From: Peter Korsgaard <peter@korsgaard.com>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH 2017.02.x] nodejs: security bump to version 6.11.5
Date: Wed, 25 Oct 2017 22:16:13 +0200	[thread overview]
Message-ID: <20171025201613.17676-1-peter@korsgaard.com> (raw)

Fixes CVE-2017-14919 - In zlib v1.2.9, a change was made that causes an
error to be raised when a raw deflate stream is initialized with windowBits
set to 8.  On some versions this crashes Node and you cannot recover from
it, while on some versions it throws an exception.  Node.js will now
gracefully set windowBits to 9, replicating the legacy behavior, to avoid a
DoS vector.

For more details, see the announcement:
https://nodejs.org/en/blog/vulnerability/oct-2017-dos/

Drop 0002-inspector-don-t-build-when-ssl-support-is-disabled.patch as that
is now upstream:

https://github.com/nodejs/node/commit/ba23506419

And refresh the other patches.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 ...-don-t-build-when-ssl-support-is-disabled.patch | 35 ----------------------
 .../0001-gyp-force-link-command-to-use-CXX.patch   |  6 ++--
 ...HAVE_OPENSSL-directive-to-openssl_config.patch} |  6 ++--
 package/nodejs/Config.in                           |  2 +-
 package/nodejs/nodejs.hash                         |  4 +--
 5 files changed, 9 insertions(+), 44 deletions(-)
 delete mode 100644 package/nodejs/6.11.1/0002-inspector-don-t-build-when-ssl-support-is-disabled.patch
 rename package/nodejs/{6.11.1 => 6.11.5}/0001-gyp-force-link-command-to-use-CXX.patch (85%)
 rename package/nodejs/{6.11.1/0003-src-add-HAVE_OPENSSL-directive-to-openssl_config.patch => 6.11.5/0002-src-add-HAVE_OPENSSL-directive-to-openssl_config.patch} (90%)

diff --git a/package/nodejs/6.11.1/0002-inspector-don-t-build-when-ssl-support-is-disabled.patch b/package/nodejs/6.11.1/0002-inspector-don-t-build-when-ssl-support-is-disabled.patch
deleted file mode 100644
index c07cbf8c65..0000000000
--- a/package/nodejs/6.11.1/0002-inspector-don-t-build-when-ssl-support-is-disabled.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 7fa541f6c0a31e3ddcab6ea85040b531bbaa4651 Mon Sep 17 00:00:00 2001
-From: Martin Bark <martin@barkynet.com>
-Date: Tue, 12 Jul 2016 19:03:28 +0100
-Subject: [PATCH] inspector: don't build when ssl support is disabled
-
-Signed-off-by: Martin Bark <martin@barkynet.com>
----
- node.gyp | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/node.gyp b/node.gyp
-index 8a8bd00..fdccd60 100644
---- a/node.gyp
-+++ b/node.gyp
-@@ -302,7 +302,7 @@
-             'deps/v8/src/third_party/vtune/v8vtune.gyp:v8_vtune'
-           ],
-         }],
--        [ 'v8_inspector=="true"', {
-+        [ 'v8_inspector=="true" and node_use_openssl =="true"', {
-           'defines': [
-             'HAVE_INSPECTOR=1',
-             'V8_INSPECTOR_USE_STL=1',
-@@ -828,7 +828,7 @@
-       ],
- 
-       'conditions': [
--        ['v8_inspector=="true"', {
-+        ['v8_inspector=="true" and node_use_openssl =="true"', {
-           'sources': [
-             'src/inspector_socket.cc',
-             'test/cctest/test_inspector_socket.cc'
--- 
-2.7.4
-
diff --git a/package/nodejs/6.11.1/0001-gyp-force-link-command-to-use-CXX.patch b/package/nodejs/6.11.5/0001-gyp-force-link-command-to-use-CXX.patch
similarity index 85%
rename from package/nodejs/6.11.1/0001-gyp-force-link-command-to-use-CXX.patch
rename to package/nodejs/6.11.5/0001-gyp-force-link-command-to-use-CXX.patch
index 5746582c14..7b5a9947c5 100644
--- a/package/nodejs/6.11.1/0001-gyp-force-link-command-to-use-CXX.patch
+++ b/package/nodejs/6.11.5/0001-gyp-force-link-command-to-use-CXX.patch
@@ -15,12 +15,12 @@ diff --git a/tools/gyp/pylib/gyp/generator/make.py b/tools/gyp/pylib/gyp/generat
 index b88a433..0a1f2e0 100644
 --- a/tools/gyp/pylib/gyp/generator/make.py
 +++ b/tools/gyp/pylib/gyp/generator/make.py
-@@ -142,7 +142,7 @@ cmd_alink_thin = rm -f $@ && $(AR.$(TOOLSET)) crsT $@ $(filter %.o,$^)
+@@ -147,7 +147,7 @@ cmd_alink_thin = rm -f $@ && $(AR.$(TOOLSET)) crsT $@ $(filter %.o,$^)
  # special "figure out circular dependencies" flags around the entire
  # input list during linking.
  quiet_cmd_link = LINK($(TOOLSET)) $@
--cmd_link = $(LINK.$(TOOLSET)) $(GYP_LDFLAGS) $(LDFLAGS.$(TOOLSET)) -o $@ -Wl,--start-group $(LD_INPUTS) -Wl,--end-group $(LIBS)
-+cmd_link = $(CXX.$(TOOLSET)) $(GYP_LDFLAGS) $(LDFLAGS.$(TOOLSET)) -o $@ -Wl,--start-group $(LD_INPUTS) -Wl,--end-group $(LIBS)
+-cmd_link = $(LINK.$(TOOLSET)) $(GYP_LDFLAGS) $(LDFLAGS.$(TOOLSET)) -o $@ -Wl,--start-group $(LD_INPUTS) $(LIBS) -Wl,--end-group
++cmd_link = $(CXX.$(TOOLSET)) $(GYP_LDFLAGS) $(LDFLAGS.$(TOOLSET)) -o $@ -Wl,--start-group $(LD_INPUTS) $(LIBS) -Wl,--end-group
  
  # We support two kinds of shared objects (.so):
  # 1) shared_library, which is just bundling together many dependent libraries
diff --git a/package/nodejs/6.11.1/0003-src-add-HAVE_OPENSSL-directive-to-openssl_config.patch b/package/nodejs/6.11.5/0002-src-add-HAVE_OPENSSL-directive-to-openssl_config.patch
similarity index 90%
rename from package/nodejs/6.11.1/0003-src-add-HAVE_OPENSSL-directive-to-openssl_config.patch
rename to package/nodejs/6.11.5/0002-src-add-HAVE_OPENSSL-directive-to-openssl_config.patch
index f07fdc2455..c22311ed3f 100644
--- a/package/nodejs/6.11.1/0003-src-add-HAVE_OPENSSL-directive-to-openssl_config.patch
+++ b/package/nodejs/6.11.5/0002-src-add-HAVE_OPENSSL-directive-to-openssl_config.patch
@@ -33,9 +33,9 @@ diff --git a/src/node.cc b/src/node.cc
 index 57415bba41..ec78339d89 100644
 --- a/src/node.cc
 +++ b/src/node.cc
-@@ -4233,8 +4233,10 @@ void Init(int* argc,
-   if (config_warning_file.empty())
-     SafeGetenv("NODE_REDIRECT_WARNINGS", &config_warning_file);
+@@ -4389,8 +4389,10 @@ void Init(int* argc,
+   V8::SetFlagsFromString(NODE_V8_OPTIONS, sizeof(NODE_V8_OPTIONS) - 1);
+ #endif
  
 +#if HAVE_OPENSSL
    if (openssl_config.empty())
diff --git a/package/nodejs/Config.in b/package/nodejs/Config.in
index 31dcfb67d9..9ce02306e4 100644
--- a/package/nodejs/Config.in
+++ b/package/nodejs/Config.in
@@ -43,7 +43,7 @@ config BR2_PACKAGE_NODEJS_V8_ARCH_SUPPORTS
 
 config BR2_PACKAGE_NODEJS_VERSION_STRING
 	string
-	default "6.11.1"		if BR2_PACKAGE_NODEJS_V8_ARCH_SUPPORTS
+	default "6.11.5"		if BR2_PACKAGE_NODEJS_V8_ARCH_SUPPORTS
 	default "0.10.48"
 
 config BR2_PACKAGE_NODEJS_NPM
diff --git a/package/nodejs/nodejs.hash b/package/nodejs/nodejs.hash
index 2dbbdc7cc2..319774c62d 100644
--- a/package/nodejs/nodejs.hash
+++ b/package/nodejs/nodejs.hash
@@ -1,5 +1,5 @@
 # From upstream URL: http://nodejs.org/dist/v0.10.48/SHASUMS256.txt
 sha256  365a93d9acc076a0d93f087d269f376abeebccad599a9dab72f2f6ed96c8ae6e  node-v0.10.48.tar.xz
 
-# From upstream URL: http://nodejs.org/dist/v6.11.1/SHASUMS256.txt
-sha256  6f6655b85919aa54cb045a6d69a226849802fcc26491d0db4ce59873e41cc2b8  node-v6.11.1.tar.xz
+# From upstream URL: http://nodejs.org/dist/v6.11.5/SHASUMS256.txt
+sha256  1c6de415216799fbaeca82304b3fef87accc7101ebf2ead7d5c545e0779e8aaf  node-v6.11.5.tar.xz
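Review bot: The provenance comment on the new hash line records the checksum list as fetched from `http://nodejs.org/dist/v6.11.5/SHASUMS256.txt`, i.e. over plain HTTP, so the sha256 pinned here is only as trustworthy as that unauthenticated download. nodejs.org serves the same file over HTTPS and, as far as I know, publishes a detached GPG signature (SHASUMS256.txt.sig) alongside it made with the release team's keys; checking that signature before copying the digest is what makes the pin meaningful against a tampered mirror or an on-path attacker. I would change the comment to `# From upstream URL: https://nodejs.org/dist/v6.11.5/SHASUMS256.txt` once the digest has been re-fetched that way, and say in the commit message that the signature was verified. The digest value itself cannot be confirmed from this page.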
-- 
2.11.0
