Update to version 24.6.0

Include back patch to prevent usage of currently unsupported fips flags Resolves: RHEL-109813 RHEL-109661
2025-08-19 10:27:28 +02:00 · 2025-08-19 10:27:28 +02:00 · 13e5baaf49
commit 13e5baaf49
parent 6056a16817
4 changed files with 109 additions and 25 deletions
--- a/.gitignore
+++ b/.gitignore
@ -2,3 +2,4 @@
 /icu4c-77_1-data-bin-l.zip
 /node-v24.4.1-stripped.tar.gz
 /packaging-scripts.tar.gz
+/node-v24.6.0-stripped.tar.gz
--- a/0001-fips-disable-options.patch
+++ b/0001-fips-disable-options.patch
@ -0,0 +1,82 @@
+From 98738d27288bd9ca634e29181ef665e812e7bbd3 Mon Sep 17 00:00:00 2001
+From: Michael Dawson <midawson@redhat.com>
+Date: Fri, 23 Feb 2024 13:43:56 +0100
+Subject: [PATCH] Disable FIPS options
+
+On RHEL, FIPS should be configured only on system level.
+Additionally, the related options may cause segfault when used on RHEL.
+
+This patch causes the option processing to end sooner
+than the problematic code gets executed.
+Additionally, the JS-level options to mess with FIPS settings
+are similarly disabled.
+
+Upstream report: https://github.com/nodejs/node/pull/48950
+RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=2226726
+---
+ lib/crypto.js             | 10 ++++++++++
+ lib/internal/errors.js    |  6 ++++++
+ src/crypto/crypto_util.cc |  2 ++
+ 3 files changed, 18 insertions(+)
+
+diff --git a/lib/crypto.js b/lib/crypto.js
+index 41adecc..b2627ac 100644
+--- a/lib/crypto.js
+++ b/lib/crypto.js
+@@ -36,7 +36,10 @@ const {
+ assertCrypto();
+
+ const {
+  // RHEL specific error
+  ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED,
+
+   ERR_CRYPTO_FIPS_FORCED,
+   ERR_WORKER_UNSUPPORTED_OPERATION,
+ } = require('internal/errors').codes;
+ const constants = internalBinding('constants').crypto;
+@@ -251,6 +254,13 @@ function getFips() {
+ }
+ 
+ function setFips(val) {
+  // in RHEL FIPS enable/disable should only be done at system level
+  if (getFips() != val) {
+    throw new ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED();
+  } else {
+    return;
+  }
+
+   if (getOptionValue('--force-fips')) {
+     if (val) return;
+     throw new ERR_CRYPTO_FIPS_FORCED();
+diff --git a/lib/internal/errors.js b/lib/internal/errors.js
+index a722360..04d8a53 100644
+--- a/lib/internal/errors.js
+++ b/lib/internal/errors.js
+@@ -1111,6 +1111,12 @@ module.exports = {
+ //
+ // Note: Node.js specific errors must begin with the prefix ERR_
+ 
+// insert RHEL specific erro
+E('ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED',
+  'Cannot set FIPS mode. FIPS should be enabled/disabled at system level. See' +
+  'https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening for more details.\n',
+  Error);
+
+ E('ERR_ACCESS_DENIED',
+   function(msg, permission = '', resource = '') {
+     this.permission = permission;
+diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
+index 5734d8f..ef9d1b1 100644
+--- a/src/crypto/crypto_util.cc
+++ b/src/crypto/crypto_util.cc
+@@ -86,6 +86,8 @@ bool ProcessFipsOptions() {
+   /* Override FIPS settings in configuration file, if needed. */
+   if (per_process::cli_options->enable_fips_crypto ||
+       per_process::cli_options->force_fips_crypto) {
+      fprintf(stderr, "ERROR: Using options related to FIPS is not recommended, configure FIPS in openssl instead. See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening for more details.\n");
+      return false;
+ #if OPENSSL_VERSION_MAJOR >= 3
+     if (!ncrypto::testFipsEnabled()) return false;
+     return ncrypto::setFipsEnabled(true, nullptr);
+-- 
+2.43.2
--- a/nodejs24.spec
+++ b/nodejs24.spec
@ -3,50 +3,50 @@
 %{load:%{_sourcedir}/nodejs.srpm.macros}

 # === Versions of any software shipped in the main nodejs tarball
-%nodejs_define_version node 1:24.4.1-%{autorelease} -p
+%nodejs_define_version node 1:24.6.0-%{autorelease} -p

 # The following ones are generated via script;
 # expect anything between the markers to be overwritten on any update.

 # BEGIN automatic-version-macros  # DO NOT REMOVE THIS LINE!
-# Version from node-v24.4.1/src/node_version.h
+# Version from node-v24.6.0/src/node_version.h
 %global node_soversion 137

