Re: [Buildroot] [PATCH] package/nodejs: security bump to v20.15.1

From: Thomas Petazzoni via buildroot <buildroot@buildroot.org>
To: Marcus Hoffmann via buildroot <buildroot@buildroot.org>
Cc: Daniel Price <daniel.price@gmail.com>,
	Marcus Hoffmann <buildroot@bubu1.eu>,
	Martin Bark <martin@barkynet.com>
Subject: Re: [Buildroot] [PATCH] package/nodejs: security bump to v20.15.1
Date: Tue, 16 Jul 2024 14:43:08 +0200	[thread overview]
Message-ID: <20240716144308.618a1abf@windsurf> (raw)
In-Reply-To: <20240716094305.1646641-1-buildroot@bubu1.eu>

On Tue, 16 Jul 2024 11:43:05 +0200
Marcus Hoffmann via buildroot <buildroot@buildroot.org> wrote:

> Release Notes: https://nodejs.org/en/blog/release/v20.15.1
> 
> Fixes the following CVE's:
> 
> CVE-2024-36138 - Bypass incomplete fix of CVE-2024-27980 (High)
> CVE-2024-22020 - Bypass network import restriction via data URL (Medium)
> CVE-2024-22018 - fs.lstat bypasses permission model (Low)
> CVE-2024-36137 - fs.fchown/fchmod bypasses permission model (Low)
> CVE-2024-37372 - Permission model improperly processes UNC paths (Low)
> 
> Also these additional CVE's were fixed in the v20.12.1 and v20.12.2 releases [1][2]:
> 
> CVE-2024-27983 - Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash- (High)
> CVE-2024-27982 - HTTP Request Smuggling via Content Length Obfuscation - (Medium)
> CVE-2024-27980 - Command injection via args parameter of child_process.spawn without shell option enabled on Windows
> 
> NodeJS tests are passing:
> $ ./support/testing/run-tests -o ./outputs/ -k tests.package.test_nodejs -d dl
> 12:02:58 TestNodeJSModuleHostSrc                  Starting
> 12:02:58 TestNodeJSModuleHostSrc                  Building
> 13:17:15 TestNodeJSModuleHostSrc                  Building done
> 13:17:23 TestNodeJSModuleHostSrc                  Cleaning up
> .13:17:23 TestNodeJSModuleHostBin                  Starting
> 13:17:23 TestNodeJSModuleHostBin                  Building
> 14:06:15 TestNodeJSModuleHostBin                  Building done
> 14:06:20 TestNodeJSModuleHostBin                  Cleaning up
> .14:06:20 TestNodeJSBasic                          Starting
> 14:06:20 TestNodeJSBasic                          Building
> 14:55:40 TestNodeJSBasic                          Building done
> 14:55:45 TestNodeJSBasic                          Cleaning up
> 
> LICENSE hash changed due to changes in vendored components:
> 
> * copyright year update and adding spdx identifier [1]
> 
> [1] https://nodejs.org/en/blog/release/v20.12.1
> [2] https://nodejs.org/en/blog/release/v20.12.2
> [3] https://github.com/nodejs/node/commit/d5a316f5ea3fade3140c2ae35c144b500fb5d758
> 
> Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
> ---
>  package/nodejs/nodejs.hash | 14 +++++++-------
>  package/nodejs/nodejs.mk   |  2 +-
>  2 files changed, 8 insertions(+), 8 deletions(-)

Applied to master, thanks.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot