function validateNodePrintHelp() { + const cliHelpOptions = [ + { compileConstant: HAVE_OPENSSL, + flags: [ '--openssl-config=...', '--tls-cipher-list=...', +- '--use-bundled-ca', '--use-openssl-ca' ] }, +- { compileConstant: fipsMode, +- flags: [ '--enable-fips', '--force-fips' ] }, ++ '--use-bundled-ca', '--use-openssl-ca', ++ '--enable-fips', '--force-fips' ] }, + { compileConstant: NODE_HAVE_I18N_SUPPORT, + flags: [ '--icu-data-dir=...', 'NODE_ICU_DATA' ] }, + { compileConstant: HAVE_INSPECTOR, +diff --git a/test/parallel/test-crypto-fips.js b/test/parallel/test-crypto-fips.js +index eae3134402..a1ed645184 100644 +--- a/test/parallel/test-crypto-fips.js ++++ b/test/parallel/test-crypto-fips.js +@@ -9,27 +9,20 @@ const spawnSync = require('child_process').spawnSync; + const path = require('path'); + const fixtures = require('../common/fixtures'); + const { internalBinding } = require('internal/test/binding'); +-const { fipsMode } = internalBinding('config'); ++const { 
testFipsCrypto } = internalBinding('crypto'); + + const FIPS_ENABLED = 1; + const FIPS_DISABLED = 0; +-const FIPS_ERROR_STRING = +- 'Error [ERR_CRYPTO_FIPS_UNAVAILABLE]: Cannot set FIPS mode in a ' + +- 'non-FIPS build.'; + const FIPS_ERROR_STRING2 = + 'Error [ERR_CRYPTO_FIPS_FORCED]: Cannot set FIPS mode, it was forced with ' + + '--force-fips at startup.'; +-const OPTION_ERROR_STRING = 'bad option'; ++const FIPS_UNSUPPORTED_ERROR_STRING = 'fips mode not supported'; + + const CNF_FIPS_ON = fixtures.path('openssl_fips_enabled.cnf'); + const CNF_FIPS_OFF = fixtures.path('openssl_fips_disabled.cnf'); + + let num_children_ok = 0; + +-function compiledWithFips() { +- return fipsMode ? true : false; +-} +- + function sharedOpenSSL() { + return process.config.variables.node_shared_openssl; + } +@@ -75,17 +68,17 @@ testHelper( + + // --enable-fips should turn FIPS mode on + testHelper( +- compiledWithFips() ? 'stdout' : 'stderr', ++ testFipsCrypto() ? 'stdout' : 'stderr', + ['--enable-fips'], +- compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING, ++ testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING, + 'require("crypto").getFips()', + process.env); + + // --force-fips should turn FIPS mode on + testHelper( +- compiledWithFips() ? 'stdout' : 'stderr', ++ testFipsCrypto() ? 'stdout' : 'stderr', + ['--force-fips'], +- compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING, ++ testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING, + 'require("crypto").getFips()', + process.env); + +@@ -106,7 +99,7 @@ if (!sharedOpenSSL()) { + testHelper( + 'stdout', + [`--openssl-config=${CNF_FIPS_ON}`], +- compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED, ++ testFipsCrypto() ? FIPS_ENABLED : FIPS_DISABLED, + 'require("crypto").getFips()', + process.env); + +@@ -114,7 +107,7 @@ if (!sharedOpenSSL()) { + testHelper( + 'stdout', + [], +- compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED, ++ testFipsCrypto() ? 
FIPS_ENABLED : FIPS_DISABLED, + 'require("crypto").getFips()', + Object.assign({}, process.env, { 'OPENSSL_CONF': CNF_FIPS_ON })); + +@@ -122,7 +115,7 @@ if (!sharedOpenSSL()) { + testHelper( + 'stdout', + [`--openssl-config=${CNF_FIPS_ON}`], +- compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED, ++ testFipsCrypto() ? FIPS_ENABLED : FIPS_DISABLED, + 'require("crypto").getFips()', + Object.assign({}, process.env, { 'OPENSSL_CONF': CNF_FIPS_OFF })); + } +@@ -136,50 +129,50 @@ testHelper( + + // --enable-fips should take precedence over OpenSSL config file + testHelper( +- compiledWithFips() ? 'stdout' : 'stderr', ++ testFipsCrypto() ? 'stdout' : 'stderr', + ['--enable-fips', `--openssl-config=${CNF_FIPS_OFF}`], +- compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING, ++ testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING, + 'require("crypto").getFips()', + process.env); + + // OPENSSL_CONF should _not_ make a difference to --enable-fips + testHelper( +- compiledWithFips() ? 'stdout' : 'stderr', ++ testFipsCrypto() ? 'stdout' : 'stderr', + ['--enable-fips'], +- compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING, ++ testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING, + 'require("crypto").getFips()', + Object.assign({}, process.env, { 'OPENSSL_CONF': CNF_FIPS_OFF })); + + // --force-fips should take precedence over OpenSSL config file + testHelper( +- compiledWithFips() ? 'stdout' : 'stderr', ++ testFipsCrypto() ? 'stdout' : 'stderr', + ['--force-fips', `--openssl-config=${CNF_FIPS_OFF}`], +- compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING, ++ testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING, + 'require("crypto").getFips()', + process.env); + + // Using OPENSSL_CONF should not make a difference to --force-fips + testHelper( +- compiledWithFips() ? 'stdout' : 'stderr', ++ testFipsCrypto() ? 'stdout' : 'stderr', + ['--force-fips'], +- compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING, ++ testFipsCrypto() ? 
FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING, + 'require("crypto").getFips()', + Object.assign({}, process.env, { 'OPENSSL_CONF': CNF_FIPS_OFF })); + + // setFipsCrypto should be able to turn FIPS mode on + testHelper( +- compiledWithFips() ? 'stdout' : 'stderr', ++ testFipsCrypto() ? 'stdout' : 'stderr', + [], +- compiledWithFips() ? FIPS_ENABLED : FIPS_ERROR_STRING, ++ testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING, + '(require("crypto").setFips(true),' + + 'require("crypto").getFips())', + process.env); + + // setFipsCrypto should be able to turn FIPS mode on and off + testHelper( +- compiledWithFips() ? 'stdout' : 'stderr', ++ testFipsCrypto() ? 'stdout' : 'stderr', + [], +- compiledWithFips() ? FIPS_DISABLED : FIPS_ERROR_STRING, ++ testFipsCrypto() ? FIPS_DISABLED : FIPS_UNSUPPORTED_ERROR_STRING, + '(require("crypto").setFips(true),' + + 'require("crypto").setFips(false),' + + 'require("crypto").getFips())', +@@ -187,27 +180,27 @@ testHelper( + + // setFipsCrypto takes precedence over OpenSSL config file, FIPS on + testHelper( +- compiledWithFips() ? 'stdout' : 'stderr', ++ testFipsCrypto() ? 'stdout' : 'stderr', + [`--openssl-config=${CNF_FIPS_OFF}`], +- compiledWithFips() ? FIPS_ENABLED : FIPS_ERROR_STRING, ++ testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING, + '(require("crypto").setFips(true),' + + 'require("crypto").getFips())', + process.env); + + // setFipsCrypto takes precedence over OpenSSL config file, FIPS off + testHelper( +- compiledWithFips() ? 'stdout' : 'stderr', ++ 'stdout', + [`--openssl-config=${CNF_FIPS_ON}`], +- compiledWithFips() ? FIPS_DISABLED : FIPS_ERROR_STRING, ++ FIPS_DISABLED, + '(require("crypto").setFips(false),' + + 'require("crypto").getFips())', + process.env); + + // --enable-fips does not prevent use of setFipsCrypto API + testHelper( +- compiledWithFips() ? 'stdout' : 'stderr', ++ testFipsCrypto() ? 'stdout' : 'stderr', + ['--enable-fips'], +- compiledWithFips() ? 
FIPS_DISABLED : OPTION_ERROR_STRING, ++ testFipsCrypto() ? FIPS_DISABLED : FIPS_UNSUPPORTED_ERROR_STRING, + '(require("crypto").setFips(false),' + + 'require("crypto").getFips())', + process.env); +@@ -216,15 +209,15 @@ testHelper( + testHelper( + 'stderr', + ['--force-fips'], +- compiledWithFips() ? FIPS_ERROR_STRING2 : OPTION_ERROR_STRING, ++ testFipsCrypto() ? FIPS_ERROR_STRING2 : FIPS_UNSUPPORTED_ERROR_STRING, + 'require("crypto").setFips(false)', + process.env); + + // --force-fips makes setFipsCrypto enable a no-op (FIPS stays on) + testHelper( +- compiledWithFips() ? 'stdout' : 'stderr', ++ testFipsCrypto() ? 'stdout' : 'stderr', + ['--force-fips'], +- compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING, ++ testFipsCrypto() ? FIPS_ENABLED : FIPS_UNSUPPORTED_ERROR_STRING, + '(require("crypto").setFips(true),' + + 'require("crypto").getFips())', + process.env); +@@ -233,7 +226,7 @@ testHelper( + testHelper( + 'stderr', + ['--force-fips', '--enable-fips'], +- compiledWithFips() ? FIPS_ERROR_STRING2 : OPTION_ERROR_STRING, ++ testFipsCrypto() ? FIPS_ERROR_STRING2 : FIPS_UNSUPPORTED_ERROR_STRING, + 'require("crypto").setFips(false)', + process.env); + +@@ -241,6 +234,6 @@ testHelper( + testHelper( + 'stderr', + ['--enable-fips', '--force-fips'], +- compiledWithFips() ? FIPS_ERROR_STRING2 : OPTION_ERROR_STRING, ++ testFipsCrypto() ? 
FIPS_ERROR_STRING2 : FIPS_UNSUPPORTED_ERROR_STRING, + 'require("crypto").setFips(false)', + process.env); +diff --git a/test/parallel/test-process-env-allowed-flags-are-documented.js b/test/parallel/test-process-env-allowed-flags-are-documented.js +index 0e0af9471c..af10809634 100644 +--- a/test/parallel/test-process-env-allowed-flags-are-documented.js ++++ b/test/parallel/test-process-env-allowed-flags-are-documented.js +@@ -44,17 +44,8 @@ const conditionalOpts = [ + { include: common.hasCrypto, + filter: (opt) => { + return ['--openssl-config', '--tls-cipher-list', '--use-bundled-ca', +- '--use-openssl-ca' ].includes(opt); ++ '--use-openssl-ca', '--enable-fips', '--force-fips' ].includes(opt); + } }, +- { +- // We are using openssl_is_fips from the configuration because it could be +- // the case that OpenSSL is FIPS compatible but fips has not been enabled +- // (starting node with --enable-fips). If we use common.hasFipsCrypto +- // that would only tells us if fips has been enabled, but in this case we +- // want to check options which will be available regardless of whether fips +- // is enabled at runtime or not. +- include: process.config.variables.openssl_is_fips, +- filter: (opt) => opt.includes('-fips') }, + { include: common.hasIntl, + filter: (opt) => opt === '--icu-data-dir' }, + { include: process.features.inspector, +-- +2.31.1 + diff --git a/SOURCES/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch b/SOURCES/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch deleted file mode 100644 index c2b1f3e..0000000 --- a/SOURCES/0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch +++ /dev/null 
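Review bot: In `InitCryptoOnce` the `return ThrowCryptoError(env, err);` that replaces the `fprintf`/`UNREACHABLE()` pair turns a fatal FIPS-activation failure into a catchable exception and also returns before the rest of the function, so the one-time setup that follows in the hunk — starting with the `// Turn off compression ... protects against CRIME attacks.` block — is skipped; because the call sits under `uv_once(&init_once, InitCryptoOnce)` it is never retried, and as far as I can tell a later `Initialize()` (another context or a worker) finds `init_once` already done with nothing for its `TryCatch` to re-throw, leaving the process on half-initialised OpenSSL while `lib/crypto.js` under `--force-fips` still reports `getFips() === 1` through `getFipsForced`. Either keep the failure fatal, or run the remaining setup before the error check and record the failure in a flag that `Initialize()` re-raises on every call. Relatedly, `src/node_config.cc` now sets `READONLY_TRUE_PROPERTY(target, "fipsMode")` unconditionally, so the config binding claims FIPS support on every build; mirror `FIPS_mode()` into it or drop the property now that `lib/crypto.js` no longer reads it. Style: `TestFipsCrypto` spells out `v8::FunctionCallbackInfo<v8::Value>` while every neighbour uses the `using`-imported `FunctionCallbackInfo<Value>`. The inner `Initialize` and `InitCryptoOnce` bodies continue outside their hunks.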
@@ -1,99 +0,0 @@ -From 3ef951c3e17a56fe7bbb1b9f2c476ad55c52c287 Mon Sep 17 00:00:00 2001 -From: isaacs <i@izs.me> -Date: Tue, 8 Dec 2020 14:21:50 -0800 -Subject: [PATCH] do not allow invalid hazardous string as section name - -Signed-off-by: rpm-build <rpm-build> ---- - deps/npm/node_modules/ini/ini.js | 8 +++++ - deps/npm/node_modules/ini/test/proto.js | 45 +++++++++++++++++++++++++ - 2 files changed, 53 insertions(+) - create mode 100644 deps/npm/node_modules/ini/test/proto.js - -diff --git a/deps/npm/node_modules/ini/ini.js b/deps/npm/node_modules/ini/ini.js -index 590195d..0401258 100644 ---- a/deps/npm/node_modules/ini/ini.js -+++ b/deps/npm/node_modules/ini/ini.js -@@ -80,6 +80,12 @@ function decode (str) { - if (!match) return - if (match[1] !== undefined) { - section = unsafe(match[1]) -+ if (section === '__proto__') { -+ // not allowed -+ // keep parsing the section, but don't attach it. -+ p = {} -+ return -+ } - p = out[section] = out[section] || {} - return - } -@@ -94,6 +100,7 @@ function decode (str) { - // Convert keys with '[]' suffix to an array - if (key.length > 2 && key.slice(-2) === '[]') { - key = key.substring(0, key.length - 2) -+ if (key === '__proto__') return - if (!p[key]) { - p[key] = [] - } else if (!Array.isArray(p[key])) { -@@ -125,6 +132,7 @@ function decode (str) { - var l = parts.pop() - var nl = l.replace(/\\\./g, '.') - parts.forEach(function (part, _, __) { -+ if (part === '__proto__') return - if (!p[part] || typeof p[part] !== 'object') p[part] = {} - p = p[part] - }) -diff --git a/deps/npm/node_modules/ini/test/proto.js b/deps/npm/node_modules/ini/test/proto.js -new file mode 100644 -index 0000000..ab35533 ---- /dev/null -+++ b/deps/npm/node_modules/ini/test/proto.js -@@ -0,0 +1,45 @@ -+var ini = require('../') -+var t = require('tap') -+ -+var data = ` -+__proto__ = quux -+foo = baz -+[__proto__] -+foo = bar -+[other] -+foo = asdf -+[kid.__proto__.foo] -+foo = kid -+[arrproto] -+hello = snyk -+__proto__[] = you did a good 
job -+__proto__[] = so you deserve arrays -+thanks = true -+` -+var res = ini.parse(data) -+t.deepEqual(res, { -+ foo: 'baz', -+ other: { -+ foo: 'asdf', -+ }, -+ kid: { -+ foo: { -+ foo: 'kid', -+ }, -+ }, -+ arrproto: { -+ hello: 'snyk', -+ thanks: true, -+ }, -+}) -+t.equal(res.__proto__, Object.prototype) -+t.equal(res.kid.__proto__, Object.prototype) -+t.equal(res.kid.foo.__proto__, Object.prototype) -+t.equal(res.arrproto.__proto__, Object.prototype) -+t.equal(Object.prototype.foo, undefined) -+t.equal(Object.prototype[0], undefined) -+t.equal(Object.prototype['0'], undefined) -+t.equal(Object.prototype[1], undefined) -+t.equal(Object.prototype['1'], undefined) -+t.equal(Array.prototype[0], undefined) -+t.equal(Array.prototype[1], undefined) --- -2.29.2 - diff --git a/SOURCES/0005-CVE-2021-23343-nodejs-path-parse.patch b/SOURCES/0005-CVE-2021-23343-nodejs-path-parse.patch new file mode 100644 index 0000000..201721d --- /dev/null +++ b/SOURCES/0005-CVE-2021-23343-nodejs-path-parse.patch 
@@ -0,0 +1,180 @@ +https://github.com/jbgutierrez/path-parse/pull/10 + +From 72c38e3a36b8ed2ec03960ac659aa114cbe6a420 Mon Sep 17 00:00:00 2001 +From: Jeffrey Pinyan <jeffrey.pinyan@ithreat.com> +Date: Thu, 13 May 2021 10:53:50 -0400 +Subject: [PATCH 1/2] fixed regexes to avoid ReDoS attacks + +Signed-off-by: rpm-build <rpm-build> +--- + deps/npm/node_modules/path-parse/index.js | 6 +++--- + deps/npm/node_modules/path-parse/redos.js | 20 ++++++++++++++++++++ + 2 files changed, 23 insertions(+), 3 deletions(-) + create mode 100644 deps/npm/node_modules/path-parse/redos.js + +diff --git a/deps/npm/node_modules/path-parse/index.js b/deps/npm/node_modules/path-parse/index.js +index 3b7601f..e6b2af1 100644 +--- a/deps/npm/node_modules/path-parse/index.js ++++ b/deps/npm/node_modules/path-parse/index.js +@@ -5,11 +5,11 @@ var isWindows = process.platform === 'win32'; + // Regex to split a windows path into three parts: [*, device, slash, + // tail] windows-only + var splitDeviceRe = +- /^([a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?([\\\/])?([\s\S]*?)$/; ++ /^([a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?([\\\/])?(.*)$/s; + + // Regex to split the tail part of the above into [*, dir, basename, ext] + var splitTailRe = +- /^([\s\S]*?)((?:\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))(?:[\\\/]*)$/; ++ /^((?:[^\\\/]*[\\\/])*)((?:\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))(?:[\\\/]*)$/; + + var win32 = {}; + +@@ -51,7 +51,7 @@ win32.parse = function(pathString) { + // Split a filename into [root, dir, basename, ext], unix version + // 'root' is just a slash, or nothing. 
+ var splitPathRe = +- /^(\/?|)([\s\S]*?)((?:\.{1,2}|[^\/]+?|)(\.[^.\/]*|))(?:[\/]*)$/; ++ /^(\/?|)((?:[^\/]*\/)*)((?:\.{1,2}|[^\/]+?|)(\.[^.\/]*|))(?:[\/]*)$/; + var posix = {}; + + +diff --git a/deps/npm/node_modules/path-parse/redos.js b/deps/npm/node_modules/path-parse/redos.js +new file mode 100644 +index 0000000..261947f +--- /dev/null ++++ b/deps/npm/node_modules/path-parse/redos.js +@@ -0,0 +1,20 @@ ++var pathParse = require('.'); ++ ++function build_attack(n) { ++ var ret = "" ++ for (var i = 0; i < n; i++) { ++ ret += "/" ++ } ++ return ret + "◎"; ++} ++ ++for(var i = 1; i <= 5000000; i++) { ++ if (i % 10000 == 0) { ++ var time = Date.now(); ++ var attack_str = build_attack(i) ++ pathParse.posix(attack_str); ++ pathParse.win32(attack_str); ++ var time_cost = Date.now() - time; ++ console.log("attack_str.length: " + attack_str.length + ": " + time_cost+" ms") ++ } ++} +-- +2.31.1 + + +From 44d1c9cd047988bb819707c726d9640f8aabe04d Mon Sep 17 00:00:00 2001 +From: Jeffrey Pinyan <jeffrey.pinyan@ithreat.com> +Date: Thu, 13 May 2021 11:51:45 -0400 +Subject: [PATCH 2/2] streamlined regexes, simplified parse() returns + +Signed-off-by: rpm-build <rpm-build> +--- + deps/npm/node_modules/path-parse/index.js | 52 ++++++++--------------- + 1 file changed, 17 insertions(+), 35 deletions(-) + +diff --git a/deps/npm/node_modules/path-parse/index.js b/deps/npm/node_modules/path-parse/index.js +index e6b2af1..f062d0a 100644 +--- a/deps/npm/node_modules/path-parse/index.js ++++ b/deps/npm/node_modules/path-parse/index.js +@@ -2,29 +2,14 @@ + + var isWindows = process.platform === 'win32'; + +-// Regex to split a windows path into three parts: [*, device, slash, +-// tail] windows-only +-var splitDeviceRe = +- /^([a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?([\\\/])?(.*)$/s; +- +-// Regex to split the tail part of the above into [*, dir, basename, ext] +-var splitTailRe = +- /^((?:[^\\\/]*[\\\/])*)((?:\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))(?:[\\\/]*)$/; ++// Regex to split a 
windows path into into [dir, root, basename, name, ext] ++var splitWindowsRe = ++ /^(((?:[a-zA-Z]:|[\\\/]{2}[^\\\/]+[\\\/]+[^\\\/]+)?[\\\/]?)(?:[^\\\/]*[\\\/])*)((\.{1,2}|[^\\\/]+?|)(\.[^.\/\\]*|))[\\\/]*$/; + + var win32 = {}; + +-// Function to split a filename into [root, dir, basename, ext] + function win32SplitPath(filename) { +- // Separate device+slash from tail +- var result = splitDeviceRe.exec(filename), +- device = (result[1] || '') + (result[2] || ''), +- tail = result[3] || ''; +- // Split the tail into dir, basename and extension +- var result2 = splitTailRe.exec(tail), +- dir = result2[1], +- basename = result2[2], +- ext = result2[3]; +- return [device, dir, basename, ext]; ++ return splitWindowsRe.exec(filename).slice(1); + } + + win32.parse = function(pathString) { +@@ -34,24 +19,24 @@ win32.parse = function(pathString) { + ); + } + var allParts = win32SplitPath(pathString); +- if (!allParts || allParts.length !== 4) { ++ if (!allParts || allParts.length !== 5) { + throw new TypeError("Invalid path '" + pathString + "'"); + } + return { +- root: allParts[0], +- dir: allParts[0] + allParts[1].slice(0, -1), ++ root: allParts[1], ++ dir: allParts[0] === allParts[1] ? allParts[0] : allParts[0].slice(0, -1), + base: allParts[2], +- ext: allParts[3], +- name: allParts[2].slice(0, allParts[2].length - allParts[3].length) ++ ext: allParts[4], ++ name: allParts[3] + }; + }; + + + +-// Split a filename into [root, dir, basename, ext], unix version ++// Split a filename into [dir, root, basename, name, ext], unix version + // 'root' is just a slash, or nothing. 
+ var splitPathRe = +- /^(\/?|)((?:[^\/]*\/)*)((?:\.{1,2}|[^\/]+?|)(\.[^.\/]*|))(?:[\/]*)$/; ++ /^((\/?)(?:[^\/]*\/)*)((\.{1,2}|[^\/]+?|)(\.[^.\/]*|))[\/]*$/; + var posix = {}; + + +@@ -67,19 +52,16 @@ posix.parse = function(pathString) { + ); + } + var allParts = posixSplitPath(pathString); +- if (!allParts || allParts.length !== 4) { ++ if (!allParts || allParts.length !== 5) { + throw new TypeError("Invalid path '" + pathString + "'"); + } +- allParts[1] = allParts[1] || ''; +- allParts[2] = allParts[2] || ''; +- allParts[3] = allParts[3] || ''; +- ++ + return { +- root: allParts[0], +- dir: allParts[0] + allParts[1].slice(0, -1), ++ root: allParts[1], ++ dir: allParts[0].slice(0, -1), + base: allParts[2], +- ext: allParts[3], +- name: allParts[2].slice(0, allParts[2].length - allParts[3].length) ++ ext: allParts[4], ++ name: allParts[3], + }; + }; + +-- +2.31.1 + diff --git a/SOURCES/nodejs-tarball.sh b/SOURCES/nodejs-tarball.sh index f3f3298..2ed756a 100755 --- a/SOURCES/nodejs-tarball.sh +++ b/SOURCES/nodejs-tarball.sh @@ -185,15 +185,19 @@ echo "punycode" echo "=========================" grep "'version'" node-v${version}/lib/punycode.js echo +echo "npm" +echo "=========================" +grep "\"version\":" node-v${version}/deps/npm/package.json +echo echo "uvwasi" echo "=========================" grep "define UVWASI_VERSION_MAJOR" node-v${version}/deps/uvwasi/include/uvwasi.h grep "define UVWASI_VERSION_MINOR" node-v${version}/deps/uvwasi/include/uvwasi.h grep "define UVWASI_VERSION_PATCH" node-v${version}/deps/uvwasi/include/uvwasi.h echo -echo "npm" +echo "brotli" echo "=========================" -grep "\"version\":" node-v${version}/deps/npm/package.json +grep "#define BROTLI_VERSION" node-v${version}/deps/brotli/c/common/version.h echo echo "Make sure these versions match what is in the RPM spec file" diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec index fc6939a..28a459a 100644 --- a/SPECS/nodejs.spec +++ b/SPECS/nodejs.spec 
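Review bot: In the second patch's `posix.parse`, `dir: allParts[0].slice(0, -1)` strips the trailing separator even when the captured prefix is nothing but the root, so a path such as `/file` would likely come back with `dir: ''` where the removed `allParts[0] + allParts[1].slice(0, -1)` produced `'/'`; the win32 branch in the same patch guards exactly this case with `dir: allParts[0] === allParts[1] ? allParts[0] : allParts[0].slice(0, -1)`, and the posix branch should use the same expression. Because this is a behaviour change carried into the backport beyond the ReDoS fix, a check of `/file` and `file` against the pre-patch output is worth adding before shipping. The first patch also adds `deps/npm/node_modules/path-parse/redos.js`, a timing loop running to five million iterations that will be installed into the npm tree with the rest of the package; it is a reproduction script rather than runtime code, so dropping it from the backport (or pruning it in the spec's install section) keeps it out of the shipped node_modules.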
@@ -29,8 +29,8 @@ # than a Fedora release lifecycle. %global nodejs_epoch 1 %global nodejs_major 12 -%global nodejs_minor 20 -%global nodejs_patch 1 +%global nodejs_minor 22 +%global nodejs_patch 5 %global nodejs_abi %{nodejs_major}.%{nodejs_minor} %if %{?with_libs} == 1 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h @@ -57,8 +57,8 @@ # c-ares - from deps/cares/include/ares_version.h # https://github.com/nodejs/node/pull/9332 %global c_ares_major 1 -%global c_ares_minor 16 -%global c_ares_patch 1 +%global c_ares_minor 17 +%global c_ares_patch 2 %global c_ares_version %{c_ares_major}.%{c_ares_minor}.%{c_ares_patch} # http-parser - from deps/http_parser/http_parser.h @@ -106,7 +106,7 @@ %global npm_epoch 1 %global npm_major 6 %global npm_minor 14 -%global npm_patch 10 +%global npm_patch 14 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch} # uvwasi - from deps/uvwasi/include/uvwasi.h @@ -167,12 +167,16 @@ Patch1: 0001-Disable-running-gyp-on-shared-deps.patch Patch2: 0002-Install-both-binaries-and-use-libdir.patch %endif -# CVE-2020-7774 -Patch4: 0004-CVE-2020-7774-nodejs-y18n-prototype-pollution-vulnerability.patch +# Upstream patch to use getauxval +Patch3: 0003-src-use-getauxval-in-node_main.cc.patch -# CVE-2020-7788 -Patch5: 0005-CVE-2020-7788-ini-do-not-allow-invalid-hazardous-string.patch +# Make FIPS always available +# https://github.com/nodejs/node/issues/34903 +Patch4: 0004-always-available-fips-options.patch +Patch5: 0005-CVE-2021-23343-nodejs-path-parse.patch + +BuildRequires: make BuildRequires: python2-devel BuildRequires: python3-devel BuildRequires: zlib-devel 
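Review bot: `Patch5: 0005-CVE-2021-23343-nodejs-path-parse.patch` is added without the explanatory comment the neighbouring entries carry (the removed Patch4/Patch5 lines had `# CVE-...` headers and the new Patch4 cites its upstream issue), which is what spec readers and CVE audits grep for. Suggest `# CVE-2021-23343 - path-parse ReDoS, https://github.com/jbgutierrez/path-parse/pull/10` immediately above it, so the spec matches the CVE list in the changelog. If `%prep` applies patches with explicit `%patchN` macros rather than `%autosetup`, the new Patch3 through Patch5 also need their `%patch` lines; that section is outside this hunk.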
@@ -184,13 +188,13 @@ BuildRequires: gcc-c++ >= 6.3.0 BuildRequires: nodejs-packaging BuildRequires: chrpath BuildRequires: libatomic +BuildRequires: systemtap-sdt-devel %if %{with bootstrap} Provides: bundled(http-parser) = %{http_parser_version} Provides: bundled(libuv) = %{libuv_version} Provides: bundled(nghttp2) = %{nghttp2_version} %else -BuildRequires: systemtap-sdt-devel BuildRequires: libuv-devel >= 1:%{libuv_version} Requires: libuv >= 1:%{libuv_version} BuildRequires: libnghttp2-devel >= %{nghttp2_version} @@ -454,7 +458,6 @@ export LDFLAGS="%{build_ldflags}" # --shared-brotli \ # --without-dtrace \ # --with-intl=small-icu \ -# --debug-nghttp2 \ # --openssl-use-def-ca-store #%else #./configure --prefix=%{_prefix} \ @@ -464,7 +467,6 @@ export LDFLAGS="%{build_ldflags}" # --shared-zlib \ # --shared-brotli \ # --shared-libuv \ -# --shared-nghttp2 \ # --with-dtrace \ # --with-intl=%{icu_flag} \ # --with-icu-default-data-dir=%{icudatadir} \ @@ -481,8 +483,8 @@ export LDFLAGS="%{build_ldflags}" --shared-brotli \ --without-dtrace \ --with-intl=small-icu \ - --debug-nghttp2 \ - --openssl-use-def-ca-store + --openssl-use-def-ca-store \ + --openssl-default-cipher-list=PROFILE=SYSTEM %else ./configure --prefix=%{_prefix} \ --shared-openssl \ @@ -493,8 +495,8 @@ export LDFLAGS="%{build_ldflags}" --with-dtrace \ --with-intl=%{icu_flag} \ --with-icu-default-data-dir=%{icudatadir} \ - --debug-nghttp2 \ - --openssl-use-def-ca-store + --openssl-use-def-ca-store \ + --openssl-default-cipher-list=PROFILE=SYSTEM %endif %else @@ -505,8 +507,8 @@ export LDFLAGS="%{build_ldflags}" --shared-zlib \ --without-dtrace \ --with-intl=small-icu \ - --debug-nghttp2 \ - --openssl-use-def-ca-store + --openssl-use-def-ca-store \ + --openssl-default-cipher-list=PROFILE=SYSTEM %else ./configure --prefix=%{_prefix} \ --shared-openssl \ 
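Review bot: `--openssl-default-cipher-list=PROFILE=SYSTEM` is appended to all four configure invocations (this hunk at line 481 and the ones at 493, 505 and 516), including the two `--with-intl=small-icu` variants whose `--shared-openssl` flag is not visible in the context; `PROFILE=SYSTEM` is a cipher-string extension understood only by a crypto-policies-enabled system OpenSSL, so any branch that links the bundled OpenSSL would likely reject the default cipher list when a TLS context is first created. Confirm every branch that receives this option also passes `--shared-openssl`, or restrict the option to the branches that do. A one-line comment above each occurrence, `# PROFILE=SYSTEM defers the cipher list to the system-wide crypto policy; requires the system OpenSSL`, records the dependency for the next rebase.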
@@ -516,8 +518,8 @@ export LDFLAGS="%{build_ldflags}" --with-dtrace \ --with-intl=%{icu_flag} \ --with-icu-default-data-dir=%{icudatadir} \ - --debug-nghttp2 \ - --openssl-use-def-ca-store + --openssl-use-def-ca-store \ + --openssl-default-cipher-list=PROFILE=SYSTEM %endif %endif 
@@ -870,14 +872,42 @@ end %changelog +* Mon Aug 16 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.22.5-1 +- Resolves CVE-2021-22930, CVE-2021-22931, CVE-2021-22939, CVE-2021-22940, +- CVE-2021-23343, CVE-2021-32803, CVE-2021-32804, CVE-2021-3672 +- Resolves RHBZ#1951621 (make FIPS always available) +- Resolves: RHBZ#1988595, RHBZ#1993992, RHBZ#1993989, RHBZ#1993093 +- Resolves: RHBZ#1994025, RHBZ#1994403, RHBZ#1994407, RHBZ#1994399 +- Resolves: RHBZ#1993927 (make FIPS always available) + +* Mon Aug 09 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.22.3-3 +- Resolves CVE-2021-23362 CVE-2021-27290 +- Resolves: RHBZ#1991584, RHBZ#1991578 +- Add missing CVE trackers + +* Thu Jul 08 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.22.3-2 +- Resolves: RHBZ#1980031, RHBZ#1978201 +- Fix typo, BR systemtap-sdt-level always, remove y18n patch + +* Wed Jul 07 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.22.3-1 +- Resolves: RHBZ#1980031, RHBZ#1978201 +- Resolves #1952915 +- Resolves CVE-2021-22918(libuv), use system cipher list + +* Tue Mar 02 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.21.0-1 +- Resolves: RHBZ#1932316, RHBZ#1932365 +- remove --debug-nghttp2 option +- remove ini patch +- Backport patch to use getauxval + * Mon Jan 18 2021 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.20.1-1 - Security rebase for January security release - https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/ -- Resolves: RHBZ#1916460, RHBZ#1914786 -- Resolves: RHBZ#1914784, RHBZ#1916396 +- Resolves: RHBZ#1913000, RHBZ#1912952 +- Resolves: RHBZ#1912635, RHBZ#1893984 * Tue Nov 24 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.19.1-1 -- Resolves: RHBZ#1901044, #1901045, #1901046, #1901047 +- Resolves: RHBZ#1861602, #1874302, #1898598, #1898765 - c-ares, ajv and y18n CVEs and yarn installability issues * Mon Oct 05 2020 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:12.18.4-2