nodejs14.changes
-------------------------------------------------------------------
Fri Jul 2 15:27:59 UTC 2021 - Adam Majer <adam.majer@suse.de>
- update to 14.17.2:
deps: libuv upgrade - Out of bounds read (Medium)
(bsc#1187973, CVE-2021-22918)
- old_icu.patch: update with upstream's patch from
https://github.com/nodejs/node/pull/39068
- specfile cleanup
-------------------------------------------------------------------
Thu Jun 17 09:48:02 UTC 2021 - Adam Majer <adam.majer@suse.de>
- update to 14.17.1:
* deps: update ICU to 69.1
* errors: align source-map stacks with spec
- Fix-build-with-icu-69.patch: upstreamed
-------------------------------------------------------------------
Fri Jun 4 22:12:29 UTC 2021 - Dirk Müller <dmueller@suse.com>
- update to 14.17.0:
* Experimental support for AbortController and AbortSignal
* Diagnostics channel (experimental module)
* UUID support in the crypto module
* update ICU to 68.1
* upgrade to libuv 1.41.0
- add Fix-build-with-icu-69.patch: fix build with icu 69
-------------------------------------------------------------------
Mon May 31 16:27:44 UTC 2021 - Adam Majer <adam.majer@suse.de>
- Use libalternatives instead of update-alternatives
-------------------------------------------------------------------
Wed Apr 7 12:35:34 UTC 2021 - Adam Majer <adam.majer@suse.de>
- New upstream LTS version 14.16.1:
* CVE-2020-7774: npm upgrade - Update y18n to fix Prototype-Pollution (High)
This is a vulnerability in the y18n npm module which may be
exploited by prototype pollution. You can read more about it in
https://github.com/advisories/GHSA-c4w7-xm78-47vh
(bsc#1184450)
* deps: upgrade npm to 6.14.12
- versioned.patch: refreshed
-------------------------------------------------------------------
Tue Feb 23 14:46:06 UTC 2021 - Adam Majer <adam.majer@suse.de>
- New upstream LTS version 14.16.0:
* CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service
by resource exhaustion (bsc#1182619)
* CVE-2021-22884: DNS rebinding in --inspect (bsc#1182620)
-------------------------------------------------------------------
Wed Feb 17 17:33:25 UTC 2021 - Adam Majer <adam.majer@suse.de>
- New upstream LTS version 14.15.5:
* deps:
+ upgrade npm to 6.14.11
+ V8: backport dfcf1e86fac0 #37245
Note: Node.js is not believed to be vulnerable to CVE-2021-21148
* stream,zlib: do not use _stream_* anymore
- relax OpenSSL cipher suite policies for unit tests
-------------------------------------------------------------------
Mon Jan 4 19:27:41 UTC 2021 - Adam Majer <adam.majer@suse.de>
- New upstream LTS version 14.15.4:
* CVE-2020-8265: use-after-free in TLSWrap (High) bug in TLS
implementation. When writing to a TLS enabled socket,
node::StreamBase::Write calls node::TLSWrap::DoWrite with
a freshly allocated WriteWrap object as first argument.
If the DoWrite method does not return an error, this object is
passed back to the caller as part of a StreamWriteResult structure.
This may be exploited to corrupt memory leading to a
Denial of Service or potentially other exploits (bsc#1180553)
* CVE-2020-8287: HTTP Request Smuggling allow two copies of a
header field in a http request. For example, two Transfer-Encoding
header fields. In this case Node.js identifies the first header
field and ignores the second. This can lead to HTTP Request
Smuggling (https://cwe.mitre.org/data/definitions/444.html).
(bsc#1180554)
-------------------------------------------------------------------
Mon Dec 21 12:37:16 UTC 2020 - Adam Majer <adam.majer@suse.de>
- New upstream LTS version 14.15.3:
* deps:
+ upgrade npm to 6.14.9
+ update acorn to v8.0.4
* http2: check write not scheduled in scope destructor
* stream: fix regression on duplex end
- versioned.patch, sle12_python3_compat.patch: refreshed
-------------------------------------------------------------------
Mon Nov 30 19:44:30 UTC 2020 - Adam Majer <adam.majer@suse.de>
- openssl_binary_detection.patch: fixes unit tests on SLE12
-------------------------------------------------------------------
Mon Nov 23 16:06:15 UTC 2020 - Adam Majer <adam.majer@suse.de>
- Update Requires: so -devel requires npm
- Rely on rpmbuild to define necessary python dependencies
-------------------------------------------------------------------
Thu Nov 19 11:42:09 UTC 2020 - Adam Majer <adam.majer@suse.de>
- New upstream LTS version 14.15.1:
* deps: Denial of Service through DNS request (High).