-# Version from node-v24.4.1/deps/ada/ada.h
-%nodejs_define_version ada 3.2.4
-# Version from node-v24.4.1/deps/brotli/c/common/version.h
+# Version from node-v24.6.0/deps/ada/ada.h
+%nodejs_define_version ada 3.2.7
+# Version from node-v24.6.0/deps/brotli/c/common/version.h
 %nodejs_define_version brotli 1.1.0
-# Version from node-v24.4.1/deps/cares/include/ares_version.h
+# Version from node-v24.6.0/deps/cares/include/ares_version.h
 %nodejs_define_version c_ares 1.34.5
-# Version from node-v24.4.1/deps/histogram/include/hdr/hdr_histogram_version.h
+# Version from node-v24.6.0/deps/histogram/include/hdr/hdr_histogram_version.h
 %nodejs_define_version histogram 0.11.8
-# Version from node-v24.4.1/tools/icu/current_ver.dep
+# Version from node-v24.6.0/tools/icu/current_ver.dep
 %nodejs_define_version icu 77.1 -p
-# Version from node-v24.4.1/deps/uv/include/uv/version.h
+# Version from node-v24.6.0/deps/uv/include/uv/version.h
 %nodejs_define_version libuv 1.51.0
-# Version from node-v24.4.1/deps/llhttp/include/llhttp.h
+# Version from node-v24.6.0/deps/llhttp/include/llhttp.h
 %nodejs_define_version llhttp 9.3.0
-# Version from node-v24.4.1/deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h
+# Version from node-v24.6.0/deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h
 %nodejs_define_version nghttp2 1.66.0
-# Version from node-v24.4.1/deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h
+# Version from node-v24.6.0/deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h
 %nodejs_define_version nghttp3 1.6.0
-# Version from node-v24.4.1/deps/ngtcp2/ngtcp2/lib/includes/ngtcp2/version.h
+# Version from node-v24.6.0/deps/ngtcp2/ngtcp2/lib/includes/ngtcp2/version.h
 %nodejs_define_version ngtcp2 1.11.0
-# Version from node-v24.4.1/deps/cjs-module-lexer/src/package.json
+# Version from node-v24.6.0/deps/cjs-module-lexer/src/package.json
 %nodejs_define_version nodejs-cjs-module-lexer 2.1.0
-# Version from node-v24.4.1/lib/punycode.js
+# Version from node-v24.6.0/lib/punycode.js
 %nodejs_define_version nodejs-punycode 2.1.0
-# Version from node-v24.4.1/deps/undici/src/package.json
-%nodejs_define_version nodejs-undici 7.11.0
-# Version from node-v24.4.1/deps/npm/package.json
-%nodejs_define_version npm 1:11.4.2
-# Version from node-v24.4.1/deps/sqlite/sqlite3.h
-%nodejs_define_version sqlite 3.50.2
-# Version from node-v24.4.1/deps/uvwasi/include/uvwasi.h
+# Version from node-v24.6.0/deps/undici/src/package.json
+%nodejs_define_version nodejs-undici 7.13.0
+# Version from node-v24.6.0/deps/npm/package.json
+%nodejs_define_version npm 1:11.5.1
+# Version from node-v24.6.0/deps/sqlite/sqlite3.h
+%nodejs_define_version sqlite 3.50.4
+# Version from node-v24.6.0/deps/uvwasi/include/uvwasi.h
 %nodejs_define_version uvwasi 0.0.21
-# Version from node-v24.4.1/deps/v8/include/v8-version.h
+# Version from node-v24.6.0/deps/v8/include/v8-version.h
 %nodejs_define_version v8 3:13.6.233.10 -p
-# Version from node-v24.4.1/deps/zlib/zlib.h
+# Version from node-v24.6.0/deps/zlib/zlib.h
 %nodejs_define_version zlib 1.3.1
 # END automatic-version-macros  # DO NOT REMOVE THIS LINE!

@ -152,6 +152,7 @@ Source101:      nodejs.srpm.macros
 %patchlist
 0001-Remove-unused-OpenSSL-config.patch
 0005-v8-highway-Fix-for-GCC-15-compiler-error-on-PPC8-PPC.patch
+0001-fips-disable-options.patch

 %description
 Node.js is a platform built on Chrome's JavaScript runtime
--- a/2
+++ b/2
@ -1,4 +1,4 @@
+SHA512 (node-v24.6.0-stripped.tar.gz) = baec00c7d9bc1d86552736541d024983aa1591c7f8a26445113c8346c6699c16e0bd79a6772084fcb4a01ac01988f03beba85b3647f485a12ef6416bad57a1d1
 SHA512 (icu4c-77_1-data-bin-b.zip) = 93b4c8228a059546e7c3e337f1f837db255c0046c15f50a31a7bd20daf361174edab05b01faaac1dd4f515ca3c1f1d7fb0f61e4177eb5631833ad1450e252c4e
 SHA512 (icu4c-77_1-data-bin-l.zip) = 3de15bb5925956b8e51dc6724c2114a1009ec471a2241b09ae09127f1760f44d02cc29cfbeed6cbaac6ee880553ac8395c61c6043c00ddba3277233e19e6490e
-SHA512 (node-v24.4.1-stripped.tar.gz) = 9da4e8f8b5c87d2ab7b826109dc18910b2c42fbc43058251b5488be1d34625896944a54800d995175aba698010a537eb60b22ec546edcfc53295343ad395fed8
 SHA512 (packaging-scripts.tar.gz) = 5123c6fa3eb89e37a300914184eee10268568efc662a1c5b107900438b35e43c4222c4a31cf02b9d605c693f7e652420fdaf7209e41ba666ff428c3c0d340b7b