Update to version 22.23.1

Resolves: RHEL-176172
Resolves: RHEL-189392
Resolves: RHEL-189368
Resolves: RHEL-189350
Resolves: RHEL-186004

Fixes CVE-2026-12151 by updating deps/undici to version 6.27.0.
Advisory: https://github.com/nodejs/undici/security/advisories/GHSA-vxpw-j846-p89q

Also fixes following CVEs:
CVE-2026-48618 tls: normalize hostname for server identity checks.
CVE-2026-48933 crypto: guard WebCrypto cipher output length.
CVE-2026-48937 deps: fix integration issues with the latest nghttp2.
CVE-2026-48930 dns,net: reject hostnames with embedded NUL bytes.
CVE-2026-48619 http2: cap originSet size to prevent unbounded memory growth.
CVE-2026-48615 lib,test: redact proxy credentials in tunnel errors.
CVE-2026-48934 tls: bind reusable sessions to authenticated host.
CVE-2026-48928 tls: fix case-sensitive SNI context matching.
CVE-2026-48617 permission: handle process.chdir on writereport.
CVE-2026-48931 http: fix response queue poisoning in http.Agent.
CVE-2026-48935 permission: disable FileHandle utimes with permission model.
Update blog: https://nodejs.org/en/blog/release/v22.23.0

Drop downstream nghttp2 patch
This commit is contained in:
tjuhasz 2026-06-22 16:34:04 +02:00 committed by Andrei Radchenko
parent c532e13764
commit c2ec07a455
3 changed files with 9 additions and 7722 deletions

File diff suppressed because it is too large Load Diff

View File

@ -58,8 +58,8 @@
# than a Fedora release lifecycle.
%global nodejs_epoch 1
%global nodejs_major 22
%global nodejs_minor 22
%global nodejs_patch 2
%global nodejs_minor 23
%global nodejs_patch 1
# nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
%global nodejs_soversion 127
%global nodejs_abi %{nodejs_soversion}
@ -82,20 +82,20 @@
%global v8_release %{nodejs_epoch}.%{nodejs_major}.%{nodejs_minor}.%{nodejs_patch}.%{nodejs_release}
# zlib - from deps/zlib/zlib.h
%global zlib_version 1.3.0.1-motley
%global zlib_version 1.3.1
# c-ares - from deps/cares/include/ares_version.h
# https://github.com/nodejs/node/pull/9332
%global c_ares_version 1.34.6
# llhttp - from deps/llhttp/include/llhttp.h
%global llhttp_version 9.3.0
%global llhttp_version 9.4.2
# libuv - from deps/uv/include/uv/version.h
%global libuv_version 1.51.0
# nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h
%global nghttp2_version 1.68.1
%global nghttp2_version 1.69.0
# nghttp3 - from deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h
%global nghttp3_version 1.6.0
@ -126,7 +126,7 @@
# npm - from deps/npm/package.json
%global npm_epoch 1
%global npm_version 10.9.7
%global npm_version 10.9.8
# In order to avoid needing to keep incrementing the release version for the
# main package forever, we will just construct one for npm that is guaranteed
@ -143,7 +143,7 @@
%global histogram_version 0.11.9
# sqlite from deps/sqlite/sqlite3.h
%global sqlite_version 3.51.2
%global sqlite_version 3.51.3
Name: nodejs%{nodejs_pkg_major}
@ -178,7 +178,6 @@ Source301: test-should-pass.txt
Patch: 0001-Remove-unused-OpenSSL-config.patch
Patch: 0001-fips-disable-options.patch
Patch: 0001-deps-update-nghttp2-to-1.68.1.patch
Patch: 0001-CVE-2026-25547-braces-expansion.patch
%if 0%{?nodejs_default}
@ -363,7 +362,7 @@ Requires: nodejs-cjs-module-lexer
%endif
%if %{with bundled_undici}
Provides: bundled(nodejs-undici) = 6.24.1
Provides: bundled(nodejs-undici) = 6.27.0
%else
BuildRequires: nodejs-undici
Requires: nodejs-undici

View File

@ -1,3 +1,3 @@
SHA512 (node-v22.22.2-stripped.tar.gz) = 82c3357cce10a3fe89373ec4e3460af5992d853f28a7339358a3f910959e7b17987c8eb1748d9c3033d4c642701d321e2265cc0ac004a218860da4eda2971226
SHA512 (node-v22.23.1-stripped.tar.gz) = dee26039e7a6f5d740c9f022ff702699748901c72d77ec41b91f4d9cc295d79596435d3e74446074bee1b34bd18b34f09144cd63266bf68858c975bb9e6339a3
SHA512 (icu4c-78.2-data-bin-b.zip) = 032a1e519bf92dfa7936ef85ebed697550dbcb4e32c6ecd28ffecb158a403eeff6c0a3545b2551eba73f288e31693be6880e202a38cd86c129dffa395e8ab625
SHA512 (icu4c-78.2-data-bin-l.zip) = c0b46de115332940d3276763904caa6257eb516edce4382632f4b96a5b010fee4cb06a5e10ef5eee2f881515c1ee8277d9ae59015f6de6fe1d175b9d00dbb1ca