A Node.js application that allows an attacker to trigger a DNS
request for a host of their choice could trigger a Denial of Service
by getting the application to resolve a DNS record with
a larger number of responses (bsc#1178882, CVE-2020-8277)
-------------------------------------------------------------------
Thu Oct 29 10:12:54 UTC 2020 - Adam Majer <adam.majer@suse.de>
- Update to LTS version 14.15.0: (jsc#SLE-15774)
* no major changes
* test: reverts marking test-webcrypto-encrypt-decrypt-aes flaky
-------------------------------------------------------------------
Tue Oct 20 14:23:42 UTC 2020 - Adam Majer <adam.majer@suse.de>
- Use SLE OpenSSL version with 12-SP4+, and not just 12-SP5+
- Bump minimum ICU version to 65
-------------------------------------------------------------------
Fri Oct 16 11:54:33 UTC 2020 - Adam Majer <adam.majer@suse.de>
- Update to version 14.14.0:
* fs: add rm method
* http: allow passing array of key/val into writeHead
* src: expose v8::Isolate setup callbacks
- sle12_python3_compat.patch: refreshed
-------------------------------------------------------------------
Thu Oct 8 15:12:05 UTC 2020 - Adam Majer <adam.majer@suse.de>
- Update to version 14.13.1:
* fs: rmdir recursive is no longer considered experimental
- fix_ci_tests.patch: add support to SUSE's ECDH backport errors
in SLE's openssl
-------------------------------------------------------------------
Tue Oct 6 11:30:37 UTC 2020 - Adam Majer <adam.majer@suse.de>
- Update to version 14.13.0:
* deps: upgrade to libuv 1.40.0 #35333
* module: named exports for CJS via static analysis #35249
* module: exports pattern support #34718
* src: allow N-API addon in AddLinkedBinding()
-------------------------------------------------------------------
Thu Sep 24 19:04:31 UTC 2020 - Adam Majer <adam.majer@suse.de>
- Update to version 14.12.0:
* n-api:
+ create N-API version 7
+ add more property defaults
- Changes since version 14.9.0
* deps:
+ update llhttp to 2.1.2 (bsc#1176605, CVE-2020-8201)
+ http: add requestTimeout. Fixes Denial of Service by
resource exhaustion due to unfinished HTTP/1.1 requests
(bsc#1176604, CVE-2020-8251)
+ buffer: also alias BigUInt methods
+ crypto: add randomInt function
+ perf_hooks: add idleTime and event loop util
+ stream: simpler and faster Readable async iterator
+ stream: save error in state
-------------------------------------------------------------------
Wed Sep 2 10:44:47 UTC 2020 - Adam Majer <adam.majer@suse.de>
- old_icu.patch: re-add support for ICU 65 from SLE15 SP2
- fix_ci_tests.patch: move debug symbol strip for testing to the Makefile
-------------------------------------------------------------------
Fri Aug 28 10:39:52 UTC 2020 - Adam Majer <adam.majer@suse.de>
- Update to version 14.9.0:
* build: set --v8-enable-object-print by default (Mary Marchini) #34705
* deps:
+ upgrade to libuv 1.39.0 (cjihrig) #34915
+ upgrade npm to 6.14.8 (Ruy Adorno) #34834
+ V8: cherry-pick e06ace6b5cdb (Anna Henningsen) #34673
* n-api: handle weak no-finalizer refs correctly (Gabriel Schulhof) #34839
* tools: add debug entitlements for macOS 10.15+ (Gabriele Greco) #34378
- Changes in version 14.8.0:
* async_hooks: add AsyncResource.bind utility (James M Snell) #34574
* deps: update to uvwasi 0.0.10 (Colin Ihrig) #34623
* module: unflag Top-Level Await (Myles Borins) #34558
* n-api: support type-tagging objects (Gabriel Schulhof) #28237
* n-api,src: provide asynchronous cleanup hooks (Anna Henningsen) #34572
- versioned.patch: refreshed
- linker_lto_jobs.patch: refreshed
-------------------------------------------------------------------
Mon Aug 10 16:38:15 UTC 2020 - Adam Majer <adam.majer@suse.de>
- Explicitly add -fno-strict-aliasing to CFLAGS to fix compilation
on Aarch64 with gcc10 (bsc#1172686)
-------------------------------------------------------------------
Mon Aug 3 12:20:57 UTC 2020 - Adam Majer <adam.majer@suse.de>
- Update to version 14.7.0:
* deps: upgrade npm to 6.14.7
* dgram: add IPv6 scope id suffix to received udp6 dgrams
