From: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH] package/nodejs: security bump to version 12.16.0
Date: Tue, 18 Feb 2020 03:51:55 +0100
Message-ID: <20200218035155.5d9c4d70@windsurf>
In-Reply-To: <20200217223849.16987-1-peter@korsgaard.com>
On Mon, 17 Feb 2020 23:38:49 +0100
Peter Korsgaard <peter@korsgaard.com> wrote:
> Fixes the following security issues (12.15.0):
>
> - CVE-2019-15606: HTTP header values do not have trailing OWS trimmed
>
> - CVE-2019-15605: HTTP request smuggling using malformed Transfer-Encoding
> header
>
> - CVE-2019-15604: Remotely trigger an assertion on a TLS server with a
> malformed certificate string
>
> For more details, see the advisory:
> https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/
>
> On top of this, 12.16.0 brings a number of changes and bugfixes.
>
> Update the license hash for an addition of the (MIT) licensing terms for the
> uvwasi module:
>
> +
> +- uvwasi, located at deps/uvwasi, is licensed as follows:
> + """
> + MIT License
> +
> + Copyright (c) 2019 Colin Ihrig and Contributors
> +
> + Permission is hereby granted, free of charge, to any person obtaining a copy
> + of this software and associated documentation files (the "Software"), to deal
> + in the Software without restriction, including without limitation the rights
> + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
> + copies of the Software, and to permit persons to whom the Software is
> + furnished to do so, subject to the following conditions:
> +
> + The above copyright notice and this permission notice shall be included in all
> + copies or substantial portions of the Software.
> +
> + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
> + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
> + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
> + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
> + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
> + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
> + SOFTWARE.
> + """
>
> While we are at it, adjust the white space in the .hash function to match
> the new agreements.
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> ---
> package/nodejs/nodejs.hash | 6 +++---
> package/nodejs/nodejs.mk | 2 +-
> 2 files changed, 4 insertions(+), 4 deletions(-)
Applied to master, thanks.
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com