diff --git a/.gitignore b/.gitignore
index d583ab1..3d28a66 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,4 @@
 /icu4c-77_1-data-bin-l.zip
 /node-v24.4.1-stripped.tar.gz
 /packaging-scripts.tar.gz
+/node-v24.6.0-stripped.tar.gz
diff --git a/0001-fips-disable-options.patch b/0001-fips-disable-options.patch
new file mode 100644
index 0000000..ebd90ae
--- /dev/null
+++ b/0001-fips-disable-options.patch
@@ -0,0 +1,82 @@ +From 98738d27288bd9ca634e29181ef665e812e7bbd3 Mon Sep 17 00:00:00 2001 +From: Michael Dawson +Date: Fri, 23 Feb 2024 13:43:56 +0100 +Subject: [PATCH] Disable FIPS options + +On RHEL, FIPS should be configured only on system level. +Additionally, the related options may cause segfault when used on RHEL. + +This patch causes the option processing to end sooner +than the problematic code gets executed. +Additionally, the JS-level options to mess with FIPS settings +are similarly disabled. + +Upstream report: https://github.com/nodejs/node/pull/48950 +RHBZ: https://bugzilla.redhat.com/show_bug.cgi?id=2226726 +--- + lib/crypto.js | 10 ++++++++++ + lib/internal/errors.js | 6 ++++++ + src/crypto/crypto_util.cc | 2 ++ + 3 files changed, 18 insertions(+) + +diff --git a/lib/crypto.js b/lib/crypto.js +index 41adecc..b2627ac 100644 +--- a/lib/crypto.js ++++ b/lib/crypto.js +@@ -36,7 +36,10 @@ const { + assertCrypto(); + + const { ++ // RHEL specific error ++ ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED, ++ + ERR_CRYPTO_FIPS_FORCED, + ERR_WORKER_UNSUPPORTED_OPERATION, + } = require('internal/errors').codes; + const constants = internalBinding('constants').crypto; +@@ -251,6 +254,13 @@ function getFips() { + } + + function setFips(val) { ++ // in RHEL FIPS enable/disable should only be done at system level ++ if (getFips() != val) { ++ throw new ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED(); ++ } else { ++ return; ++ } ++ + if (getOptionValue('--force-fips')) { + if (val) return; + throw new ERR_CRYPTO_FIPS_FORCED(); +diff --git a/lib/internal/errors.js b/lib/internal/errors.js +index a722360..04d8a53 100644 +--- a/lib/internal/errors.js ++++ b/lib/internal/errors.js +@@ -1111,6 +1111,12 @@ module.exports = { + // + // Note: Node.js specific errors must begin with the prefix ERR_ + ++// insert RHEL specific erro ++E('ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED', ++ 'Cannot set FIPS mode. FIPS should be enabled/disabled at system level. 
See' + ++ 'https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening for more details.\n', ++ Error); ++ + E('ERR_ACCESS_DENIED', + function(msg, permission = '', resource = '') { + this.permission = permission; +diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc +index 5734d8f..ef9d1b1 100644 +--- a/src/crypto/crypto_util.cc ++++ b/src/crypto/crypto_util.cc +@@ -86,6 +86,8 @@ bool ProcessFipsOptions() { + /* Override FIPS settings in configuration file, if needed. */ + if (per_process::cli_options->enable_fips_crypto || + per_process::cli_options->force_fips_crypto) { ++ fprintf(stderr, "ERROR: Using options related to FIPS is not recommended, configure FIPS in openssl instead. See https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/9/html/security_hardening/assembly_installing-the-system-in-fips-mode_security-hardening for more details.\n"); ++ return false; + #if OPENSSL_VERSION_MAJOR >= 3 + if (!ncrypto::testFipsEnabled()) return false; + return ncrypto::setFipsEnabled(true, nullptr); +-- +2.43.2 diff --git a/nodejs24.spec b/nodejs24.spec index 8e59df8..c19230e 100644 --- a/nodejs24.spec +++ b/nodejs24.spec 
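Review bot: In the embedded lib/crypto.js hunk, `if (getFips() != val)` relies on loose comparison, so on a non-FIPS system a truthy argument that coerces to 0 (for example `'0'` or `[]`) takes the `return` branch and the caller gets no error although FIPS was not enabled. Assuming getFips() still yields 0/1 and that upstream interprets the argument by truthiness (neither is visible here), comparing booleans keeps the guard fail-closed: `if (Boolean(getFips()) !== Boolean(val)) {`. The new ERR_CRYPTO_FIPS_SYSTEM_CONTROLLED message in lib/internal/errors.js also joins `See'` directly to `'https://...`, so the text reads "Seehttps://access.redhat.com/..."; the first literal should end with `See '`. Everything after the added if/else in setFips is now unreachable, and the function continues outside the hunk, so a comment such as `// RHEL: the upstream logic below is intentionally unreachable` would make that explicit.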
@@ -3,50 +3,50 @@ %{load:%{_sourcedir}/nodejs.srpm.macros} # === Versions of any software shipped in the main nodejs tarball -%nodejs_define_version node 1:24.4.1-%{autorelease} -p +%nodejs_define_version node 1:24.6.0-%{autorelease} -p # The following ones are generated via script; # expect anything between the markers to be overwritten on any update. # BEGIN automatic-version-macros # DO NOT REMOVE THIS LINE! -# Version from node-v24.4.1/src/node_version.h +# Version from node-v24.6.0/src/node_version.h %global node_soversion 137 -# Version from node-v24.4.1/deps/ada/ada.h -%nodejs_define_version ada 3.2.4 -# Version from node-v24.4.1/deps/brotli/c/common/version.h +# Version from node-v24.6.0/deps/ada/ada.h +%nodejs_define_version ada 3.2.7 +# Version from node-v24.6.0/deps/brotli/c/common/version.h %nodejs_define_version brotli 1.1.0 -# Version from node-v24.4.1/deps/cares/include/ares_version.h +# Version from node-v24.6.0/deps/cares/include/ares_version.h %nodejs_define_version c_ares 1.34.5 -# Version from node-v24.4.1/deps/histogram/include/hdr/hdr_histogram_version.h +# Version from node-v24.6.0/deps/histogram/include/hdr/hdr_histogram_version.h %nodejs_define_version histogram 0.11.8 -# Version from node-v24.4.1/tools/icu/current_ver.dep +# Version from node-v24.6.0/tools/icu/current_ver.dep %nodejs_define_version icu 77.1 -p -# Version from node-v24.4.1/deps/uv/include/uv/version.h +# Version from node-v24.6.0/deps/uv/include/uv/version.h %nodejs_define_version libuv 1.51.0 -# Version from node-v24.4.1/deps/llhttp/include/llhttp.h +# Version from node-v24.6.0/deps/llhttp/include/llhttp.h %nodejs_define_version llhttp 9.3.0 -# Version from node-v24.4.1/deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h +# Version from node-v24.6.0/deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h %nodejs_define_version nghttp2 1.66.0 -# Version from node-v24.4.1/deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h +# Version from 
node-v24.6.0/deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h %nodejs_define_version nghttp3 1.6.0 -# Version from node-v24.4.1/deps/ngtcp2/ngtcp2/lib/includes/ngtcp2/version.h +# Version from node-v24.6.0/deps/ngtcp2/ngtcp2/lib/includes/ngtcp2/version.h %nodejs_define_version ngtcp2 1.11.0 -# Version from node-v24.4.1/deps/cjs-module-lexer/src/package.json +# Version from node-v24.6.0/deps/cjs-module-lexer/src/package.json %nodejs_define_version nodejs-cjs-module-lexer 2.1.0 -# Version from node-v24.4.1/lib/punycode.js +# Version from node-v24.6.0/lib/punycode.js %nodejs_define_version nodejs-punycode 2.1.0 -# Version from node-v24.4.1/deps/undici/src/package.json -%nodejs_define_version nodejs-undici 7.11.0 -# Version from node-v24.4.1/deps/npm/package.json -%nodejs_define_version npm 1:11.4.2 -# Version from node-v24.4.1/deps/sqlite/sqlite3.h -%nodejs_define_version sqlite 3.50.2 -# Version from node-v24.4.1/deps/uvwasi/include/uvwasi.h +# Version from node-v24.6.0/deps/undici/src/package.json +%nodejs_define_version nodejs-undici 7.13.0 +# Version from node-v24.6.0/deps/npm/package.json +%nodejs_define_version npm 1:11.5.1 +# Version from node-v24.6.0/deps/sqlite/sqlite3.h +%nodejs_define_version sqlite 3.50.4 +# Version from node-v24.6.0/deps/uvwasi/include/uvwasi.h %nodejs_define_version uvwasi 0.0.21 -# Version from node-v24.4.1/deps/v8/include/v8-version.h +# Version from node-v24.6.0/deps/v8/include/v8-version.h %nodejs_define_version v8 3:13.6.233.10 -p -# Version from node-v24.4.1/deps/zlib/zlib.h +# Version from node-v24.6.0/deps/zlib/zlib.h %nodejs_define_version zlib 1.3.1 # END automatic-version-macros # DO NOT REMOVE THIS LINE! @@ -152,6 +152,7 @@ Source101: nodejs.srpm.macros %patchlist 0001-Remove-unused-OpenSSL-config.patch 0005-v8-highway-Fix-for-GCC-15-compiler-error-on-PPC8-PPC.patch +0001-fips-disable-options.patch %description Node.js is a platform built on Chrome's JavaScript runtime 
diff --git a/sources b/sources
index e41db35..4fa4709 100644
--- a/sources
+++ b/sources
@@ -1,4 +1,4 @@
+SHA512 (node-v24.6.0-stripped.tar.gz) = baec00c7d9bc1d86552736541d024983aa1591c7f8a26445113c8346c6699c16e0bd79a6772084fcb4a01ac01988f03beba85b3647f485a12ef6416bad57a1d1
 SHA512 (icu4c-77_1-data-bin-b.zip) = 93b4c8228a059546e7c3e337f1f837db255c0046c15f50a31a7bd20daf361174edab05b01faaac1dd4f515ca3c1f1d7fb0f61e4177eb5631833ad1450e252c4e
 SHA512 (icu4c-77_1-data-bin-l.zip) = 3de15bb5925956b8e51dc6724c2114a1009ec471a2241b09ae09127f1760f44d02cc29cfbeed6cbaac6ee880553ac8395c61c6043c00ddba3277233e19e6490e
-SHA512 (node-v24.4.1-stripped.tar.gz) = 9da4e8f8b5c87d2ab7b826109dc18910b2c42fbc43058251b5488be1d34625896944a54800d995175aba698010a537eb60b22ec546edcfc53295343ad395fed8
 SHA512 (packaging-scripts.tar.gz) = 5123c6fa3eb89e37a300914184eee10268568efc662a1c5b107900438b35e43c4222c4a31cf02b9d605c693f7e652420fdaf7209e41ba666ff428c3c0d340b7b