From fd717eb4cc4fc932f93280bd7a3819b2c219abfe Mon Sep 17 00:00:00 2001 
From: Stephen Gallagher
Date: Wed, 9 Aug 2023 16:13:26 -0400
Subject: [PATCH] Update to 20.5.1

** 2023-08-09, Version 20.5.1 (Current), @RafaelGSS

This is a security release.

*** Notable Changes

The following CVEs are fixed in this release:

* [CVE-2023-32002](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32002): Policies can be bypassed via Module.\_load (High)
* [CVE-2023-32558](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32558): process.binding() can bypass the permission model through path traversal (High)
* [CVE-2023-32004](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32004): Permission model can be bypassed by specifying a path traversal sequence in a Buffer (High)
* [CVE-2023-32006](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32006): Policies can be bypassed by module.constructor.createRequire (Medium)
* [CVE-2023-32559](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32559): Policies can be bypassed via process.binding (Medium)
* [CVE-2023-32005](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32005): fs.statfs can bypass the permission model (Low)
* [CVE-2023-32003](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32003): fs.mkdtemp() and fs.mkdtempSync() can bypass the permission model (Low)
* OpenSSL Security Releases
  * [OpenSSL security advisory 14th July](https://mta.openssl.org/pipermail/openssl-announce/2023-July/000264.html).
  * [OpenSSL security advisory 19th July](https://mta.openssl.org/pipermail/openssl-announce/2023-July/000265.html).
  * [OpenSSL security advisory 31st July](https://mta.openssl.org/pipermail/openssl-announce/2023-July/000267.html)

More detailed information on each of the vulnerabilities can be found in [August 2023 Security Releases](https://nodejs.org/en/blog/vulnerability/august-2023-security-releases/) blog post.
** 2023-07-18, Version 20.5.0 (Current), @juanarbol *** Notable Changes * \[[`45be29d89f`](https://github.com/nodejs/node/commit/45be29d89f)] - **doc**: add atlowChemi to collaborators (atlowChemi) [#48757](https://github.com/nodejs/node/pull/48757) * \[[`a316808136`](https://github.com/nodejs/node/commit/a316808136)] - **(SEMVER-MINOR)** **events**: allow safely adding listener to abortSignal (Chemi Atlow) [#48596](https://github.com/nodejs/node/pull/48596) * \[[`986b46a567`](https://github.com/nodejs/node/commit/986b46a567)] - **fs**: add a fast-path for readFileSync utf-8 (Yagiz Nizipli) [#48658](https://github.com/nodejs/node/pull/48658) * \[[`0ef73ff6f0`](https://github.com/nodejs/node/commit/0ef73ff6f0)] - **(SEMVER-MINOR)** **test\_runner**: add shards support (Raz Luvaton) [#48639](https://github.com/nodejs/node/pull/48639) Signed-off-by: Stephen Gallagher --- nodejs20.spec | 8 ++++---- sources | 6 +++--- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/nodejs20.spec b/nodejs20.spec index 608f2df..1c3e8bd 100644 --- a/nodejs20.spec +++ b/nodejs20.spec @@ -26,8 +26,8 @@ # than a Fedora release lifecycle. %global nodejs_epoch 1 %global nodejs_major 20 -%global nodejs_minor 4 -%global nodejs_patch 0 +%global nodejs_minor 5 +%global nodejs_patch 1 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h %global nodejs_soversion 115 %global nodejs_abi %{nodejs_soversion} @@ -74,7 +74,7 @@ %global libuv_version 1.46.0 # nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h -%global nghttp2_version 1.53.0 +%global nghttp2_version 1.55.1 # ICU - from tools/icu/current_ver.dep %global icu_major 73 @@ -97,7 +97,7 @@ # npm - from deps/npm/package.json %global npm_epoch 1 -%global npm_version 9.7.2 +%global npm_version 9.8.0 # In order to avoid needing to keep incrementing the release version for the # main package forever, we will just construct one for npm that is guaranteed diff --git a/sources b/sources index 2752e8c..10a3829 100644 
--- a/sources +++ b/sources @@ -1,7 +1,7 @@ -SHA512 (node-v20.4.0-stripped.tar.gz) = 8d433dc42da92acc5a34f5bb2ac0de55087679f2f3b1010ebee768fb5eefef5b5e072e3b8d91f37d141116bf69e64567a44fe3d95989f32621015adcfa68233b +SHA512 (node-v20.5.1-stripped.tar.gz) = b32d85d88ca37b5db2f7d82165ea92c8998a7a5a8db45a15d05e75a01f9da8e9747bea4ff1ec053f86fd9d6979e79ac584f4ffb4dfc59df058a35c0cf778fe18 SHA512 (icu4c-73_2-data-bin-b.zip) = 8512947da7b2a927627abed6bd7e04218cd4fcd02d44eb72a82ffa87aedabfc3be5d3152e9fba33a769ef35e2db55764c2ab8f5bd65b4e89aa9c15b33392e078 SHA512 (icu4c-73_2-data-bin-l.zip) = 420c2f5090927dab13f5449da3b0ec7bf86a91ea8723f177aca2907a8eea9bcb4c3475b66c54355ae320001813db57a00afdab00bd85b8c36d39adedcab80bfc -SHA512 (cjs-module-lexer-1.2.2-stripped.tar.gz) = acd020f4a8f3b0a88d0ddc326d1ec7ec09dc81d7739d2a6776da2049029a7317e61a925db4635e6ea1ae197ab18fcec068d98a1225e4a6a5189ef70937c99932 +SHA512 (cjs-module-lexer-1.2.2-stripped.tar.gz) = 0e1cf8cd4960036b8ccf9bcbd87c837e3686515be00bb06e7980ff6c5384a5287182df31303754a22d8af040ee635e9c0e7ed7a86fde4e4d538621a253b7a612 SHA512 (wasi-sdk-11.0-linux.tar.gz) = e3ed4597f7f2290967eef6238e9046f60abbcb8633a4a2a51525d00e7393df8df637a98a5b668217d332dd44fcbf2442ec7efd5e65724e888d90611164451e20 -SHA512 (undici-5.22.1-stripped.tar.gz) = 38a103692de0d642031825b8d975946aa4f2c01cf7a2de085f22fa993457d73d695ea528cf2b6d7544246dc702a514e2f0d5740b0a2d1dbe03b165297436bd79 +SHA512 (undici-5.22.1-stripped.tar.gz) = 8806f0425ddc0eb0e66f85bf2c7cbe7d555ef7740e28ec4eb90e3fa88f507287a7c4bc956b504dad4da8065d3d2ae4b9a0a1e700f57a57e389e2621d1af0dfe9 SHA512 (wasi-sdk-20.0-linux.tar.gz) = ff3d368267526887534f50767ff010bd368e9c24178ab2f0cf57a8ed0b3a82fbf85986d620ab2327ac6bb3f456c65adc6edb80626a1289e630dde7e43b191b42
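Review bot: In the first nodejs20.spec hunk (@@ -26,8 +26,8 @@), the nodejs_minor/nodejs_patch bump from 4/0 to 5/1 arrives with no Release or %changelog change anywhere in the patch; the diffstat shows only four lines replaced in the spec, all of them version macros. If the spec does not derive the release and changelog automatically from the commit history, add a changelog entry that names the fixed CVEs and confirm the release value is what you intend for a new upstream version, so the security update is visible to anyone auditing the installed package.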
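Review bot: In the two bundled-dependency hunks (@@ -74,7 +74,7 @@ and @@ -97,7 +97,7 @@), nghttp2_version moves from 1.53.0 to 1.55.1 and npm_version from 9.7.2 to 9.8.0, but the commit message reproduces only the Node.js changelog and never mentions either bump. These macros are hand-copied from the files named in the comments above them (nghttp2ver.h and deps/npm/package.json), so please state in the commit message that both were re-read from the 20.5.1 tree, and if the spec has no build-time comparison of these macros against the unpacked sources, consider adding one so a stale value fails the build instead of mislabelling the bundled versions.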
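Review bot: In the sources hunk, the SHA512 lines for cjs-module-lexer-1.2.2-stripped.tar.gz and undici-5.22.1-stripped.tar.gz change while their file names and versions stay the same, so two different archives now exist under one name and nothing in the commit message says why. Please say whether these were regenerated by the stripping step and whether that step is expected to be reproducible, or give the regenerated archives a distinguishing name, so a reviewer can tell an expected re-pack from a substituted artifact. The node-v20.5.1-stripped.tar.gz line is the only checksum change that the version bump itself explains.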