diff --git a/.gitignore b/.gitignore index b9a9bff..bd64a19 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,5 @@ SOURCES/cjs-module-lexer-1.2.2.tar.gz SOURCES/icu4c-74_2-src.tgz -SOURCES/node-v18.20.2-stripped.tar.gz +SOURCES/node-v18.20.4-stripped.tar.gz SOURCES/undici-5.28.4.tar.gz SOURCES/wasi-sdk-11.0-linux.tar.gz diff --git a/.nodejs.metadata b/.nodejs.metadata index c173ffe..bf14de6 100644 --- a/.nodejs.metadata +++ b/.nodejs.metadata @@ -1,5 +1,5 @@ 164f7f39841415284b0280a648c43bd7ea1615ac SOURCES/cjs-module-lexer-1.2.2.tar.gz 43a8d688a3a6bc8f0f8c5e699d0ef7a905d24314 SOURCES/icu4c-74_2-src.tgz -d3c7f3b4d4aa55e38b0e221ed4f5fdfcf48d1e4c SOURCES/node-v18.20.2-stripped.tar.gz +1865285a5bf26669d5fadbc5eb78e97f4adad612 SOURCES/node-v18.20.4-stripped.tar.gz d38d72bec82e3c41a4de73d6ee56d9c9eff5f403 SOURCES/undici-5.28.4.tar.gz ff114dd45b4efeeae7afe4621bfc6f886a475b4b SOURCES/wasi-sdk-11.0-linux.tar.gz diff --git a/SOURCES/CVE-2024-28182.patch b/SOURCES/CVE-2024-28182.patch deleted file mode 100644 index 5eca31e..0000000 --- a/SOURCES/CVE-2024-28182.patch +++ /dev/null @@ -1,157 +0,0 @@ -Backport from upstream commits. -https://github.com/nghttp2/nghttp2/commit/00201ecd8f982da3b67d4f6868af72a1b03b14e0 -https://github.com/nghttp2/nghttp2/commit/d71a4668c6bead55805d18810d633fbb98315af9 - - -diff -ur node-v18.19.1_orig/deps/nghttp2/lib/includes/nghttp2/nghttp2.h node-v18.19.1/deps/nghttp2/lib/includes/nghttp2/nghttp2.h ---- node-v18.19.1_orig/deps/nghttp2/lib/includes/nghttp2/nghttp2.h 2024-04-15 14:38:00.000000000 +0200 -+++ node-v18.19.1/deps/nghttp2/lib/includes/nghttp2/nghttp2.h 2024-04-15 14:43:36.000000000 +0200 -@@ -440,7 +440,12 @@ - * exhaustion on server side to send these frames forever and does - * not read network. - */ -- NGHTTP2_ERR_FLOODED = -904 -+ NGHTTP2_ERR_FLOODED = -904, -+ /** -+ * When a local endpoint receives too many CONTINUATION frames -+ * following a HEADER frame. -+ */ -+ NGHTTP2_ERR_TOO_MANY_CONTINUATIONS = -905, - } nghttp2_error; - - /** -@@ -2775,6 +2780,17 @@ - - /** - * @function -+ * -+ * This function sets the maximum number of CONTINUATION frames -+ * following an incoming HEADER frame. If more than those frames are -+ * received, the remote endpoint is considered to be misbehaving and -+ * session will be closed. The default value is 8. -+ */ -+NGHTTP2_EXTERN void nghttp2_option_set_max_continuations(nghttp2_option *option, -+ size_t val); -+ -+/** -+ * @function - * - * Initializes |*session_ptr| for client use. The all members of - * |callbacks| are copied to |*session_ptr|. Therefore |*session_ptr| -Only in node-v18.19.1/deps/nghttp2/lib/includes/nghttp2: nghttp2.h.orig -diff -ur node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_helper.c node-v18.19.1/deps/nghttp2/lib/nghttp2_helper.c ---- node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_helper.c 2024-04-15 14:38:00.000000000 +0200 -+++ node-v18.19.1/deps/nghttp2/lib/nghttp2_helper.c 2024-04-15 14:41:10.000000000 +0200 -@@ -336,6 +336,8 @@ - "closed"; - case NGHTTP2_ERR_TOO_MANY_SETTINGS: - return "SETTINGS frame contained more than the maximum allowed