* src:
+ allow preventing SetPromiseRejectCallback #34387
+ allow setting a dir for all diagnostic output #33584
* worker: make MessagePort inherit from EventTarget #34057
* zlib: switch to lazy init for zlib streams (Andrey Pechkurov) #34048
-------------------------------------------------------------------
Tue Jul 28 07:13:57 UTC 2020 - Dirk Mueller <dmueller@suse.com>
- avoid rpmbuild warnings on if/else/endif constructs
-------------------------------------------------------------------
Wed Jul 22 12:52:50 UTC 2020 - Adam Majer <adam.majer@suse.de>
- Update to version 14.6.0:
* deps:
+ upgrade to libuv 1.38.1
+ upgrade npm to 6.14.6 fixing information leak through
log files (bsc#1173937, CVE-2020-15095)
+ update V8 to 8.4.371.19
* module:
+ doc only deprecation of module.parent
+ package "imports" field
* src: allow embedders to disable esm loader
* tls: make 'createSecureContext' honor more options
* vm: add run-after-evaluate microtask mode
* worker: add option to track unmanaged file descriptors
- versioned.patch - refreshed
-------------------------------------------------------------------
Thu Jul 2 20:51:30 UTC 2020 - Adam Majer <adam.majer@suse.de>
- Update to version 14.5.0:
* deps: V8 engine is updated to version 8.3. For details, see
https://v8.dev/blog/v8-release-83
* events: experimental implementation of EventTarget
For details, see
https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V14.md#14.5.0
- sle12_python3_compat.patch: refreshed
- fix_ci_tests.patch: refreshed
-------------------------------------------------------------------
Tue Jun 9 11:45:55 UTC 2020 - Adam Majer <adam.majer@suse.de>
- Add Require for nodejs14 when installing npm14. (bsc#1172728)
-------------------------------------------------------------------
Thu Jun 4 12:03:49 UTC 2020 - Adam Majer <adam.majer@suse.de>
- Update to version 14.4.0:
* napi: fix various types of memory corruption in napi_get_value_string_*()
(CVE-2020-8174, bsc#1172443)
* http2: fix HTTP/2 Large Settings Frame DoS
(CVE-2020-11080, bsc#1172442)
* TLS session reuse can lead to host certificate verification bypass
(CVE-2020-8172, bsc#1172441)
-------------------------------------------------------------------
Fri May 29 10:46:58 UTC 2020 - Adam Majer <adam.majer@suse.de>
- Update to version 14.3.0:
* repl: previews improvements with autocompletion
* it's now possible to use the await keyword outside of async functions,
with the --experimental-top-level-await flag
- Changes in version 14.2.0:
* console: Support for console constructor groupIndentation options
- skip_no_console.patch: refreshed
- versioned.patch, fix_ci_tests.patch: refreshed
-------------------------------------------------------------------
Thu Apr 30 11:22:45 UTC 2020 - Adam Majer <adam.majer@suse.de>
- Update to version 14.1.0:
* deps: upgrade openssl sources to 1.1.1g (SLE-12 only)
* http: doc deprecate abort and improve docs
* module: do not warn when accessing __esModule of unfinished exports
* n-api: detect deadlocks in thread-safe function
* src: deprecate embedder APIs with replacements
* stream:
+ don't emit end after close
+ don't wait for close on legacy streams
+ pipeline should only destroy un-finished streams
* vm: add importModuleDynamically option to compileFunction
skip_no_console.patch: add more unit tests that fail on dumb terminals
-------------------------------------------------------------------
Mon Apr 27 13:35:05 UTC 2020 - Adam Majer <adam.majer@suse.de>
- Initial version 14.0.0
Deprecations
* crypto: move pbkdf2 without digest to EOL
* fs: deprecate closing FileHandle on garbage collection
* http: move OutboundMessage.prototype.flush to EOL
* lib: move GLOBAL and root aliases to EOL
* os: move tmpDir() to EOL
* src: remove deprecated wasm type check
* stream: move _writableState.buffer to EOL
* doc: deprecate process.mainModule
* doc: deprecate process.umask() with no arguments
For a detailed list of changes, see
https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V14.md#14.0.0