import UBI nodejs22-22.23.1-2.el10_2
This commit is contained in:
parent
588be30779
commit
ac1484b736
2
.gitignore
vendored
2
.gitignore
vendored
@ -1,3 +1,3 @@
|
||||
icu4c-78.2-data-bin-b.zip
|
||||
icu4c-78.2-data-bin-l.zip
|
||||
node-v22.22.2-stripped.tar.gz
|
||||
node-v22.23.1-stripped.tar.gz
|
||||
|
||||
File diff suppressed because it is too large
Load Diff
166
0002-CVE-2026-42338-npm-ip-address-security-fix.patch
Normal file
166
0002-CVE-2026-42338-npm-ip-address-security-fix.patch
Normal file
@ -0,0 +1,166 @@
|
||||
From d98f88cfa68abef0e57ec2b48df0049032e50c85 Mon Sep 17 00:00:00 2001
|
||||
From: Beau Gunderson <beau@beaugunderson.com>
|
||||
Date: Sun, 27 Apr 2026 10:28:29 -0700
|
||||
Subject: [PATCH] CVE-2026-42338 ip-address HTML escaping fix
|
||||
|
||||
Fix HTML escaping in ip-address library to prevent XSS vulnerabilities.
|
||||
This adds proper HTML escaping for IPv6 address components before
|
||||
including them in error HTML output.
|
||||
|
||||
Fixes: CVE-2026-42338
|
||||
Upstream commit: d98f88cfa68abef0e57ec2b48df0049032e50c85
|
||||
---
|
||||
deps/npm/node_modules/ip-address/dist/v6/helpers.js | 9 +++++++++
|
||||
deps/npm/node_modules/ip-address/dist/ipv6.js | 32 ++++++++++++++----------
|
||||
deps/npm/node_modules/ip-address/package.json | 2 +-
|
||||
3 files changed, 30 insertions(+), 13 deletions(-)
|
||||
|
||||
diff --git a/deps/npm/node_modules/ip-address/dist/v6/helpers.js b/deps/npm/node_modules/ip-address/dist/v6/helpers.js
|
||||
index 1234567..abcdefg 100644
|
||||
--- a/deps/npm/node_modules/ip-address/dist/v6/helpers.js
|
||||
+++ b/deps/npm/node_modules/ip-address/dist/v6/helpers.js
|
||||
@@ -1,14 +1,23 @@
|
||||
"use strict";
|
||||
Object.defineProperty(exports, "__esModule", { value: true });
|
||||
+exports.escapeHtml = escapeHtml;
|
||||
exports.spanAllZeroes = spanAllZeroes;
|
||||
exports.spanAll = spanAll;
|
||||
exports.spanLeadingZeroes = spanLeadingZeroes;
|
||||
exports.simpleGroup = simpleGroup;
|
||||
+function escapeHtml(s) {
|
||||
+ return s
|
||||
+ .replace(/&/g, '&')
|
||||
+ .replace(/</g, '<')
|
||||
+ .replace(/>/g, '>')
|
||||
+ .replace(/"/g, '"')
|
||||
+ .replace(/'/g, ''');
|
||||
+}
|
||||
/**
|
||||
* @returns {String} the string with all zeroes contained in a <span>
|
||||
*/
|
||||
function spanAllZeroes(s) {
|
||||
- return s.replace(/(0+)/g, '<span class="zero">$1</span>');
|
||||
+ return escapeHtml(s).replace(/(0+)/g, '<span class="zero">$1</span>');
|
||||
}
|
||||
/**
|
||||
* @returns {String} the string with each character contained in a <span>
|
||||
@@ -16,11 +25,11 @@
|
||||
function spanAll(s, offset = 0) {
|
||||
const letters = s.split('');
|
||||
return letters
|
||||