entries"; -+ case NGHTTP2_ERR_TOO_MANY_CONTINUATIONS: -+ return "Too many CONTINUATION frames following a HEADER frame"; - default: - return "Unknown error code"; - } -diff -ur node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_option.c node-v18.19.1/deps/nghttp2/lib/nghttp2_option.c ---- node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_option.c 2024-04-15 14:38:00.000000000 +0200 -+++ node-v18.19.1/deps/nghttp2/lib/nghttp2_option.c 2024-04-15 14:43:36.000000000 +0200 -@@ -150,3 +150,8 @@ - option->stream_reset_burst = burst; - option->stream_reset_rate = rate; - } -+ -+void nghttp2_option_set_max_continuations(nghttp2_option *option, size_t val) { -+ option->opt_set_mask |= NGHTTP2_OPT_MAX_CONTINUATIONS; -+ option->max_continuations = val; -+} -diff -ur node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_option.h node-v18.19.1/deps/nghttp2/lib/nghttp2_option.h ---- node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_option.h 2024-04-15 14:38:00.000000000 +0200 -+++ node-v18.19.1/deps/nghttp2/lib/nghttp2_option.h 2024-04-15 14:43:36.000000000 +0200 -@@ -71,6 +71,7 @@ - NGHTTP2_OPT_SERVER_FALLBACK_RFC7540_PRIORITIES = 1 << 13, - NGHTTP2_OPT_NO_RFC9113_LEADING_AND_TRAILING_WS_VALIDATION = 1 << 14, - NGHTTP2_OPT_STREAM_RESET_RATE_LIMIT = 1 << 15, -+ NGHTTP2_OPT_MAX_CONTINUATIONS = 1 << 16, - } nghttp2_option_flag; - - /** -@@ -99,6 +100,10 @@ - */ - size_t max_settings; - /** -+ * NGHTTP2_OPT_MAX_CONTINUATIONS -+ */ -+ size_t max_continuations; -+ /** - * Bitwise OR of nghttp2_option_flag to determine that which fields - * are specified. - */ -diff -ur node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_session.c node-v18.19.1/deps/nghttp2/lib/nghttp2_session.c ---- node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_session.c 2024-04-15 14:38:00.000000000 +0200 -+++ node-v18.19.1/deps/nghttp2/lib/nghttp2_session.c 2024-04-15 14:43:36.000000000 +0200 -@@ -496,6 +496,7 @@ - (*session_ptr)->max_send_header_block_length = NGHTTP2_MAX_HEADERSLEN; - (*session_ptr)->max_outbound_ack = NGHTTP2_DEFAULT_MAX_OBQ_FLOOD_ITEM; - (*session_ptr)->max_settings = NGHTTP2_DEFAULT_MAX_SETTINGS; -+ (*session_ptr)->max_continuations = NGHTTP2_DEFAULT_MAX_CONTINUATIONS; - - if (option) { - if ((option->opt_set_mask & NGHTTP2_OPT_NO_AUTO_WINDOW_UPDATE) && -@@ -584,6 +585,10 @@ - option->stream_reset_burst, - option->stream_reset_rate); - } -+ -+ if (option->opt_set_mask & NGHTTP2_OPT_MAX_CONTINUATIONS) { -+ (*session_ptr)->max_continuations = option->max_continuations; -+ } - } - - rv = nghttp2_hd_deflate_init2(&(*session_ptr)->hd_deflater, -@@ -6778,6 +6783,8 @@ - } - } - session_inbound_frame_reset(session); -+ -+ session->num_continuations = 0; - } - break; - } -@@ -6899,6 +6906,10 @@ - } - #endif /* DEBUGBUILD */ - -+ if (++session->num_continuations > session->max_continuations) { -+ return NGHTTP2_ERR_TOO_MANY_CONTINUATIONS; -+ } -+ - readlen = inbound_frame_buf_read(iframe, in, last); - in += readlen; - -Only in node-v18.19.1/deps/nghttp2/lib: nghttp2_session.c.orig -diff -ur node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_session.h