From: "Yann E. MORIN" <yann.morin.1998@free.fr>
To: Peter Korsgaard <peter@korsgaard.com>
Cc: Daniel Price <daniel.price@gmail.com>,
Martin Bark <martin@barkynet.com>,
buildroot@buildroot.org
Subject: Re: [Buildroot] [PATCH] package/nodejs: security bump to version 12.22.6
Date: Sat, 18 Sep 2021 19:44:25 +0200
Message-ID: <20210918174425.GF1053080@scaer>
In-Reply-To: <20210918161131.10276-1-peter@korsgaard.com>

Peter, All,

On 2021-09-18 18:11 +0200, Peter Korsgaard spake thusly:
> Fixes the following security issues:
>
> - CVE-2021-37701: Arbitrary File Creation/Overwrite via insufficient symlink
> protection due to directory cache poisoning using symbolic links
>
> - CVE-2021-37712: Arbitrary File Creation/Overwrite via insufficient symlink
> protection due to directory cache poisoning using symbolic links
>
> - CVE-2021-37713: Arbitrary File Creation/Overwrite on Windows via
> insufficient relative path sanitization
>
> - CVE-2021-39134: UNIX Symbolic Link (Symlink) Following in @npmcli/arborist
>
> - CVE-2021-39135: UNIX Symbolic Link (Symlink) Following in @npmcli/arborist
>
> For more details, see the advisory:
> https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases2/
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Applied to master, thanks.
Regards,
Yann E. MORIN.
> ---
> package/nodejs/nodejs.hash | 4 ++--
> package/nodejs/nodejs.mk | 2 +-
> 2 files changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/package/nodejs/nodejs.hash b/package/nodejs/nodejs.hash
> index 1552e937b7..8d39ef489d 100644
> --- a/package/nodejs/nodejs.hash
> +++ b/package/nodejs/nodejs.hash
> @@ -1,5 +1,5 @@
> -# From https://nodejs.org/dist/v12.22.5/SHASUMS256.txt
> -sha256 f927ff6c2ac5a7234596031b18ba03febbcadd2650d375f1a3fd02426687fd14 node-v12.22.5.tar.xz
> +# From https://nodejs.org/dist/v12.22.6/SHASUMS256.txt
> +sha256 c2022f16b8f689620c3472c2b5261fdabbd0ab976bf9ac3b7db6747a2e9b0f7a node-v12.22.6.tar.xz
>
> # Hash for license file
> sha256 221417a7ca275112a5ac54639b36ee3c5184e74631ea1e1b01b701293b655190 LICENSE
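Review bot: The LICENSE hash on the unchanged context line is carried over from the 12.22.5 entry, while only the tarball hash and its source comment are updated in this hunk. It is worth confirming that the LICENSE file shipped in node-v12.22.6.tar.xz is byte-identical to the previous one, and saying so in the commit message, so the license hash check does not fail later.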
> diff --git a/package/nodejs/nodejs.mk b/package/nodejs/nodejs.mk
> index 39099b53dc..38e8936986 100644
> --- a/package/nodejs/nodejs.mk
> +++ b/package/nodejs/nodejs.mk
> @@ -4,7 +4,7 @@
> #
> ################################################################################
>
> -NODEJS_VERSION = 12.22.5
> +NODEJS_VERSION = 12.22.6
> NODEJS_SOURCE = node-v$(NODEJS_VERSION).tar.xz
> NODEJS_SITE = http://nodejs.org/dist/v$(NODEJS_VERSION)
> NODEJS_DEPENDENCIES = host-python host-nodejs c-ares \
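Review bot: The NODEJS_SITE context line still fetches from plain http://nodejs.org/dist/v$(NODEJS_VERSION), while the comment in nodejs.hash cites an https:// URL for SHASUMS256.txt. The sha256 entry in nodejs.hash does catch a modified tarball, but for a security bump it would be consistent to move NODEJS_SITE to https:// in a follow-up so the download does not depend on the hash check alone.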
> --
> 2.20.1
>
> _______________________________________________
> buildroot mailing list
> buildroot@lists.buildroot.org
> https://lists.buildroot.org/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'