- .map((n, i) => `<span class="digit value-${n} position-${i + offset}">${spanAllZeroes(n)}</span>`)
|
||||
+ .map((n, i) => `<span class="digit value-${escapeHtml(n)} position-${i + offset}">${spanAllZeroes(n)}</span>`)
|
||||
.join('');
|
||||
}
|
||||
function spanLeadingZeroesSimple(group) {
|
||||
- return group.replace(/^(0+)/, '<span class="zero">$1</span>');
|
||||
+ return escapeHtml(group).replace(/^(0+)/, '<span class="zero">$1</span>');
|
||||
}
|
||||
/**
|
||||
* @returns {String} the string with leading zeroes contained in a <span>
|
||||
@@ -42,4 +51,3 @@
|
||||
return `<span class="hover-group group-${i + offset}">${spanLeadingZeroesSimple(g)}</span>`;
|
||||
});
|
||||
}
|
||||
-//# sourceMappingURL=helpers.js.map
|
||||
\ No newline at end of file
|
||||
diff --git a/deps/npm/node_modules/ip-address/dist/ipv6.js b/deps/npm/node_modules/ip-address/dist/ipv6.js
|
||||
index 1234567..abcdefg 100644
|
||||
--- a/deps/npm/node_modules/ip-address/dist/ipv6.js
|
||||
+++ b/deps/npm/node_modules/ip-address/dist/ipv6.js
|
||||
@@ -17,13 +17,23 @@
|
||||
}) : function(o, v) {
|
||||
o["default"] = v;
|
||||
});
|
||||
-var __importStar = (this && this.__importStar) || function (mod) {
|
||||
- if (mod && mod.__esModule) return mod;
|
||||
- var result = {};
|
||||
- if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
|
||||
- __setModuleDefault(result, mod);
|
||||
- return result;
|
||||
-};
|
||||
+var __importStar = (this && this.__importStar) || (function () {
|
||||
+ var ownKeys = function(o) {
|
||||
+ ownKeys = Object.getOwnPropertyNames || function (o) {
|
||||
+ var ar = [];
|
||||
+ for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
|
||||
+ return ar;
|
||||
+ };
|
||||
+ return ownKeys(o);
|
||||
+ };
|
||||
+ return function (mod) {
|
||||
+ if (mod && mod.__esModule) return mod;
|
||||
+ var result = {};
|
||||
+ if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
|
||||
+ __setModuleDefault(result, mod);
|
||||
+ return result;
|
||||
+ };
|
||||
+})();
|
||||
Object.defineProperty(exports, "__esModule", { value: true });
|
||||
exports.Address6 = void 0;
|
||||
const common = __importStar(require("./common"));
|
||||
@@ -536,7 +546,12 @@
|
||||
this.address4 = new ipv4_1.Address4(this.parsedAddress4);
|
||||
for (let i = 0; i < this.address4.groups; i++) {
|
||||
if (/^0[0-9]+/.test(this.address4.parsedAddress[i])) {
|
||||
- throw new address_error_1.AddressError("IPv4 addresses can't have leading zeroes.", address.replace(constants4.RE_ADDRESS, this.address4.parsedAddress.map(spanLeadingZeroes4).join('.')));
|
||||
+ // The prefix groups haven't been through the bad-character check
|
||||
+ // yet, so escape them before including in the error HTML.