node-v18.19.1/deps/nghttp2/lib/nghttp2_session.h ---- node-v18.19.1_orig/deps/nghttp2/lib/nghttp2_session.h 2024-04-15 14:38:00.000000000 +0200 -+++ node-v18.19.1/deps/nghttp2/lib/nghttp2_session.h 2024-04-15 14:41:10.000000000 +0200 -@@ -110,6 +110,10 @@ - #define NGHTTP2_DEFAULT_STREAM_RESET_BURST 1000 - #define NGHTTP2_DEFAULT_STREAM_RESET_RATE 33 - -+/* The default max number of CONTINUATION frames following an incoming -+ HEADER frame. */ -+#define NGHTTP2_DEFAULT_MAX_CONTINUATIONS 8 -+ - /* Internal state when receiving incoming frame */ - typedef enum { - /* Receiving frame header */ -@@ -290,6 +294,12 @@ - size_t max_send_header_block_length; - /* The maximum number of settings accepted per SETTINGS frame. */ - size_t max_settings; -+ /* The maximum number of CONTINUATION frames following an incoming -+ HEADER frame. */ -+ size_t max_continuations; -+ /* The number of CONTINUATION frames following an incoming HEADER -+ frame. This variable is reset when END_HEADERS flag is seen. */ -+ size_t num_continuations; - /* Next Stream ID. Made unsigned int to detect >= (1 << 31). */ - uint32_t next_stream_id; - /* The last stream ID this session initiated. For client session, diff --git a/SOURCES/nodejs-fips-disable-options.patch b/SOURCES/nodejs-fips-disable-options.patch index 07f8d92..ada1ce3 100644 --- a/SOURCES/nodejs-fips-disable-options.patch +++ b/SOURCES/nodejs-fips-disable-options.patch @@ -13,7 +13,6 @@ are similarly disabled. Upstream report: https://github.com/nodejs/node/pull/48950 RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=2226726 -Customer case: https://access.redhat.com/support/cases/#/case/03711488 --- lib/crypto.js | 10 ++++++++++ lib/internal/errors.js | 6 ++++++ @@ -80,4 +79,3 @@ index 5734d8f..ef9d1b1 100644 if (fips_provider == nullptr) -- 2.43.2 - diff --git a/SOURCES/nodejs-tarball.sh b/SOURCES/nodejs-tarball.sh index f59d5c2..66f5ca2 100755 --- a/SOURCES/nodejs-tarball.sh +++ b/SOURCES/nodejs-tarball.sh @@ -135,67 +135,109 @@ rm -f node-v${version}.tar.gz set +e # Determine the bundled versions of the various packages +echo "Included software versions" +echo "-------------------------" +echo +echo "Node.js version" +echo "=========================" +echo "${version}" +echo echo "Bundled software versions" echo "-------------------------" echo -echo "libnode shared object version" +echo "libnode shared object version (nodejs_soversion)" echo "=========================" -grep "define NODE_MODULE_VERSION" node-v${version}/src/node_version.h +NODE_SOVERSION=$(grep -oP '(?<=#define NODE_MODULE_VERSION )\d+' node-v${version}/src/node_version.h) +echo "${NODE_SOVERSION}" echo echo "V8" echo "=========================" -grep "define V8_MAJOR_VERSION" node-v${version}/deps/v8/include/v8-version.h -grep "define V8_MINOR_VERSION" node-v${version}/deps/v8/include/v8-version.h -grep "define V8_BUILD_NUMBER" node-v${version}/deps/v8/include/v8-version.h -grep "define V8_PATCH_LEVEL" node-v${version}/deps/v8/include/v8-version.h +V8_MAJOR=$(grep -oP '(?<=#define V8_MAJOR_VERSION )\d+' node-v${version}/deps/v8/include/v8-version.h) +V8_MINOR=$(grep -oP '(?<=#define V8_MINOR_VERSION )\d+' node-v${version}/deps/v8/include/v8-version.h) +V8_BUILD=$(grep -oP '(?<=#define V8_BUILD_NUMBER )\d+' node-v${version}/deps/v8/include/v8-version.h) +V8_PATCH=$(grep -oP '(?<=#define V8_PATCH_LEVEL )\d+' node-v${version}/deps/v8/include/v8-version.h) +echo "${V8_MAJOR}.${V8_MINOR}.${V8_BUILD}.${V8_PATCH}" echo echo "c-ares" echo "=========================" -grep "define ARES_VERSION_MAJOR" node-v${version}/deps/cares/include/ares_version.h -grep "define ARES_VERSION_MINOR" node-v${version}/deps/cares/include/ares_version.h -grep "define ARES_VERSION_PATCH" node-v${version}/deps/cares/include/ares_version.h +C_ARES_VERSION=$(grep -oP '(?<=#define ARES_VERSION_STR ).*\"' node-v${version}/deps/cares/include/ares_version.h |sed -e 's/^"//' -e 's/"$//') +echo $C_ARES_VERSION echo echo "llhttp" echo "=========================" -grep "define LLHTTP_VERSION_MAJOR" node-v${version}/deps/llhttp/include/llhttp.h -grep "define LLHTTP_VERSION_MINOR" node-v${version}/deps/llhttp/include/llhttp.h -grep "define LLHTTP_VERSION_PATCH" node-v${version}/deps/llhttp/include/llhttp.h +LLHTTP_MAJOR=$(grep -oP '(?<=#define LLHTTP_VERSION_MAJOR )\d+' node-v${version}/deps/llhttp/include/llhttp.h) +LLHTTP_MINOR=$(grep -oP '(?<=#define LLHTTP_VERSION_MINOR )\d+' node-v${version}/deps/llhttp/include/llhttp.h) +LLHTTP_PATCH=$(grep -oP '(?<=#define LLHTTP_VERSION_PATCH )\d+' node-v${version}/deps/llhttp/include/llhttp.h) +LLHTTP_VERSION="${LLHTTP_MAJOR}.${LLHTTP_MINOR}.${LLHTTP_PATCH}" +echo $LLHTTP_VERSION echo echo "libuv" echo "=========================" -grep "define UV_VERSION_MAJOR" node-v${version}/deps/uv/include/uv/version.h -grep "define UV_VERSION_MINOR" node-v${version}/deps/uv/include/uv/version.h -grep "define UV_VERSION_PATCH" node-v${version}/deps/uv/include/uv/version.h +UV_MAJOR=$(grep -oP '(?<=#define UV_VERSION_MAJOR )\d+' node-v${version}/deps/uv/include/uv/version.h) +UV_MINOR=$(grep -oP '(?<=#define UV_VERSION_MINOR )\d+' node-v${version}/deps/uv/include/uv/version.h) +UV_PATCH=$(grep -oP '(?<=#define UV_VERSION_PATCH )\d+' node-v${version}/deps/uv/include/uv/version.h) +LIBUV_VERSION="${UV_MAJOR}.${UV_MINOR}.${UV_PATCH}" +echo $LIBUV_VERSION echo echo "nghttp2" echo "=========================" -grep "define NGHTTP2_VERSION " node-v${version}/deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h +NGHTTP2_VERSION=$(grep -oP '(?<=#define NGHTTP2_VERSION ).*\"' node-v${version}/deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h |sed -e 's/^"//' -e 's/"$//') +echo $NGHTTP2_VERSION echo echo "nghttp3" echo "=========================" -grep "define NGHTTP3_VERSION " node-v${version}/deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h +NGHTTP3_VERSION=$(grep -oP '(?<=#define NGHTTP3_VERSION ).*\"' node-v${version}/deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h |sed -e 's/^"//' -e 's/"$//') +echo $NGHTTP3_VERSION echo echo "ngtcp2" echo "=========================" -grep "define NGTCP2_VERSION " node-v${version}/deps/ngtcp2/ngtcp2/lib/includes/ngtcp2/version.h +NGTCP2_VERSION=$(grep -oP '(?<=#define NGTCP2_VERSION ).*\"' node-v${version}/deps/ngtcp2/ngtcp2/lib/includes/ngtcp2/version.h |sed -e 's/^"//' -e 's/"$//') +echo $NGTCP2_VERSION echo echo "ICU" echo "=========================" -grep "url" node-v${version}/tools/icu/current_ver.dep +ICU_MAJOR=$(jq -r '.[0].url' node-v${version}/tools/icu/current_ver.dep | sed --expression='s/.*release-\([[:digit:]]\+\)-\([[:digit:]]\+\).*/\1/g') +ICU_MINOR=$(jq -r '.[0].url' node-v${version}/tools/icu/current_ver.dep | sed --expression='s/.*release-\([[:digit:]]\+\)-\([[:digit:]]\+\).*/\2/g') +echo "${ICU_MAJOR}.${ICU_MINOR}" +echo +echo "simdutf" +echo "=========================" +SIMDUTF_VERSION=$(grep -oP '(?<=#define SIMDUTF_VERSION ).*\"' node-v${version}/deps/simdutf/simdutf.h |sed -e 's/^"//' -e 's/"$//') +echo $SIMDUTF_VERSION +echo +echo "ada" +echo "=========================" +ADA_VERSION=$(grep -osP '(?<=#define ADA_VERSION ).*\"' node-v${version}/deps/ada/ada.h |sed -e 's/^"//' -e 's/"$//') +ADA_VERSION=${ADA_VERSION:-0} +echo "${ADA_VERSION}" echo echo "punycode" echo "=========================" -grep "'version'" node-v${version}/lib/punycode.js -echo -echo "uvwasi" -echo "=========================" -grep "define UVWASI_VERSION_MAJOR" node-v${version}/deps/uvwasi/include/uvwasi.h -grep "define UVWASI_VERSION_MINOR" node-v${version}/deps/uvwasi/include/uvwasi.h -grep "define UVWASI_VERSION_PATCH" node-v${version}/deps/uvwasi/include/uvwasi.h +PUNYCODE_VERSION=$(grep -oP "'version': '\K[^']+" ./node-v${version}/lib/punycode.js) +echo $PUNYCODE_VERSION echo echo "npm" echo "=========================" -grep "\"version\":" node-v${version}/deps/npm/package.json +NPM_VERSION=$(jq -r .version ./node-v${version}/deps/npm/package.json) +echo $NPM_VERSION +echo +echo "corepack" +echo "=========================" +COREPACK_VERSION=$(jq -r .version ./node-v${version}/deps/corepack/package.json) +echo $COREPACK_VERSION +echo +echo "uvwasi" +echo "=========================" +UVWASI_MAJOR=$(grep -oP '(?<=#define UVWASI_VERSION_MAJOR )\d+' node-v${version}/deps/uvwasi/include/uvwasi.h) +UVWASI_MINOR=$(grep -oP '(?<=#define UVWASI_VERSION_MINOR )\d+' node-v${version}/deps/uvwasi/include/uvwasi.h) +UVWASI_PATCH=$(grep -oP '(?<=#define UVWASI_VERSION_PATCH )\d+' node-v${version}/deps/uvwasi/include/uvwasi.h) +UVWASI_VERSION="${UVWASI_MAJOR}.${UVWASI_MINOR}.${UVWASI_PATCH}" +echo $UVWASI_VERSION +echo +echo "histogram_c" +echo "=========================" +HISTOGRAM_VERSION=$(grep -oP '(?<=#define HDR_HISTOGRAM_VERSION ).*\"' node-v${version}/deps/histogram/include/hdr/hdr_histogram_version.h|sed -e 's/^"//' -e 's/"$//') +echo $HISTOGRAM_VERSION echo echo "Make sure these versions match what is in the RPM spec file" diff --git a/SPECS/nodejs.spec b/SPECS/nodejs.spec index 09b3f33..c679774 100644 --- a/SPECS/nodejs.spec +++ b/SPECS/nodejs.spec @@ -42,7 +42,7 @@ %global nodejs_epoch 1 %global nodejs_major 18 %global nodejs_minor 20 -%global nodejs_patch 2 +%global nodejs_patch 4 %global nodejs_abi %{nodejs_major}.%{nodejs_minor} # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h %global nodejs_soversion 108 @@ -65,7 +65,8 @@ %global v8_release %{nodejs_epoch}.%{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}.%{nodejs_release} # c-ares - from deps/cares/include/ares_version.h -%global c_ares_version 1.27.0 +# https://github.com/nodejs/node/pull/9332 +%global c_ares_version 1.28.1 # llhttp - from deps/llhttp/include/llhttp.h %global llhttp_version 6.1.1 @@ -77,7 +78,7 @@ %global libuv_version %{libuv_major}.%{libuv_minor}.%{libuv_patch} # nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h -%global nghttp2_version 1.57.0 +%global nghttp2_version 1.61.0 # nghttp3 - from deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h %global nghttp3_major 0 @@ -86,9 +87,9 @@ %global nghttp3_version %{nghttp3_major}.%{nghttp3_minor}.%{nghttp3_patch} # ngtcp2 from deps/ngtcp2/ngtcp2/lib/includes/ngtcp2/version.h -%global ngtcp2_major 0 -%global ngtcp2_minor 8 -%global ngtcp2_patch 1 +%global ngtcp2_major 1 +%global ngtcp2_minor 3 +%global ngtcp2_patch 0 %global ngtcp2_version %{ngtcp2_major}.%{ngtcp2_minor}.%{ngtcp2_patch} # ICU - from tools/icu/current_ver.dep @@ -111,13 +112,13 @@ %endif # simduft from deps/simdutf/simdutf.h -%global simduft_major 4 -%global simduft_minor 0 -%global simduft_patch 8 +%global simduft_major 5 +%global simduft_minor 2 +%global simduft_patch 4 %global simduft_version %{simduft_major}.%{simduft_minor}.%{simduft_patch} # ada from deps/ada/ada.h -%global ada_version 2.7.6 +%global ada_version 2.7.8 # OpenSSL minimum version %global openssl_minimum 1:1.1.1 @@ -132,7 +133,7 @@ # npm - from deps/npm/package.json %global npm_epoch 1 -%global npm_version 10.5.0 +%global npm_version 10.7.0 # In order to avoid needing to keep incrementing the release version for the # main package forever, we will just construct one for npm that is guaranteed @@ -198,7 +199,6 @@ Source111: undici-5.28.4.tar.gz # Disable running gyp on bundled deps we don't use Patch1: 0001-Disable-running-gyp-on-shared-deps.patch Patch2: nodejs-fips-disable-options.patch -Patch3: CVE-2024-28182.patch BuildRequires: make BuildRequires: python3-devel @@ -463,7 +463,7 @@ make BUILDTYPE=Release %{?_smp_mflags} # Extract the ICU data and convert it to the appropriate endianness pushd deps/ -tar xzf %{SOURCE3} +tar xfz %{SOURCE3} pushd icu/source @@ -739,6 +739,10 @@ end %changelog +* Mon Aug 05 2024 Honza Horak - 1:18.20.4-1 +- Update to 18.20.4 + Fixes: CVE-2024-22020 CVE-2024-28863 + * Wed Apr 24 2024 Filip Janus - 1:18.20.2-1 - Removes .ps1 files - Rebase to 18.20.2 @@ -746,18 +750,13 @@ end * Wed Feb 21 2024 Lukas Javorsky - 1:18.19.1-1 - Rebase to version 18.19.1 -- Fix FIPS handling of the cmd-line options (RHBZ#2226726) -- Resolves: RHEL-26691 RHEL-26016 RHEL-26648 +- Fixes: CVE-2024-21892 CVE-2024-22019 (high) +- Fixes: CVE-2023-46809 (medium) * Fri Jan 19 2024 Lukas Javorsky - 1:18.19.0-1 - Rebase to version 18.19.0 - Resolves: RHEL-21439 -* Sat Oct 14 2023 Zuzana Svetlikova - 1:18.18.2-1 -- Rebase to 18.18.2 (Security release) -- Switch icu from zip to tgz -- Fixes #2228925, CVE-2023-45143, CVE-2023-44487, CVE-2023-38552, CVE-2023-39333 - * Wed Aug 23 2023 Jan Staněk - 1:18.17.1-1 - Rebase to version 18.17.1 Resolves: rhbz#2228939