import UBI nodejs-18.19.1-1.module+el9.3.0+21388+22892fb9
parent
3d308e0487
commit
f5f6ea6550
4
.gitignore
vendored
4
.gitignore
vendored
@ -1,5 +1,5 @@
|
|||||||
SOURCES/cjs-module-lexer-1.2.2.tar.gz
|
SOURCES/cjs-module-lexer-1.2.2.tar.gz
|
||||||
SOURCES/icu4c-73_2-src.tgz
|
SOURCES/icu4c-73_2-src.tgz
|
||||||
SOURCES/node-v18.19.0-stripped.tar.gz
|
SOURCES/node-v18.19.1-stripped.tar.gz
|
||||||
SOURCES/undici-5.26.4.tar.gz
|
SOURCES/undici-5.28.3.tar.gz
|
||||||
SOURCES/wasi-sdk-11.0-linux.tar.gz
|
SOURCES/wasi-sdk-11.0-linux.tar.gz
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
b0a91341ecf6c68a9d59a1c57d000fbbcc771679 SOURCES/cjs-module-lexer-1.2.2.tar.gz
|
b0a91341ecf6c68a9d59a1c57d000fbbcc771679 SOURCES/cjs-module-lexer-1.2.2.tar.gz
|
||||||
3d94969b097189bf5479c312d9593d2d252f5a73 SOURCES/icu4c-73_2-src.tgz
|
3d94969b097189bf5479c312d9593d2d252f5a73 SOURCES/icu4c-73_2-src.tgz
|
||||||
86902e7f408e3689e3048ae7ec047fb658be6a6e SOURCES/node-v18.19.0-stripped.tar.gz
|
7962d96e7c1517cf7b34395fc582b32b8acebe3a SOURCES/node-v18.19.1-stripped.tar.gz
|
||||||
d1dde2c4db1554f1f152d98f5fed64ea606be946 SOURCES/undici-5.26.4.tar.gz
|
b598f79f4706fe75c31ff2a214e50acc04c4725a SOURCES/undici-5.28.3.tar.gz
|
||||||
ff114dd45b4efeeae7afe4621bfc6f886a475b4b SOURCES/wasi-sdk-11.0-linux.tar.gz
|
ff114dd45b4efeeae7afe4621bfc6f886a475b4b SOURCES/wasi-sdk-11.0-linux.tar.gz
|
||||||
|
@ -1,15 +1,75 @@
|
|||||||
FIPS related options cause a segfault, let's end sooner
|
From 98738d27288bd9ca634e29181ef665e812e7bbd3 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Michael Dawson <midawson@redhat.com>
|
||||||
|
Date: Fri, 23 Feb 2024 13:43:56 +0100
|
||||||
|
Subject: [PATCH] Disable FIPS options
|
||||||
|
|
||||||
|
On RHEL, FIPS should be configured only on system level.
|
||||||
|
Additionally, the related options may cause segfault when used on RHEL.
|
||||||
|
|
||||||
|
This patch causes the option processing to end sooner
|
||||||
|
than the problematic code gets executed.
|
||||||
|
Additionally, the JS-level options to mess with FIPS settings
|
||||||
|
are similarly disabled.
|
||||||
|
|
||||||
Upstream report: https://github.com/nodejs/node/pull/48950
|
Upstream report: https://github.com/nodejs/node/pull/48950
|
||||||
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=2226726
|
RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=2226726
|
||||||
|
Customer case: https://access.redhat.com/support/cases/#/case/03711488
|
||||||
|
---
|
||||||
|
lib/crypto.js | 10 ++++++++++
|
||||||
|
lib/internal/errors.js | 6 ++++++
|
||||||
|
src/crypto/crypto_util.cc | 2 ++
|
||||||
|
3 files changed, 18 insertions(+)
|
||||||
|
|
||||||
This patch makes the part of the code that processes cmd-line options for
|
diff --git a/lib/crypto.js b/lib/crypto.js
|
||||||
FIPS to end sooner before the code gets to the problematic part of the code.
|
index 41adecc..b2627ac 100644
|
||||||
|
--- a/lib/crypto.js
|
||||||
|
+++ b/lib/crypto.js
|
||||||
|
@@ -36,6 +36,9 @@ const {
|
||||||
|
assertCrypto();
|
||||||
|
|
||||||
diff -up node-v18.16.1/src/crypto/crypto_util.cc.origfips node-v18.16.1/src/crypto/crypto_util.cc
|
const {
|
||||||
--- node-v18.16.1/src/crypto/crypto_util.cc.origfips 2023-07-31 12:09:46.603683081 +0200
|
+ // RHEL specific error
|
||||||
+++ node-v18.16.1/src/crypto/crypto_util.cc 2023-07-31 12:16:16.906617914 +0200
|
+ ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED,
|
||||||
@@ -111,6 +111,8 @@ bool ProcessFipsOptions() {
|
+
|
||||||
|
ERR_CRYPTO_FIPS_FORCED,
|
||||||
|
} = require('internal/errors').codes;
|
||||||
|
const constants = internalBinding('constants').crypto;
|
||||||
|
@@ -251,6 +254,13 @@ function getFips() {
|
||||||
|
}
|
||||||
|
|
||||||
|
function setFips(val) {
|
||||||
|
+ // in RHEL FIPS enable/disable should only be done at system level
|
||||||
|
+ if (getFips() != val) {
|
||||||
|
+ throw new ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED();
|
||||||
|
+ } else {
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
if (getOptionValue('--force-fips')) {
|
||||||
|
if (val) return;
|
||||||
|
throw new ERR_CRYPTO_FIPS_FORCED();
|
||||||
|
diff --git a/lib/internal/errors.js b/lib/internal/errors.js
|
||||||
|
index a722360..04d8a53 100644
|
||||||
|
--- a/lib/internal/errors.js
|
||||||
|
+++ b/lib/internal/errors.js
|
||||||
|
@@ -1060,6 +1060,12 @@ module.exports = {
|
||||||
|
//
|
||||||
|
// Note: Node.js specific errors must begin with the prefix ERR_
|
||||||
|
|
||||||
|
+// insert RHEL specific erro
|
||||||
|
+E('ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED',
|
||||||
|
+ 'Cannot set FIPS mode. FIPS should be enabled/disabled at system level. See' +
|
||||||
|
+ 'https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening for more details.\n',
|
||||||
|
+ Error);
|
||||||
|
+
|
||||||
|
E('ERR_ACCESS_DENIED',
|
||||||
|
'Access to this API has been restricted. Permission: %s',
|
||||||
|
Error);
|
||||||
|
diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
|
||||||
|
index 5734d8f..ef9d1b1 100644
|
||||||
|
--- a/src/crypto/crypto_util.cc
|
||||||
|
+++ b/src/crypto/crypto_util.cc
|
||||||
|
@@ -121,6 +121,8 @@ bool ProcessFipsOptions() {
|
||||||
/* Override FIPS settings in configuration file, if needed. */
|
/* Override FIPS settings in configuration file, if needed. */
|
||||||
if (per_process::cli_options->enable_fips_crypto ||
|
if (per_process::cli_options->enable_fips_crypto ||
|
||||||
per_process::cli_options->force_fips_crypto) {
|
per_process::cli_options->force_fips_crypto) {
|
||||||
@ -18,3 +78,5 @@ diff -up node-v18.16.1/src/crypto/crypto_util.cc.origfips node-v18.16.1/src/cryp
|
|||||||
#if OPENSSL_VERSION_MAJOR >= 3
|
#if OPENSSL_VERSION_MAJOR >= 3
|
||||||
OSSL_PROVIDER* fips_provider = OSSL_PROVIDER_load(nullptr, "fips");
|
OSSL_PROVIDER* fips_provider = OSSL_PROVIDER_load(nullptr, "fips");
|
||||||
if (fips_provider == nullptr)
|
if (fips_provider == nullptr)
|
||||||
|
--
|
||||||
|
2.43.2
|
||||||
|
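Review bot: In the lib/internal/errors.js part of the embedded patch, the two string pieces of the ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED message are joined without a space, so the text reads `See` immediately followed by `https://access.redhat.com/...` and the hardening-guide link is hard to pick out; end the first piece with a space, `'Cannot set FIPS mode. FIPS should be enabled/disabled at system level. See ' +`. In lib/crypto.js the new guard at the top of setFips() either throws or returns on every path, so the `--force-fips` handling that follows it is now unreachable and deserves a comment saying so, for example `// RHEL: not reached, FIPS is controlled at system level`. The comparison `getFips() != val` also relies on loose coercion; if getFips() returns 0/1, as it appears to, a truthy value other than `true` or `1` would be rejected even when FIPS is already on, and `if (Boolean(getFips()) !== Boolean(val))` would state the intent directly. setFips() continues past the end of the hunk, so the rest of its body is not visible here.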
@ -41,7 +41,7 @@
|
|||||||
%global nodejs_epoch 1
|
%global nodejs_epoch 1
|
||||||
%global nodejs_major 18
|
%global nodejs_major 18
|
||||||
%global nodejs_minor 19
|
%global nodejs_minor 19
|
||||||
%global nodejs_patch 0
|
%global nodejs_patch 1
|
||||||
%global nodejs_abi %{nodejs_major}.%{nodejs_minor}
|
%global nodejs_abi %{nodejs_major}.%{nodejs_minor}
|
||||||
# nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
|
# nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
|
||||||
%global nodejs_soversion 108
|
%global nodejs_soversion 108
|
||||||
@ -68,7 +68,7 @@
|
|||||||
%global c_ares_version 1.20.1
|
%global c_ares_version 1.20.1
|
||||||
|
|
||||||
# llhttp - from deps/llhttp/include/llhttp.h
|
# llhttp - from deps/llhttp/include/llhttp.h
|
||||||
%global llhttp_version 6.0.11
|
%global llhttp_version 6.1.0
|
||||||
|
|
||||||
# libuv - from deps/uv/include/uv/version.h
|
# libuv - from deps/uv/include/uv/version.h
|
||||||
%global libuv_version 1.44.2
|
%global libuv_version 1.44.2
|
||||||
@ -110,11 +110,11 @@
|
|||||||
# simduft from deps/simdutf/simdutf.h
|
# simduft from deps/simdutf/simdutf.h
|
||||||
%global simduft_major 3
|
%global simduft_major 3
|
||||||
%global simduft_minor 2
|
%global simduft_minor 2
|
||||||
%global simduft_patch 18
|
%global simduft_patch 14
|
||||||
%global simduft_version %{simduft_major}.%{simduft_minor}.%{simduft_patch}
|
%global simduft_version %{simduft_major}.%{simduft_minor}.%{simduft_patch}
|
||||||
|
|
||||||
# ada from deps/ada/ada.h
|
# ada from deps/ada/ada.h
|
||||||
%global ada_version 2.7.2
|
%global ada_version 2.6.0
|
||||||
|
|
||||||
# OpenSSL minimum version
|
# OpenSSL minimum version
|
||||||
%global openssl_minimum 1:1.1.1
|
%global openssl_minimum 1:1.1.1
|
||||||
@ -126,7 +126,7 @@
|
|||||||
|
|
||||||
# npm - from deps/npm/package.json
|
# npm - from deps/npm/package.json
|
||||||
%global npm_epoch 1
|
%global npm_epoch 1
|
||||||
%global npm_version 10.2.3
|
%global npm_version 10.2.4
|
||||||
|
|
||||||
# In order to avoid needing to keep incrementing the release version for the
|
# In order to avoid needing to keep incrementing the release version for the
|
||||||
# main package forever, we will just construct one for npm that is guaranteed
|
# main package forever, we will just construct one for npm that is guaranteed
|
||||||
@ -138,7 +138,7 @@
|
|||||||
%global uvwasi_version 0.0.19
|
%global uvwasi_version 0.0.19
|
||||||
|
|
||||||
# histogram_c - assumed from timestamps
|
# histogram_c - assumed from timestamps
|
||||||
%global histogram_version 0.11.2
|
%global histogram_version 0.11.8
|
||||||
|
|
||||||
Name: nodejs
|
Name: nodejs
|
||||||
Epoch: %{nodejs_epoch}
|
Epoch: %{nodejs_epoch}
|
||||||
@ -181,10 +181,10 @@ Source101: cjs-module-lexer-1.2.2.tar.gz
|
|||||||
Source111: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-11.0-linux.tar.gz
|
Source111: https://github.com/WebAssembly/wasi-sdk/archive/wasi-sdk-11/wasi-sdk-11.0-linux.tar.gz
|
||||||
|
|
||||||
# Version: jq '.version' deps/undici/src/package.json
|
# Version: jq '.version' deps/undici/src/package.json
|
||||||
# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.26.4.tar.gz
|
# Original: https://github.com/nodejs/undici/archive/refs/tags/v5.28.3.tar.gz
|
||||||
# Adjustments: rm -f undici-5.26.4/lib/llhttp/llhttp*.wasm
|
# Adjustments: rm -f undici-5.28.3/lib/llhttp/llhttp*.wasm
|
||||||
# Build uses alpine image, see alpine for sources for wasi-sdk
|
# Build uses alpine image, see alpine for sources for wasi-sdk
|
||||||
Source102: undici-5.26.4.tar.gz
|
Source102: undici-5.28.3.tar.gz
|
||||||
|
|
||||||
# Disable running gyp on bundled deps we don't use
|
# Disable running gyp on bundled deps we don't use
|
||||||
Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
|
Patch1: 0001-Disable-running-gyp-on-shared-deps.patch
|
||||||
@ -628,9 +628,19 @@ NODE_PATH=%{buildroot}%{_prefix}/lib/node_modules:%{buildroot}%{_prefix}/lib/nod
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Feb 29 2024 Lukas Javorsky <ljavorsk@redhat.com> - 1:18.19.1-1
|
||||||
|
- Rebase to version 18.19.1
|
||||||
|
- Fix FIPS handling of the cmd-line options (RHBZ#2226726)
|
||||||
|
- Resolves: RHEL-26695 RHEL-26009 RHEL-26690
|
||||||
|
|
||||||
* Thu Jan 18 2024 Jan Staněk <jstanek@redhat.com> - 1:18.19.0-1
|
* Thu Jan 18 2024 Jan Staněk <jstanek@redhat.com> - 1:18.19.0-1
|
||||||
- Rebase to version 18.19.0
|
- Rebase to version 18.19.0
|
||||||
Resolves: RHEL-21436
|
Resolves: RHEL-21438
|
||||||
|
|
||||||
|
* Sat Oct 14 2023 Zuzana Svetlikova <zsvetlik@redhat.com> - 1:18.18.2-1
|
||||||
|
- Rebase to 18.18.2 (Security release)
|
||||||
|
- Switch icu from zip to tgz
|
||||||
|
- Fixes #2228925, CVE-2023-45143, CVE-2023-44487, CVE-2023-38552, CVE-2023-39333
|
||||||
|
|
||||||
* Wed Aug 23 2023 Jan Staněk <jstanek@redhat.com> - 1:18.17.1-1
|
* Wed Aug 23 2023 Jan Staněk <jstanek@redhat.com> - 1:18.17.1-1
|
||||||
- Rebase to version 18.17.1
|
- Rebase to version 18.17.1
|
||||||
|