From: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH] package/nodejs: security bump to version 12.16.0
Date: Tue, 18 Feb 2020 03:51:55 +0100 [thread overview]
Message-ID: <20200218035155.5d9c4d70@windsurf> (raw)
In-Reply-To: <20200217223849.16987-1-peter@korsgaard.com>
On Mon, 17 Feb 2020 23:38:49 +0100
Peter Korsgaard <peter@korsgaard.com> wrote:
> Fixes the following security issues (12.15.0):
>
> - CVE-2019-15606: HTTP header values do not have trailing OWS trimmed
>
> - CVE-2019-15605: HTTP request smuggling using malformed Transfer-Encoding
> header
>
> - CVE-2019-15604: Remotely trigger an assertion on a TLS server with a
> malformed certificate string
>
> For more details, see the advisory:
> https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/
>
> On top of this, 12.16.0 brings a number of changes and bugfixes.
>
> Update the license hash for an addition of the (MIT) licensing terms for the
> uvwsai module:
>
> +
> +- uvwasi, located at deps/uvwasi, is licensed as follows:
> + """
> + MIT License
> +
> + Copyright (c) 2019 Colin Ihrig and Contributors
> +
> + Permission is hereby granted, free of charge, to any person obtaining a copy
> + of this software and associated documentation files (the "Software"), to deal
> + in the Software without restriction, including without limitation the rights
> + to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
> + copies of the Software, and to permit persons to whom the Software is
> + furnished to do so, subject to the following conditions:
> +
> + The above copyright notice and this permission notice shall be included in all
> + copies or substantial portions of the Software.
> +
> + THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
> + IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
> + FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
> + AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
> + LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
> + OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
> + SOFTWARE.
> + """
>
> While we are at it, adjust the white space in the .hash function to match
> the new agreements.
>
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> ---
> package/nodejs/nodejs.hash | 6 +++---
> package/nodejs/nodejs.mk | 2 +-
> 2 files changed, 4 insertions(+), 4 deletions(-)
Applied to master, thanks.
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
prev parent reply other threads:[~2020-02-18 2:51 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-02-17 22:38 [Buildroot] [PATCH] package/nodejs: security bump to version 12.16.0 Peter Korsgaard
2020-02-18 2:51 ` Thomas Petazzoni [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200218035155.5d9c4d70@windsurf \
--to=thomas.petazzoni@bootlin.com \
--cc=buildroot@busybox.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox