From 95a3bb336154fe26070b3eaf1decc2a34aa305ba Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Thu, 15 Aug 2019 11:18:11 -0400 Subject: [PATCH] Update to 12.8.1 Resolves: CVE-2019-9511 "Data Dribble" Resolves: CVE-2019-9512 "Ping Flood" Resolves: CVE-2019-9513 "Resource Loop" Resolves: CVE-2019-9514 "Reset Flood" Resolves: CVE-2019-9515 "Settings Flood" Resolves: CVE-2019-9516 "0-Length Headers Leak" Resolves: CVE-2019-9517 "Internal Data Buffering" Resolves: CVE-2019-9518 "Empty Frames Flood" https://github.com/nodejs/node/blob/v12.8.1/doc/changelogs/CHANGELOG_V12.md#12.8.1 Signed-off-by: Stephen Gallagher --- 0001-Disable-running-gyp-on-shared-deps.patch | 22 +++++++----- ...ess-NPM-message-to-run-global-update.patch | 4 +-- ...Install-both-binaries-and-use-libdir.patch | 8 ++--- ...uild-include-stubs-in-shared-library.patch | 35 ------------------- nodejs.spec | 25 ++++++++----- package.cfg | 2 +- sources | 2 +- 7 files changed, 38 insertions(+), 60 deletions(-) delete mode 100644 0004-build-include-stubs-in-shared-library.patch diff --git a/0001-Disable-running-gyp-on-shared-deps.patch b/0001-Disable-running-gyp-on-shared-deps.patch index 699d46e..d4c1f1e 100644 --- a/0001-Disable-running-gyp-on-shared-deps.patch +++ b/0001-Disable-running-gyp-on-shared-deps.patch @@ -1,29 +1,33 @@ -From 03ff54a26a47fce13a83094dcfba7840852bf30c Mon Sep 17 00:00:00 2001 +From d8cdfcd680cbd728904c19b2eea7730c61b16c73 Mon Sep 17 00:00:00 2001 From: Zuzana Svetlikova Date: Thu, 27 Apr 2017 14:25:42 +0200 -Subject: [PATCH 1/4] Disable running gyp on shared deps +Subject: [PATCH 1/3] Disable running gyp on shared deps --- - Makefile | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) + Makefile | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/Makefile b/Makefile -index d7427e578f882034895fc44529d3711c621c06b9..a12edd09252202e98aecaca76cb8457ac98d2ad7 100644 +index 1e4915a6d2ebedc8af009d8505b5b8d11a53f5f7..cae1c3c1da9a440d84a6f86fa6353e81db535c71 100644 --- a/Makefile +++ b/Makefile -@@ -139,11 +139,11 @@ with-code-cache: +@@ -139,13 +139,13 @@ with-code-cache: .PHONY: test-code-cache test-code-cache: with-code-cache echo "'test-code-cache' target is a noop" out/Makefile: config.gypi common.gypi node.gyp \ -- deps/uv/uv.gyp deps/http_parser/http_parser.gyp deps/zlib/zlib.gyp \ +- deps/uv/uv.gyp deps/http_parser/http_parser.gyp deps/zlib/zlib.gyp \ +- tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \ +- tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp + deps/http_parser/http_parser.gyp \ - tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \ - tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp ++ tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \ ++ tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp $(PYTHON) tools/gyp_node.py -f make config.gypi: configure configure.py + @if [ -x config.status ]; then \ + ./config.status; \ -- 2.21.0 diff --git a/0002-Suppress-NPM-message-to-run-global-update.patch b/0002-Suppress-NPM-message-to-run-global-update.patch index 7cb8e8e..3c88d35 100644 --- a/0002-Suppress-NPM-message-to-run-global-update.patch +++ b/0002-Suppress-NPM-message-to-run-global-update.patch @@ -1,7 +1,7 @@ -From 18ea2d546f5a384d51aad0e7bd39f5b1daaf6471 Mon Sep 17 00:00:00 2001 +From ef6374e4ed159b719f465ecdb2e273019f134fb0 Mon Sep 17 00:00:00 2001 From: Stephen Gallagher Date: Tue, 1 May 2018 08:05:30 -0400 -Subject: [PATCH 2/4] Suppress NPM message to run global update +Subject: [PATCH 2/3] Suppress NPM message to run global update Signed-off-by: Stephen Gallagher --- diff --git a/0003-Install-both-binaries-and-use-libdir.patch b/0003-Install-both-binaries-and-use-libdir.patch index 85aa7e3..4112e65 100644 
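Review bot: The refreshed 0001 patch now removes and re-adds the two `tools/v8_gypfiles/...` continuation lines of the `out/Makefile:` rule, although their text is identical as rendered here. The difference is therefore presumably whitespace only (tabs versus spaces), and it is why the inner diffstat grew from 1/1 to 3/3. Regenerating the patch so that only the `deps/uv/uv.gyp deps/http_parser/http_parser.gyp deps/zlib/zlib.gyp \` line changes would keep the downstream delta against the upstream tarball minimal. A minimal delta is easier to audit in a security update and less likely to fail to apply on the next rebase. The Makefile rule itself continues outside the inner hunk.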
--- a/0003-Install-both-binaries-and-use-libdir.patch +++ b/0003-Install-both-binaries-and-use-libdir.patch @@ -1,7 +1,7 @@ -From 5cb76403cf796f548ff4a7ed62d6545acb5febe3 Mon Sep 17 00:00:00 2001 +From bc1d8e49a42cb88d86b2accba6ee1776baba4ca5 Mon Sep 17 00:00:00 2001 From: Elliott Sales de Andrade Date: Tue, 19 Mar 2019 23:22:40 -0400 -Subject: [PATCH 3/4] Install both binaries and use libdir. +Subject: [PATCH 3/3] Install both binaries and use libdir. This allows us to build with a shared library for other users while still providing the normal executable. @@ -13,7 +13,7 @@ Signed-off-by: Elliott Sales de Andrade 2 files changed, 20 insertions(+), 16 deletions(-) diff --git a/configure.py b/configure.py -index a791efebbca128a2138f61713eb2f5d23b8ced98..32eeee090b5248f5236e75f3201177ec446eb41d 100755 +index cc805d3fd165fd2abe4c8581ffdb8829341ad2ba..64f50439bc09827f99786c3b0d574ba454954ca9 100755 --- a/configure.py +++ b/configure.py @@ -550,10 +550,16 @@ parser.add_option('--shared', @@ -33,7 +33,7 @@ index a791efebbca128a2138f61713eb2f5d23b8ced98..32eeee090b5248f5236e75f3201177ec dest='without_v8_platform', default=False, help='do not initialize v8 platform during node.js startup. ' + -@@ -1096,10 +1102,11 @@ def configure_node(o): +@@ -1094,10 +1100,11 @@ def configure_node(o): o['variables']['node_no_browser_globals'] = b(options.no_browser_globals) # TODO(refack): fix this when implementing embedded code-cache when cross-compiling. if o['variables']['want_separate_host_toolset'] == 0: diff --git a/0004-build-include-stubs-in-shared-library.patch b/0004-build-include-stubs-in-shared-library.patch deleted file mode 100644 index 571834c..0000000 --- a/0004-build-include-stubs-in-shared-library.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From 6d3a39df826c88e4ab12b937bef06c5905c08ab7 Mon Sep 17 00:00:00 2001 -From: Jeroen Ooms -Date: Mon, 29 Jul 2019 20:15:14 +0200 -Subject: [PATCH 4/4] build: include stubs in shared library - -This is needed for external applications that link to shared libnode. -Fixes #27431 ---- - node.gyp | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/node.gyp b/node.gyp -index 55b7da02ccaf1835b5fd986aaa320d72f8b7fbf2..4eae262a61e77bb8a9556e42a241b83eda3f0eba 100644 ---- a/node.gyp -+++ b/node.gyp -@@ -684,10 +684,16 @@ - # - "C4244: conversion from 'type1' to 'type2', possible loss of data" - # Ususaly safe. Disable for `dep`, enable for `src` - 'msvs_disabled_warnings!': [4244], - - 'conditions': [ -+ [ 'node_shared=="true"', { -+ 'sources': [ -+ 'src/node_snapshot_stub.cc', -+ 'src/node_code_cache_stub.cc', -+ ] -+ }], - [ 'node_shared=="true" and node_module_version!="" and OS!="win"', { - 'product_extension': '<(shlib_suffix)', - 'xcode_settings': { - 'LD_DYLIB_INSTALL_NAME': - '@rpath/lib<(node_core_target_name).<(shlib_suffix)' --- -2.21.0 - diff --git a/nodejs.spec b/nodejs.spec index e3f5bb9..029c423 100644 --- a/nodejs.spec +++ b/nodejs.spec @@ -8,7 +8,7 @@ # This is used by both the nodejs package and the npm subpackage thar # has a separate version - the name is special so that rpmdev-bumpspec # will bump this rather than adding .1 to the end. -%global baserelease 3 +%global baserelease 1 %{?!_pkgdocdir:%global _pkgdocdir %{_docdir}/%{name}-%{version}} @@ -19,8 +19,8 @@ # than a Fedora release lifecycle. %global nodejs_epoch 1 %global nodejs_major 12 -%global nodejs_minor 7 -%global nodejs_patch 0 +%global nodejs_minor 8 +%global nodejs_patch 1 %global nodejs_abi %{nodejs_major}.%{nodejs_minor} # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h %global nodejs_soversion 72 
@@ -68,7 +68,7 @@ # nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h %global nghttp2_major 1 %global nghttp2_minor 39 -%global nghttp2_patch 1 +%global nghttp2_patch 2 %global nghttp2_version %{nghttp2_major}.%{nghttp2_minor}.%{nghttp2_patch} # ICU - from tools/icu/current_ver.dep @@ -102,7 +102,7 @@ %global npm_epoch 1 %global npm_major 6 %global npm_minor 10 -%global npm_patch 0 +%global npm_patch 2 %global npm_version %{npm_major}.%{npm_minor}.%{npm_patch} # In order to avoid needing to keep incrementing the release version for the @@ -144,9 +144,6 @@ Patch2: 0002-Suppress-NPM-message-to-run-global-update.patch # Patch to install both node and libnode.so, using the correct libdir Patch3: 0003-Install-both-binaries-and-use-libdir.patch -# Upstream patch to include stubs in libnode. Drop in 12.8.0 -Patch4: 0004-build-include-stubs-in-shared-library.patch - BuildRequires: python2-devel BuildRequires: python3-devel BuildRequires: zlib-devel @@ -622,6 +619,18 @@ end %{_pkgdocdir}/npm/doc %changelog +* Thu Aug 15 2019 Stephen Gallagher - 1:12.8.2-1 +- Update to 12.8.1 +- Resolves: CVE-2019-9511 "Data Dribble" +- Resolves: CVE-2019-9512 "Ping Flood" +- Resolves: CVE-2019-9513 "Resource Loop" +- Resolves: CVE-2019-9514 "Reset Flood" +- Resolves: CVE-2019-9515 "Settings Flood" +- Resolves: CVE-2019-9516 "0-Length Headers Leak" +- Resolves: CVE-2019-9517 "Internal Data Buffering" +- Resolves: CVE-2019-9518 "Empty Frames Flood" +- https://github.com/nodejs/node/blob/v12.8.1/doc/changelogs/CHANGELOG_V12.md#12.8.1 + * Mon Aug 05 2019 Stephen Gallagher - 1:12.7.0-3 - Fix epoch dependencies - Carry data files for ICU diff --git a/package.cfg b/package.cfg index 77d2a9c..2255bcd 100644 --- a/package.cfg +++ b/package.cfg @@ -1,2 +1,2 @@ [koji] -targets = master f30 f29 +targets = master f31 diff --git a/sources b/sources index ad425a8..4359bda 100644 --- a/sources +++ b/sources 
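Review bot: The new %changelog header in the `@@ -622,6 +619,18 @@` hunk carries the version `1:12.8.2-1`, but this commit sets `nodejs_minor 8`, `nodejs_patch 1` and `baserelease 1`, and the entry's own first bullet says "Update to 12.8.1". The header should read `1:12.8.1-1`. This entry is where the eight CVE "Resolves:" lines are recorded, so a version that matches no build makes it harder to tie the fixes to an installed package. rpmlint also reports this mismatch as `incoherent-version-in-changelog`.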
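Review bot: The package.cfg change to `targets = master f31` drops f30 and f29 from the koji targets in the same commit that carries the CVE fixes, and the commit message does not mention it. Whether those releases still build 12.x from this branch is not visible here; if they do, they would stop receiving this update. Either note the reason in the commit message or move the target change into its own commit, so the security update stays a reviewable version bump.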
@@ -1 +1 @@
-SHA512 (node-v12.7.0-stripped.tar.gz) = 267c9a8883b5264d2679dc9306b00533e8cc072e7b59d8b6c9440a6daab0e89fde78f625796f8349210a9b0aafd69ba1f596de32615ae674b8d04f8e185ca311
+SHA512 (node-v12.8.1-stripped.tar.gz) = b7c007e7a0c92303893a389d345f1040d43a0c8eb1ed46f250476ddfae368dbf5a708a81a6bf9f30411684aeabb436371451ebab9decaf2b8e192ea8a342784f