* [Buildroot] [PATCH] package/nodejs: security bump to v20.15.1
@ 2024-07-16 9:43 Marcus Hoffmann via buildroot
From: Marcus Hoffmann via buildroot @ 2024-07-16 9:43 UTC (permalink / raw)
To: buildroot; +Cc: Martin Bark, Thomas Petazzoni, Daniel Price
Release Notes: https://nodejs.org/en/blog/release/v20.15.1
Fixes the following CVEs:
CVE-2024-36138 - Bypass incomplete fix of CVE-2024-27980 (High)
CVE-2024-22020 - Bypass network import restriction via data URL (Medium)
CVE-2024-22018 - fs.lstat bypasses permission model (Low)
CVE-2024-36137 - fs.fchown/fchmod bypasses permission model (Low)
CVE-2024-37372 - Permission model improperly processes UNC paths (Low)
Also, these additional CVEs were fixed in the v20.12.1 and v20.12.2 releases [1][2]:
CVE-2024-27983 - Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash (High)
CVE-2024-27982 - HTTP Request Smuggling via Content Length Obfuscation (Medium)
CVE-2024-27980 - Command injection via args parameter of child_process.spawn without shell option enabled on Windows
NodeJS tests are passing:
$ ./support/testing/run-tests -o ./outputs/ -k tests.package.test_nodejs -d dl
12:02:58 TestNodeJSModuleHostSrc Starting
12:02:58 TestNodeJSModuleHostSrc Building
13:17:15 TestNodeJSModuleHostSrc Building done
13:17:23 TestNodeJSModuleHostSrc Cleaning up
.13:17:23 TestNodeJSModuleHostBin Starting
13:17:23 TestNodeJSModuleHostBin Building
14:06:15 TestNodeJSModuleHostBin Building done
14:06:20 TestNodeJSModuleHostBin Cleaning up
.14:06:20 TestNodeJSBasic Starting
14:06:20 TestNodeJSBasic Building
14:55:40 TestNodeJSBasic Building done
14:55:45 TestNodeJSBasic Cleaning up
LICENSE hash changed due to changes in vendored components:
* copyright year update and addition of SPDX identifier [1]
[1] https://nodejs.org/en/blog/release/v20.12.1
[2] https://nodejs.org/en/blog/release/v20.12.2
[3] https://github.com/nodejs/node/commit/d5a316f5ea3fade3140c2ae35c144b500fb5d758
Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
---
package/nodejs/nodejs.hash | 14 +++++++-------
package/nodejs/nodejs.mk | 2 +-
2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/package/nodejs/nodejs.hash b/package/nodejs/nodejs.hash
index 2cbbf766f5..61bda55098 100644
--- a/package/nodejs/nodejs.hash
+++ b/package/nodejs/nodejs.hash
@@ -1,8 +1,8 @@
-# From https://nodejs.org/dist/v20.12.0/SHASUMS256.txt.asc
-sha256 007ca2699cf6e84290e5bed844ed66ef9d707d23561dfaf117212b7dce216ba7 node-v20.12.0-linux-arm64.tar.xz
-sha256 668fb421a24be596c98f00a31049fbf6ada14d221b7382e0f1caa55ab421431a node-v20.12.0-linux-armv7l.tar.xz
-sha256 78dc3b7ad993c332684802e35c1f0de2b76193d13394bc89e3bab216828587c7 node-v20.12.0-linux-ppc64le.tar.xz
-sha256 0a126adf5b6a5eb11a37bad76a0c626a18f20b6811322e68aae0e3cf9bf580bd node-v20.12.0-linux-x64.tar.xz
-sha256 76e5346cebfd581528f699f764f4d1a6e87cb818b696708f235ddcb625a0f78d node-v20.12.0.tar.xz
+# From https://nodejs.org/dist/v20.15.1/SHASUMS256.txt.asc
+sha256 10d47a46ef208b3e4b226e4d595a82659123b22397ed77b7975d989114ec317e node-v20.15.1-linux-arm64.tar.xz
+sha256 7bc120efdd8018f6915471b963d9b80adf4ed406d6dc9edb4ae944b85f505c4c node-v20.15.1-linux-armv7l.tar.xz
+sha256 b33e684802251397ad62ad3f8a1836267ee8b7723f87f669470018ad0035287b node-v20.15.1-linux-ppc64le.tar.xz
+sha256 26700f8d3e78112ad4a2618a9c8e2816e38a49ecf0213ece80e54c38cb02563f node-v20.15.1-linux-x64.tar.xz
+sha256 fdd53a5729d936691a2a1151046fb4897721cb8b0fca2af957823a9b40fe0c34 node-v20.15.1.tar.xz
# Locally calculated
-sha256 d3a9fbfe0a1fb78627ee296cd5ca5b498822d4d1c5da3b8e8100c41bd7b791fd LICENSE
+sha256 49cd410e0fe6a8879a40d0764092d1e6114cc85fe41d4efed990d028eec25582 LICENSE
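Review bot: the LICENSE hash change on the last line of this hunk is explained in the commit message as "copyright year update and adding spdx identifier [1]", but [1] is the v20.12.1 release-notes link, while reference [3] (a nodejs/node commit) is listed and never cited anywhere; the LICENSE rationale most likely meant to cite [3], so the reference should be corrected so the new LICENSE sha256 is traceable to the upstream change. The other hashes are taken from SHASUMS256.txt.asc, which is a PGP-signed file; a short note in the commit message that the signature on that file was checked would document that the new sha256 values were verified rather than copied at face value.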
diff --git a/package/nodejs/nodejs.mk b/package/nodejs/nodejs.mk
index 9ed51fbe9b..104d2cf258 100644
--- a/package/nodejs/nodejs.mk
+++ b/package/nodejs/nodejs.mk
@@ -5,7 +5,7 @@
################################################################################
# _VERSION, _SOURCE and _SITE must be kept empty to avoid downloading anything
-NODEJS_COMMON_VERSION = 20.12.0
+NODEJS_COMMON_VERSION = 20.15.1
NODEJS_COMMON_SOURCE = node-v$(NODEJS_COMMON_VERSION).tar.xz
NODEJS_COMMON_SITE = http://nodejs.org/dist/v$(NODEJS_COMMON_VERSION)
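Review bot: the unchanged context line `NODEJS_COMMON_SITE = http://nodejs.org/dist/v$(NODEJS_COMMON_VERSION)` still fetches the tarballs over plain HTTP; the sha256 entries in nodejs.hash protect the download against tampering, so the bump itself is fine, but switching the site to `https://nodejs.org/dist/v$(NODEJS_COMMON_VERSION)` would be a cheap hardening follow-up, best done as a separate patch since it is unrelated to the security bump.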
--
2.34.1
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
* Re: [Buildroot] [PATCH] package/nodejs: security bump to v20.15.1
From: Thomas Petazzoni via buildroot @ 2024-07-16 12:43 UTC (permalink / raw)
To: Marcus Hoffmann via buildroot; +Cc: Daniel Price, Marcus Hoffmann, Martin Bark
On Tue, 16 Jul 2024 11:43:05 +0200
Marcus Hoffmann via buildroot <buildroot@buildroot.org> wrote:
> Release Notes: https://nodejs.org/en/blog/release/v20.15.1
>
> Fixes the following CVEs:
>
> CVE-2024-36138 - Bypass incomplete fix of CVE-2024-27980 (High)
> CVE-2024-22020 - Bypass network import restriction via data URL (Medium)
> CVE-2024-22018 - fs.lstat bypasses permission model (Low)
> CVE-2024-36137 - fs.fchown/fchmod bypasses permission model (Low)
> CVE-2024-37372 - Permission model improperly processes UNC paths (Low)
>
> Also, these additional CVEs were fixed in the v20.12.1 and v20.12.2 releases [1][2]:
>
> CVE-2024-27983 - Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash (High)
> CVE-2024-27982 - HTTP Request Smuggling via Content Length Obfuscation (Medium)
> CVE-2024-27980 - Command injection via args parameter of child_process.spawn without shell option enabled on Windows
>
> NodeJS tests are passing:
> $ ./support/testing/run-tests -o ./outputs/ -k tests.package.test_nodejs -d dl
> 12:02:58 TestNodeJSModuleHostSrc Starting
> 12:02:58 TestNodeJSModuleHostSrc Building
> 13:17:15 TestNodeJSModuleHostSrc Building done
> 13:17:23 TestNodeJSModuleHostSrc Cleaning up
> .13:17:23 TestNodeJSModuleHostBin Starting
> 13:17:23 TestNodeJSModuleHostBin Building
> 14:06:15 TestNodeJSModuleHostBin Building done
> 14:06:20 TestNodeJSModuleHostBin Cleaning up
> .14:06:20 TestNodeJSBasic Starting
> 14:06:20 TestNodeJSBasic Building
> 14:55:40 TestNodeJSBasic Building done
> 14:55:45 TestNodeJSBasic Cleaning up
>
> LICENSE hash changed due to changes in vendored components:
>
> * copyright year update and addition of SPDX identifier [1]
>
> [1] https://nodejs.org/en/blog/release/v20.12.1
> [2] https://nodejs.org/en/blog/release/v20.12.2
> [3] https://github.com/nodejs/node/commit/d5a316f5ea3fade3140c2ae35c144b500fb5d758
>
> Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
> ---
> package/nodejs/nodejs.hash | 14 +++++++-------
> package/nodejs/nodejs.mk | 2 +-
> 2 files changed, 8 insertions(+), 8 deletions(-)
Applied to master, thanks.
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
* Re: [Buildroot] [PATCH] package/nodejs: security bump to v20.15.1
From: Peter Korsgaard @ 2024-08-28 8:35 UTC (permalink / raw)
To: Marcus Hoffmann via buildroot
Cc: Daniel Price, Marcus Hoffmann, Thomas Petazzoni, Martin Bark
>>>>> "Marcus" == Marcus Hoffmann via buildroot <buildroot@buildroot.org> writes:
> Release Notes: https://nodejs.org/en/blog/release/v20.15.1
> Fixes the following CVEs:
> CVE-2024-36138 - Bypass incomplete fix of CVE-2024-27980 (High)
> CVE-2024-22020 - Bypass network import restriction via data URL (Medium)
> CVE-2024-22018 - fs.lstat bypasses permission model (Low)
> CVE-2024-36137 - fs.fchown/fchmod bypasses permission model (Low)
> CVE-2024-37372 - Permission model improperly processes UNC paths (Low)
> Also, these additional CVEs were fixed in the v20.12.1 and v20.12.2 releases [1][2]:
> CVE-2024-27983 - Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash (High)
> CVE-2024-27982 - HTTP Request Smuggling via Content Length Obfuscation (Medium)
> CVE-2024-27980 - Command injection via args parameter of child_process.spawn without shell option enabled on Windows
> NodeJS tests are passing:
> $ ./support/testing/run-tests -o ./outputs/ -k tests.package.test_nodejs -d dl
> 12:02:58 TestNodeJSModuleHostSrc Starting
> 12:02:58 TestNodeJSModuleHostSrc Building
> 13:17:15 TestNodeJSModuleHostSrc Building done
> 13:17:23 TestNodeJSModuleHostSrc Cleaning up
> .13:17:23 TestNodeJSModuleHostBin Starting
> 13:17:23 TestNodeJSModuleHostBin Building
> 14:06:15 TestNodeJSModuleHostBin Building done
> 14:06:20 TestNodeJSModuleHostBin Cleaning up
> .14:06:20 TestNodeJSBasic Starting
> 14:06:20 TestNodeJSBasic Building
> 14:55:40 TestNodeJSBasic Building done
> 14:55:45 TestNodeJSBasic Cleaning up
> LICENSE hash changed due to changes in vendored components:
> * copyright year update and addition of SPDX identifier [1]
> [1] https://nodejs.org/en/blog/release/v20.12.1
> [2] https://nodejs.org/en/blog/release/v20.12.2
> [3] https://github.com/nodejs/node/commit/d5a316f5ea3fade3140c2ae35c144b500fb5d758
> Signed-off-by: Marcus Hoffmann <buildroot@bubu1.eu>
Committed to 2024.02.x and 2024.05.x, thanks.
--
Bye, Peter Korsgaard