[Buildroot] [PATCH] package/nodejs: security bump to version 16.20.0

From: Peter Korsgaard <peter@korsgaard.com>
To: buildroot@buildroot.org
Cc: Martin Bark <martin@barkynet.com>, Daniel Price <daniel.price@gmail.com>
Subject: [Buildroot] [PATCH] package/nodejs: security bump to version 16.20.0
Date: Mon, 19 Jun 2023 16:32:20 +0200	[thread overview]
Message-ID: <20230619143220.210438-1-peter@korsgaard.com> (raw)

Fixes the following security issues:

- CVE-2023-23918: Node.js Permissions policies can be bypassed via
  process.mainModule (High)

- CVE-2023-23919: Node.js OpenSSL error handling issues in nodejs crypto
  library (Medium)

- CVE-2023-23920: Node.js insecure loading of ICU data through ICU\_DATA
  environment variable (Low)

- CVE-2023-23936: Fetch API in Node.js did not protect against CRLF
  injection in host headers (Medium)
  https://github.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff

- CVE-2023-24807: Regular Expression Denial of Service in Headers in Node.js
  fetch API (Low)
  https://github.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w

For more details, see the advisory:
https://nodejs.org/en/blog/vulnerability/february-2023-security-releases

Update LICENSE hash after an update of the openssl license snippet:
https://github.com/nodejs/node/commit/e7ed56f501389978e4619ab697a812631c4061ff

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
 package/nodejs/nodejs.hash | 6 +++---
 package/nodejs/nodejs.mk   | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/package/nodejs/nodejs.hash b/package/nodejs/nodejs.hash
index 4408782248..6ab4c53e79 100644
--- a/package/nodejs/nodejs.hash
+++ b/package/nodejs/nodejs.hash
@@ -1,5 +1,5 @@
-# From https://nodejs.org/dist/v16.18.1/SHASUMS256.txt
-sha256  1f8051a88f86f42064f4415fe7a980e59b0a502ecc8def583f6303bc4d445238  node-v16.18.1.tar.xz
+# From https://nodejs.org/dist/v16.20.0/SHASUMS256.txt
+sha256  e0990f992234e40a51fe11f92c3816c93a77e1b081145d3dd762cd1026345349  node-v16.20.0.tar.xz
 
 # Hash for license file
-sha256  0bec08634ba79b5404f6b7f92ea850f3c2a06e27e6f83f2267e4f5e55ae33334  LICENSE
+sha256  ba325815d3df8819bebaf37cad67d6e1f82271e1e4a1189b53abd28e261977d6  LICENSE
diff --git a/package/nodejs/nodejs.mk b/package/nodejs/nodejs.mk
index 539ded06cd..fe629ada21 100644
--- a/package/nodejs/nodejs.mk
+++ b/package/nodejs/nodejs.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-NODEJS_VERSION = 16.18.1
+NODEJS_VERSION = 16.20.0
 NODEJS_SOURCE = node-v$(NODEJS_VERSION).tar.xz
 NODEJS_SITE = http://nodejs.org/dist/v$(NODEJS_VERSION)
 NODEJS_DEPENDENCIES = \
-- 
2.30.2

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