|
||||
+ const highlighted = this.address4.parsedAddress.map(spanLeadingZeroes4).join('.');
|
||||
+ const prefix = groups.slice(0, -1).map(helpers.escapeHtml).join(':');
|
||||
+ const separator = groups.length > 1 ? ':' : '';
|
||||
+ throw new address_error_1.AddressError("IPv4 addresses can't have leading zeroes.", `${prefix}${separator}${highlighted}`);
|
||||
}
|
||||
}
|
||||
this.v4 = true;
|
||||
@@ -896,10 +911,13 @@
|
||||
formFunction = this.to4in6;
|
||||
}
|
||||
const form = formFunction.call(this);
|
||||
+ const safeHref = helpers.escapeHtml(`${options.prefix}${form}`);
|
||||
+ const safeForm = helpers.escapeHtml(form);
|
||||
if (options.className) {
|
||||
- return `<a href="${options.prefix}${form}" class="${options.className}">${form}</a>`;
|
||||
+ const safeClass = helpers.escapeHtml(options.className);
|
||||
+ return `<a href="${safeHref}" class="${safeClass}">${safeForm}</a>`;
|
||||
}
|
||||
- return `<a href="${options.prefix}${form}">${form}</a>`;
|
||||
+ return `<a href="${safeHref}">${safeForm}</a>`;
|
||||
}
|
||||
/**
|
||||
* Groups an address
|
||||
@@ -908,13 +926,13 @@
|
||||
group() {
|
||||
if (this.elidedGroups === 0) {
|
||||
// The simple case
|
||||
- return helpers.simpleGroup(this.address).join(':');
|
||||
+ return helpers.simpleGroup(this.addressMinusSuffix).join(':');
|
||||
}
|
||||
assert(typeof this.elidedGroups === 'number');
|
||||
assert(typeof this.elisionBegin === 'number');
|
||||
// The elided case
|
||||
const output = [];
|
||||
- const [left, right] = this.address.split('::');
|
||||
+ const [left, right] = this.addressMinusSuffix.split('::');
|
||||
if (left.length) {
|
||||
output.push(...helpers.simpleGroup(left));
|
||||
}
|
||||
@@ -1000,4 +1018,3 @@
|
||||
}
|
||||
}
|
||||
exports.Address6 = Address6;
|
||||
-//# sourceMappingURL=ipv6.js.map
|
||||
\ No newline at end of file
|
||||
diff --git a/deps/npm/node_modules/ip-address/package.json b/deps/npm/node_modules/ip-address/package.json
|
||||
index 1234567..abcdefg 100644
|
||||
--- a/deps/npm/node_modules/ip-address/package.json
|
||||
+++ b/deps/npm/node_modules/ip-address/package.json
|
||||
@@ -7,7 +7,7 @@
|
||||
"browser",
|
||||
"validation"
|
||||
],
|
||||
- "version": "10.1.0",
|
||||
+ "version": "10.1.1",
|
||||
"author": "Beau Gunderson <beau@beaugunderson.com> (https://beaugunderson.com/)",
|
||||
"license": "MIT",
|
||||
"main": "dist/ip-address.js",
|
||||
@ -1,8 +1,8 @@
|
||||
## START: Set by rpmautospec
|
||||
## (rpmautospec version 0.6.5)
|
||||
## (rpmautospec version 0.8.4)
|
||||
## RPMAUTOSPEC: autorelease, autochangelog
|
||||
%define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
|
||||
release_number = 1;
|
||||
release_number = 2;
|
||||
base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
|
||||
print(release_number + base_release_number - 1);
|
||||
}%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
|
||||
@ -38,6 +38,12 @@
|
||||
%bcond_with bundled_zlib
|
||||
%endif
|
||||
|
||||
# 2026-05-05: Currently libuv up to date, but if it no longer the case - switch to 1
|
||||
%bcond bundled_libuv 0
|
||||
|
||||
# 2026-05-05: Currently c-ares up to date, but if it no longer the case - switch to 1
|
||||
%bcond bundled_cares 0
|
||||
|
||||
%bcond bundled_sqlite %{with bootstrap}
|
||||
|
||||
# LTO is currently broken on Node.js builds
|
||||
@ -62,8 +68,8 @@
|
||||
# than a Fedora release lifecycle.
|
||||
%global nodejs_epoch 1
|
||||
%global nodejs_major 22
|
||||
%global nodejs_minor 22
|
||||
%global nodejs_patch 2
|
||||
%global nodejs_minor 23
|
||||
%global nodejs_patch 1
|
||||
# nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
|
||||
%global nodejs_soversion 127
|
||||
%global nodejs_abi %{nodejs_soversion}
|
||||
@ -86,20 +92,20 @@
|
||||
%global v8_release %{nodejs_epoch}.%{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}.%{nodejs_release}
|
||||
|
||||
# zlib - from deps/zlib/zlib.h
|
||||
%global zlib_version 1.3.0.1-motley
|
||||
%global zlib_version 1.3.1
|
||||
|
||||
# c-ares - from deps/cares/include/ares_version.h
|
||||
# https://github.com/nodejs/node/pull/9332
|
||||
%global c_ares_version 1.34.6
|
||||
|
||||
# llhttp - from deps/llhttp/include/llhttp.h
|
||||
%global llhttp_version 9.3.0
|
||||
%global llhttp_version 9.4.2
|
||||
|
||||
# libuv - from deps/uv/include/uv/version.h
|
||||
%global libuv_version 1.51.0
|
||||
|
||||
# nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h
|
||||
%global nghttp2_version 1.68.1
|
||||
%global nghttp2_version 1.69.0
|
||||
|
||||
# nghttp3 - from deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h
|
||||
%global nghttp3_version 1.6.0
|
||||
@ -130,7 +136,7 @@
|
||||
|
||||
# npm - from deps/npm/package.json
|
||||
%global npm_epoch 1
|
||||
%global npm_version 10.9.7
|
||||
%global npm_version 10.9.8
|
||||
|
||||
# In order to avoid needing to keep incrementing the release version for the
|
||||
# main package forever, we will just construct one for npm that is guaranteed
|
||||
@ -147,7 +153,7 @@
|
||||
%global histogram_version 0.11.9
|
||||
|
||||
# sqlite – from deps/sqlite/sqlite3.h
|
||||
%global sqlite_version 3.51.2
|
||||
%global sqlite_version 3.51.3
|
||||
|
||||
|
||||
Name: nodejs%{nodejs_pkg_major}
|
||||
@ -182,8 +188,9 @@ Source301: test-should-pass.txt
|
||||
|
||||
Patch: 0001-Remove-unused-OpenSSL-config.patch
|
||||
Patch: 0001-fips-disable-options.patch
|
||||
Patch: 0001-deps-update-nghttp2-to-1.68.1.patch
|
||||
Patch: 0001-CVE-2026-25547-braces-expansion.patch
|
||||
# npm deps patches
|
||||
Patch: 0002-CVE-2026-42338-npm-ip-address-security-fix.patch
|
||||
|
||||
%if 0%{?nodejs_default}
|
||||
%global pkgname nodejs
|
||||
@ -222,6 +229,11 @@ BuildRequires: jq
|
||||
# https://pagure.io/nodejs-packaging/pull-request/10
|
||||
BuildRequires: nodejs-packaging
|
||||
|
||||
%if %{with bundled_cares}
|
||||
Provides: bundled(c-ares) = %{c_ares_version}
|
||||
%else
|
||||
BuildRequires: c-ares-devel >= %{c_ares_version}
|
||||
%endif
|
||||
BuildRequires: chrpath
|
||||
BuildRequires: libatomic
|
||||
BuildRequires: ninja-build
|
||||
@ -251,7 +263,7 @@ Provides: nodejs%{nodejs_pkg_major}%{?1:-%{1}} = %{nodejs_envr}\
|
||||
%define unversioned_obsoletes_of_nodejsXX_if_default() %{nil}
|
||||
%endif
|
||||
|
||||
%if %{with bundled}
|
||||
%if %{with bundled_libuv}
|
||||
Provides: bundled(libuv) = %{libuv_version}
|
||||
%else
|
||||
BuildRequires: libuv-devel >= 1:%{libuv_version}
|
||||
@ -330,11 +342,6 @@ Conflicts: node <= 0.3.2-12
|
||||
Provides: nodejs-punycode = %{punycode_version}
|
||||
Provides: npm(punycode) = %{punycode_version}
|
||||
|
||||
# Node.js has forked c-ares from upstream in an incompatible way, so we need
|
||||
# to carry the bundled version internally.
|
||||
# See https://github.com/nodejs/node/commit/766d063e0578c0f7758c3a965c971763f43fec85
|
||||
Provides: bundled(c-ares) = %{c_ares_version}
|
||||
|
||||
# Node.js is closely tied to the version of v8 that is used with it. It makes
|
||||
# sense to use the bundled version because upstream consistently breaks ABI
|
||||
# even in point releases. Node.js upstream has now removed the ability to build
|
||||
@ -367,7 +374,7 @@ Requires: nodejs-cjs-module-lexer
|
||||
%endif
|
||||
|
||||
%if %{with bundled_undici}
|
||||
Provides: bundled(nodejs-undici) = 6.24.1
|
||||
Provides: bundled(nodejs-undici) = 6.27.0
|
||||
%else
|
||||
BuildRequires: nodejs-undici
|
||||
Requires: nodejs-undici
|
||||
@ -407,7 +414,7 @@ Requires: zlib-devel%{?_isa}
|
||||
Requires: brotli-devel%{?_isa}
|
||||
Requires: nodejs-packaging
|
||||
|
||||
%if %{without bundled}
|
||||
%if %{without bundled_libuv}
|
||||
Requires: libuv-devel%{?_isa}
|
||||
%endif
|
||||
|
||||
@ -536,6 +543,14 @@ The API documentation for the Node.js JavaScript runtime.
