Message ID | 20240716094305.1646641-1-buildroot@bubu1.eu |
---|---|
State | Accepted |
Headers | show |
Series | package/nodejs: security bump to v20.15.1 | expand |
On Tue, 16 Jul 2024 11:43:05 +0200 Marcus Hoffmann via buildroot <buildroot@buildroot.org> wrote: > Release Notes: https://nodejs.org/en/blog/release/v20.15.1 > > Fixes the following CVE's: > > CVE-2024-36138 - Bypass incomplete fix of CVE-2024-27980 (High) > CVE-2024-22020 - Bypass network import restriction via data URL (Medium) > CVE-2024-22018 - fs.lstat bypasses permission model (Low) > CVE-2024-36137 - fs.fchown/fchmod bypasses permission model (Low) > CVE-2024-37372 - Permission model improperly processes UNC paths (Low) > > Also these additional CVE's were fixed in the v20.12.1 and v20.12.2 releases [1][2]: > > CVE-2024-27983 - Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash- (High) > CVE-2024-27982 - HTTP Request Smuggling via Content Length Obfuscation - (Medium) > CVE-2024-27980 - Command injection via args parameter of child_process.spawn without shell option enabled on Windows > > NodeJS tests are passing: > $ ./support/testing/run-tests -o ./outputs/ -k tests.package.test_nodejs -d dl > 12:02:58 TestNodeJSModuleHostSrc Starting > 12:02:58 TestNodeJSModuleHostSrc Building > 13:17:15 TestNodeJSModuleHostSrc Building done > 13:17:23 TestNodeJSModuleHostSrc Cleaning up > .13:17:23 TestNodeJSModuleHostBin Starting > 13:17:23 TestNodeJSModuleHostBin Building > 14:06:15 TestNodeJSModuleHostBin Building done > 14:06:20 TestNodeJSModuleHostBin Cleaning up > .14:06:20 TestNodeJSBasic Starting > 14:06:20 TestNodeJSBasic Building > 14:55:40 TestNodeJSBasic Building done > 14:55:45 TestNodeJSBasic Cleaning up > > LICENSE hash changed due to changes in vendored components: > > * copyright year update and adding spdx identifier [1] > > [1] https://nodejs.org/en/blog/release/v20.12.1 > [2] https://nodejs.org/en/blog/release/v20.12.2 > [3] https://github.com/nodejs/node/commit/d5a316f5ea3fade3140c2ae35c144b500fb5d758 > > Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu> > --- > package/nodejs/nodejs.hash | 14 +++++++------- > package/nodejs/nodejs.mk | 2 +- > 2 files changed, 8 insertions(+), 8 deletions(-) Applied to master, thanks. Thomas
>>>>> "Marcus" == Marcus Hoffmann via buildroot <buildroot@buildroot.org> writes: > Release Notes: https://nodejs.org/en/blog/release/v20.15.1 > Fixes the following CVE's: > CVE-2024-36138 - Bypass incomplete fix of CVE-2024-27980 (High) > CVE-2024-22020 - Bypass network import restriction via data URL (Medium) > CVE-2024-22018 - fs.lstat bypasses permission model (Low) > CVE-2024-36137 - fs.fchown/fchmod bypasses permission model (Low) > CVE-2024-37372 - Permission model improperly processes UNC paths (Low) > Also these additional CVE's were fixed in the v20.12.1 and v20.12.2 releases [1][2]: > CVE-2024-27983 - Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash- (High) > CVE-2024-27982 - HTTP Request Smuggling via Content Length Obfuscation - (Medium) > CVE-2024-27980 - Command injection via args parameter of child_process.spawn without shell option enabled on Windows > NodeJS tests are passing: > $ ./support/testing/run-tests -o ./outputs/ -k tests.package.test_nodejs -d dl > 12:02:58 TestNodeJSModuleHostSrc Starting > 12:02:58 TestNodeJSModuleHostSrc Building > 13:17:15 TestNodeJSModuleHostSrc Building done > 13:17:23 TestNodeJSModuleHostSrc Cleaning up > .13:17:23 TestNodeJSModuleHostBin Starting > 13:17:23 TestNodeJSModuleHostBin Building > 14:06:15 TestNodeJSModuleHostBin Building done > 14:06:20 TestNodeJSModuleHostBin Cleaning up > .14:06:20 TestNodeJSBasic Starting > 14:06:20 TestNodeJSBasic Building > 14:55:40 TestNodeJSBasic Building done > 14:55:45 TestNodeJSBasic Cleaning up > LICENSE hash changed due to changes in vendored components: > * copyright year update and adding spdx identifier [1] > [1] https://nodejs.org/en/blog/release/v20.12.1 > [2] https://nodejs.org/en/blog/release/v20.12.2 > [3] https://github.com/nodejs/node/commit/d5a316f5ea3fade3140c2ae35c144b500fb5d758 > Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu> Committed to 2024.02.x and 2024.05.x, thanks.
diff --git a/package/nodejs/nodejs.hash b/package/nodejs/nodejs.hash index 2cbbf766f5..61bda55098 100644 --- a/package/nodejs/nodejs.hash +++ b/package/nodejs/nodejs.hash @@ -1,8 +1,8 @@ -# From https://nodejs.org/dist/v20.12.0/SHASUMS256.txt.asc -sha256 007ca2699cf6e84290e5bed844ed66ef9d707d23561dfaf117212b7dce216ba7 node-v20.12.0-linux-arm64.tar.xz -sha256 668fb421a24be596c98f00a31049fbf6ada14d221b7382e0f1caa55ab421431a node-v20.12.0-linux-armv7l.tar.xz -sha256 78dc3b7ad993c332684802e35c1f0de2b76193d13394bc89e3bab216828587c7 node-v20.12.0-linux-ppc64le.tar.xz -sha256 0a126adf5b6a5eb11a37bad76a0c626a18f20b6811322e68aae0e3cf9bf580bd node-v20.12.0-linux-x64.tar.xz -sha256 76e5346cebfd581528f699f764f4d1a6e87cb818b696708f235ddcb625a0f78d node-v20.12.0.tar.xz +# From https://nodejs.org/dist/v20.15.1/SHASUMS256.txt.asc +sha256 10d47a46ef208b3e4b226e4d595a82659123b22397ed77b7975d989114ec317e node-v20.15.1-linux-arm64.tar.xz +sha256 7bc120efdd8018f6915471b963d9b80adf4ed406d6dc9edb4ae944b85f505c4c node-v20.15.1-linux-armv7l.tar.xz +sha256 b33e684802251397ad62ad3f8a1836267ee8b7723f87f669470018ad0035287b node-v20.15.1-linux-ppc64le.tar.xz +sha256 26700f8d3e78112ad4a2618a9c8e2816e38a49ecf0213ece80e54c38cb02563f node-v20.15.1-linux-x64.tar.xz +sha256 fdd53a5729d936691a2a1151046fb4897721cb8b0fca2af957823a9b40fe0c34 node-v20.15.1.tar.xz # Locally calculated -sha256 d3a9fbfe0a1fb78627ee296cd5ca5b498822d4d1c5da3b8e8100c41bd7b791fd LICENSE +sha256 49cd410e0fe6a8879a40d0764092d1e6114cc85fe41d4efed990d028eec25582 LICENSE diff --git a/package/nodejs/nodejs.mk b/package/nodejs/nodejs.mk index 9ed51fbe9b..104d2cf258 100644 --- a/package/nodejs/nodejs.mk +++ b/package/nodejs/nodejs.mk @@ -5,7 +5,7 @@ ################################################################################ # _VERSION, _SOURCE and _SITE must be kept empty to avoid downloading anything -NODEJS_COMMON_VERSION = 20.12.0 +NODEJS_COMMON_VERSION = 20.15.1 NODEJS_COMMON_SOURCE = node-v$(NODEJS_COMMON_VERSION).tar.xz NODEJS_COMMON_SITE = http://nodejs.org/dist/v$(NODEJS_COMMON_VERSION)
Release Notes: https://nodejs.org/en/blog/release/v20.15.1 Fixes the following CVE's: CVE-2024-36138 - Bypass incomplete fix of CVE-2024-27980 (High) CVE-2024-22020 - Bypass network import restriction via data URL (Medium) CVE-2024-22018 - fs.lstat bypasses permission model (Low) CVE-2024-36137 - fs.fchown/fchmod bypasses permission model (Low) CVE-2024-37372 - Permission model improperly processes UNC paths (Low) Also these additional CVE's were fixed in the v20.12.1 and v20.12.2 releases [1][2]: CVE-2024-27983 - Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash- (High) CVE-2024-27982 - HTTP Request Smuggling via Content Length Obfuscation - (Medium) CVE-2024-27980 - Command injection via args parameter of child_process.spawn without shell option enabled on Windows NodeJS tests are passing: $ ./support/testing/run-tests -o ./outputs/ -k tests.package.test_nodejs -d dl 12:02:58 TestNodeJSModuleHostSrc Starting 12:02:58 TestNodeJSModuleHostSrc Building 13:17:15 TestNodeJSModuleHostSrc Building done 13:17:23 TestNodeJSModuleHostSrc Cleaning up .13:17:23 TestNodeJSModuleHostBin Starting 13:17:23 TestNodeJSModuleHostBin Building 14:06:15 TestNodeJSModuleHostBin Building done 14:06:20 TestNodeJSModuleHostBin Cleaning up .14:06:20 TestNodeJSBasic Starting 14:06:20 TestNodeJSBasic Building 14:55:40 TestNodeJSBasic Building done 14:55:45 TestNodeJSBasic Cleaning up LICENSE hash changed due to changes in vendored components: * copyright year update and adding spdx identifier [1] [1] https://nodejs.org/en/blog/release/v20.12.1 [2] https://nodejs.org/en/blog/release/v20.12.2 [3] https://github.com/nodejs/node/commit/d5a316f5ea3fade3140c2ae35c144b500fb5d758 Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu> --- package/nodejs/nodejs.hash | 14 +++++++------- package/nodejs/nodejs.mk | 2 +- 2 files changed, 8 insertions(+), 8 deletions(-)