|
||||
%autosetup -p1 -n node-v%{nodejs_version}
|
||||
|
||||
# remove bundled dependencies that we aren't building
|
||||
%if %{without bundled_libuv}
|
||||
rm -rf deps/uv
|
||||
%endif
|
||||
|
||||
%if %{without bundled_cares}
|
||||
rm -rf deps/cares
|
||||
%endif
|
||||
|
||||
%if !%{with bundled_zlib}
|
||||
rm -rf deps/zlib
|
||||
%endif
|
||||
@ -620,7 +635,8 @@ export PATH="${cwd}/.bin:$PATH"
|
||||
%{!?with_bundled_undici:--shared-builtin-undici/undici-path %{nodejs_private_sitelib}/undici/loader.js} \
|
||||
%{!?with_bundled_sqlite:--shared-sqlite} \
|
||||
--shared-brotli \
|
||||
--shared-libuv \
|
||||
%{!?with_bundled_cares:--shared-cares} \
|
||||
%{!?with_bundled_libuv:--shared-libuv} \
|
||||
--with-intl=small-icu \
|
||||
--with-icu-default-data-dir=%{icudatadir} \
|
||||
--without-corepack \
|
||||
@ -974,6 +990,17 @@ end
|
||||
|
||||
%changelog
|
||||
## START: Generated by rpmautospec
|
||||
* Wed Jun 24 2026 tjuhasz <tjuhasz@redhat.com> - 1:22.23.1-2
|
||||
- CVE-2026-42338 ip-address HTML escaping fix.
|
||||
|
||||
* Wed Jun 24 2026 tjuhasz <tjuhasz@redhat.com> - 1:22.23.1-1
|
||||
- Update to version 22.23.1
|
||||
|
||||
* Tue May 05 2026 Andrei Radchenko <aradchen@redhat.com> - 1:22.22.2-2
|
||||
- De-bundle c-ares, libuv
|
||||
- we waited for c-ares for about 4 months, so added conditional flag in
|
||||
case it falls behind in future again, same for libuv
|
||||
|
||||
* Mon Mar 30 2026 Andrei Radchenko <aradchen@redhat.com> - 1:22.22.2-1
|
||||
- Update to version 22.22.2
|
||||
- introduced patch updating deps/nghttp2 to v 1.68.1 for CVE-2026-27135
|
||||
|
||||
2
sources
2
sources
@ -1,3 +1,3 @@
|
||||
SHA512 (icu4c-78.2-data-bin-b.zip) = 032a1e519bf92dfa7936ef85ebed697550dbcb4e32c6ecd28ffecb158a403eeff6c0a3545b2551eba73f288e31693be6880e202a38cd86c129dffa395e8ab625
|
||||
SHA512 (icu4c-78.2-data-bin-l.zip) = c0b46de115332940d3276763904caa6257eb516edce4382632f4b96a5b010fee4cb06a5e10ef5eee2f881515c1ee8277d9ae59015f6de6fe1d175b9d00dbb1ca
|
||||
SHA512 (node-v22.22.2-stripped.tar.gz) = 82c3357cce10a3fe89373ec4e3460af5992d853f28a7339358a3f910959e7b17987c8eb1748d9c3033d4c642701d321e2265cc0ac004a218860da4eda2971226
|
||||
SHA512 (node-v22.23.1-stripped.tar.gz) = dee26039e7a6f5d740c9f022ff702699748901c72d77ec41b91f4d9cc295d79596435d3e74446074bee1b34bd18b34f09144cd63266bf68858c975bb9e6339a3
|
||||
|
||||
Loading…
Reference in New Issue
Block a user