Buildroot Archive on lore.kernel.org
* [Buildroot] [PATCH 1/1] package/nodejs: security bump to version 20.11.1
@ 2024-02-21 22:03 Fabrice Fontaine
  2024-02-22 13:07 ` Marcus Hoffmann via buildroot
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Fabrice Fontaine @ 2024-02-21 22:03 UTC (permalink / raw)
  To: buildroot
  Cc: Fabrice Fontaine, Marcus Hoffmann, Martin Bark, Thomas Petazzoni,
	Daniel Price

- Fix CVE-2024-21892, CVE-2024-22019, CVE-2024-21896, CVE-2024-22017,
  CVE-2023-46809, CVE-2024-21891, CVE-2024-21890 and CVE-2024-22025

- LICENSE hash changed due to two things:
  * c-ares vendored dependency license got updated [1]. This is unused
    by buildroot though anyway
  * base64 vendored library license updated copyright years and sorted
    contributor names [2], [3]

- This bump will fix the following build failure raised since bump of
  python to version 3.12.1 in commit 36e635d2d5c0166476858aa239ccbe78e8f2af14
  thanks to
  https://github.com/nodejs/node/commit/95534ad82f4e33f53fd50efe633d43f8da70cba6
  https://github.com/nodejs/node/commit/6557c1c9b1206a85bb7d8e7450e8c3a4cff7c84b:

Traceback (most recent call last):
  File "/home/autobuild/autobuild/instance-2/output-1/build/host-nodejs-src-20.9.0/configure.py", line 17, in <module>
    from distutils.version import StrictVersion
ModuleNotFoundError: No module named 'distutils'

https://github.com/nodejs/node/blob/v20.11.1/CHANGELOG.md

[1] https://github.com/c-ares/c-ares/pull/556
[2] https://github.com/aklomp/base64/commit/2e8ad2aec2065f258dc1aec9402aedd3604cfbcd
[3] https://github.com/aklomp/base64/commit/d7bca2bb2928de6c4fe496e6defe8b3affa35d1b

Fixes: 36e635d2d5c0166476858aa239ccbe78e8f2af14
 - http://autobuild.buildroot.org/results/8b38bc4b7879a0349c1305e2fcb458a0cfd04a93

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
---
 package/nodejs/nodejs.hash | 14 +++++++-------
 package/nodejs/nodejs.mk   |  2 +-
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/package/nodejs/nodejs.hash b/package/nodejs/nodejs.hash
index 2d60437a7c..ddab345e0a 100644
--- a/package/nodejs/nodejs.hash
+++ b/package/nodejs/nodejs.hash
@@ -1,8 +1,8 @@
-# From https://nodejs.org/dist/v20.9.0/SHASUMS256.txt.asc
-sha256  ced3ecece4b7c3a664bca3d9e34a0e3b9a31078525283a6fdb7ea2de8ca5683b  node-v20.9.0-linux-arm64.tar.xz
-sha256  64099d7e62bdbb8efd52c216a6759b3cdd77c38aa993096fdee9f875d95b2d8e  node-v20.9.0-linux-armv7l.tar.xz
-sha256  3c6cea5d614cfbb95d92de43fbc2f8ecd66e431502fe5efc4f3c02637897bd45  node-v20.9.0-linux-ppc64le.tar.xz
-sha256  9033989810bf86220ae46b1381bdcdc6c83a0294869ba2ad39e1061f1e69217a  node-v20.9.0-linux-x64.tar.xz
-sha256  a23d96810abf0455426b349d47ce5310f33095b7bc0571b9cc510f481c3a4519  node-v20.9.0.tar.xz
+# From https://nodejs.org/dist/v20.11.1/SHASUMS256.txt.asc
+sha256  c957f29eb4e341903520caf362534f0acd1db7be79c502ae8e283994eed07fe1  node-v20.11.1-linux-arm64.tar.xz
+sha256  28e0120d2d150a8f41717899d33167b8b32053778665583d49ff971bfd188d1b  node-v20.11.1-linux-armv7l.tar.xz
+sha256  51343cacf5cdf5c4b5e93e919d19dd373d6ef43d5f2c666eae299f26e31d08b5  node-v20.11.1-linux-ppc64le.tar.xz
+sha256  d8dab549b09672b03356aa2257699f3de3b58c96e74eb26a8b495fbdc9cf6fbe  node-v20.11.1-linux-x64.tar.xz
+sha256  77813edbf3f7f16d2d35d3353443dee4e61d5ee84d9e3138c7538a3c0ca5209e  node-v20.11.1.tar.xz
 # Locally calculated
-sha256  93ac846282ce6c5255e00fada2fd2e7e292255239fe58d5502b0a554859e6a3e  LICENSE
+sha256  7b0bbdca72f925bd78b764914651244a4432a753c7325d061a565cd7eac1193d  LICENSE
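Review bot: The header comment on the first added line of nodejs.hash cites SHASUMS256.txt.asc, but nothing in the hunk or the commit message records that the signature on that clearsigned file was checked before the five tarball hashes were copied. Consider stating that in the comment (or the commit message) so the hashes can be traced back to a verified release manifest. The LICENSE entry correctly stays under "# Locally calculated", and its change is explained in the commit message.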
diff --git a/package/nodejs/nodejs.mk b/package/nodejs/nodejs.mk
index 9806a64d38..858c6a86f5 100644
--- a/package/nodejs/nodejs.mk
+++ b/package/nodejs/nodejs.mk
@@ -5,7 +5,7 @@
 ################################################################################
 
 # _VERSION, _SOURCE and _SITE must be kept empty to avoid downloading anything
-NODEJS_COMMON_VERSION = 20.9.0
+NODEJS_COMMON_VERSION = 20.11.1
 NODEJS_COMMON_SOURCE = node-v$(NODEJS_COMMON_VERSION).tar.xz
 NODEJS_COMMON_SITE = http://nodejs.org/dist/v$(NODEJS_COMMON_VERSION)
 
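Review bot: NODEJS_COMMON_SITE, in the unchanged context line below the version bump, still fetches from plain http://nodejs.org/dist/ while the comment in nodejs.hash references https://nodejs.org/dist/. The sha256 entries will catch a tampered tarball, so this does not block a security bump, but switching the site to https:// would be a cheap follow-up. The bump itself is a one-line change to NODEJS_COMMON_VERSION and matches the file names in the hash hunk.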
-- 
2.43.0

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot


* Re: [Buildroot] [PATCH 1/1] package/nodejs: security bump to version 20.11.1
  2024-02-21 22:03 [Buildroot] [PATCH 1/1] package/nodejs: security bump to version 20.11.1 Fabrice Fontaine
@ 2024-02-22 13:07 ` Marcus Hoffmann via buildroot
  2024-02-24 10:16 ` Peter Korsgaard
  2024-03-17 13:03 ` Peter Korsgaard
  2 siblings, 0 replies; 4+ messages in thread
From: Marcus Hoffmann via buildroot @ 2024-02-22 13:07 UTC (permalink / raw)
  To: Fabrice Fontaine, buildroot; +Cc: Martin Bark, Thomas Petazzoni, Daniel Price



On 21.02.24 23:03, Fabrice Fontaine wrote:
> - Fix CVE-2024-21892, CVE-2024-22019, CVE-2024-21896, CVE-2024-22017,
>    CVE-2023-46809, CVE-2024-21891, CVE-2024-21890 and CVE-2024-22025
> 
> - LICENSE hash changed due to two things:
>    * c-ares vendored dependency license got updated [1]. This is unused
>      by buildroot though anyway
>    * base64 vendored library license updated copyright years and sorted
>      contributor names [2], [3]
> 
> - This bump will fix the following build failure raised since bump of
>    python to version 3.12.1 in commit 36e635d2d5c0166476858aa239ccbe78e8f2af14
>    thanks to
>    https://github.com/nodejs/node/commit/95534ad82f4e33f53fd50efe633d43f8da70cba6
>    https://github.com/nodejs/node/commit/6557c1c9b1206a85bb7d8e7450e8c3a4cff7c84b:
> 
> Traceback (most recent call last):
>    File "/home/autobuild/autobuild/instance-2/output-1/build/host-nodejs-src-20.9.0/configure.py", line 17, in <module>
>      from distutils.version import StrictVersion
> ModuleNotFoundError: No module named 'distutils'
> 
> https://github.com/nodejs/node/blob/v20.11.1/CHANGELOG.md
> 
> [1] https://github.com/c-ares/c-ares/pull/556
> [2] https://github.com/aklomp/base64/commit/2e8ad2aec2065f258dc1aec9402aedd3604cfbcd
> [3] https://github.com/aklomp/base64/commit/d7bca2bb2928de6c4fe496e6defe8b3affa35d1b
> 
> Fixes: 36e635d2d5c0166476858aa239ccbe78e8f2af14
>   - http://autobuild.buildroot.org/results/8b38bc4b7879a0349c1305e2fcb458a0cfd04a93
> 
> Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Thanks!

Reviewed-By: Marcus Hoffmann <buildroot@bubu1.eu>


> ---
>   package/nodejs/nodejs.hash | 14 +++++++-------
>   package/nodejs/nodejs.mk   |  2 +-
>   2 files changed, 8 insertions(+), 8 deletions(-)
> 
> diff --git a/package/nodejs/nodejs.hash b/package/nodejs/nodejs.hash
> index 2d60437a7c..ddab345e0a 100644
> --- a/package/nodejs/nodejs.hash
> +++ b/package/nodejs/nodejs.hash
> @@ -1,8 +1,8 @@
> -# From https://nodejs.org/dist/v20.9.0/SHASUMS256.txt.asc
> -sha256  ced3ecece4b7c3a664bca3d9e34a0e3b9a31078525283a6fdb7ea2de8ca5683b  node-v20.9.0-linux-arm64.tar.xz
> -sha256  64099d7e62bdbb8efd52c216a6759b3cdd77c38aa993096fdee9f875d95b2d8e  node-v20.9.0-linux-armv7l.tar.xz
> -sha256  3c6cea5d614cfbb95d92de43fbc2f8ecd66e431502fe5efc4f3c02637897bd45  node-v20.9.0-linux-ppc64le.tar.xz
> -sha256  9033989810bf86220ae46b1381bdcdc6c83a0294869ba2ad39e1061f1e69217a  node-v20.9.0-linux-x64.tar.xz
> -sha256  a23d96810abf0455426b349d47ce5310f33095b7bc0571b9cc510f481c3a4519  node-v20.9.0.tar.xz
> +# From https://nodejs.org/dist/v20.11.1/SHASUMS256.txt.asc
> +sha256  c957f29eb4e341903520caf362534f0acd1db7be79c502ae8e283994eed07fe1  node-v20.11.1-linux-arm64.tar.xz
> +sha256  28e0120d2d150a8f41717899d33167b8b32053778665583d49ff971bfd188d1b  node-v20.11.1-linux-armv7l.tar.xz
> +sha256  51343cacf5cdf5c4b5e93e919d19dd373d6ef43d5f2c666eae299f26e31d08b5  node-v20.11.1-linux-ppc64le.tar.xz
> +sha256  d8dab549b09672b03356aa2257699f3de3b58c96e74eb26a8b495fbdc9cf6fbe  node-v20.11.1-linux-x64.tar.xz
> +sha256  77813edbf3f7f16d2d35d3353443dee4e61d5ee84d9e3138c7538a3c0ca5209e  node-v20.11.1.tar.xz
>   # Locally calculated
> -sha256  93ac846282ce6c5255e00fada2fd2e7e292255239fe58d5502b0a554859e6a3e  LICENSE
> +sha256  7b0bbdca72f925bd78b764914651244a4432a753c7325d061a565cd7eac1193d  LICENSE
> diff --git a/package/nodejs/nodejs.mk b/package/nodejs/nodejs.mk
> index 9806a64d38..858c6a86f5 100644
> --- a/package/nodejs/nodejs.mk
> +++ b/package/nodejs/nodejs.mk
> @@ -5,7 +5,7 @@
>   ################################################################################
>   
>   # _VERSION, _SOURCE and _SITE must be kept empty to avoid downloading anything
> -NODEJS_COMMON_VERSION = 20.9.0
> +NODEJS_COMMON_VERSION = 20.11.1
>   NODEJS_COMMON_SOURCE = node-v$(NODEJS_COMMON_VERSION).tar.xz
>   NODEJS_COMMON_SITE = http://nodejs.org/dist/v$(NODEJS_COMMON_VERSION)
>   

* Re: [Buildroot] [PATCH 1/1] package/nodejs: security bump to version 20.11.1
  2024-02-21 22:03 [Buildroot] [PATCH 1/1] package/nodejs: security bump to version 20.11.1 Fabrice Fontaine
  2024-02-22 13:07 ` Marcus Hoffmann via buildroot
@ 2024-02-24 10:16 ` Peter Korsgaard
  2024-03-17 13:03 ` Peter Korsgaard
  2 siblings, 0 replies; 4+ messages in thread
From: Peter Korsgaard @ 2024-02-24 10:16 UTC (permalink / raw)
  To: Fabrice Fontaine
  Cc: Daniel Price, Martin Bark, Marcus Hoffmann, Thomas Petazzoni,
	buildroot

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > - Fix CVE-2024-21892, CVE-2024-22019, CVE-2024-21896, CVE-2024-22017,
 >   CVE-2023-46809, CVE-2024-21891, CVE-2024-21890 and CVE-2024-22025

 > - LICENSE hash changed due to two things:
 >   * c-ares vendored dependency license got updated [1]. This is unused
 >     by buildroot though anyway
 >   * base64 vendored library license updated copyright years and sorted
 >     contributor names [2], [3]

 > - This bump will fix the following build failure raised since bump of
 >   python to version 3.12.1 in commit 36e635d2d5c0166476858aa239ccbe78e8f2af14
 >   thanks to
 >   https://github.com/nodejs/node/commit/95534ad82f4e33f53fd50efe633d43f8da70cba6
 >   https://github.com/nodejs/node/commit/6557c1c9b1206a85bb7d8e7450e8c3a4cff7c84b:

 > Traceback (most recent call last):
 >   File "/home/autobuild/autobuild/instance-2/output-1/build/host-nodejs-src-20.9.0/configure.py", line 17, in <module>
 >     from distutils.version import StrictVersion
 > ModuleNotFoundError: No module named 'distutils'

 > https://github.com/nodejs/node/blob/v20.11.1/CHANGELOG.md

 > [1] https://github.com/c-ares/c-ares/pull/556
 > [2] https://github.com/aklomp/base64/commit/2e8ad2aec2065f258dc1aec9402aedd3604cfbcd
 > [3] https://github.com/aklomp/base64/commit/d7bca2bb2928de6c4fe496e6defe8b3affa35d1b

 > Fixes: 36e635d2d5c0166476858aa239ccbe78e8f2af14
 >  - http://autobuild.buildroot.org/results/8b38bc4b7879a0349c1305e2fcb458a0cfd04a93

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed, thanks.

-- 
Bye, Peter Korsgaard

* Re: [Buildroot] [PATCH 1/1] package/nodejs: security bump to version 20.11.1
  2024-02-21 22:03 [Buildroot] [PATCH 1/1] package/nodejs: security bump to version 20.11.1 Fabrice Fontaine
  2024-02-22 13:07 ` Marcus Hoffmann via buildroot
  2024-02-24 10:16 ` Peter Korsgaard
@ 2024-03-17 13:03 ` Peter Korsgaard
  2 siblings, 0 replies; 4+ messages in thread
From: Peter Korsgaard @ 2024-03-17 13:03 UTC (permalink / raw)
  To: Fabrice Fontaine
  Cc: Daniel Price, Martin Bark, Marcus Hoffmann, Thomas Petazzoni,
	buildroot

>>>>> "Fabrice" == Fabrice Fontaine <fontaine.fabrice@gmail.com> writes:

 > - Fix CVE-2024-21892, CVE-2024-22019, CVE-2024-21896, CVE-2024-22017,
 >   CVE-2023-46809, CVE-2024-21891, CVE-2024-21890 and CVE-2024-22025

 > - LICENSE hash changed due to two things:
 >   * c-ares vendored dependency license got updated [1]. This is unused
 >     by buildroot though anyway
 >   * base64 vendored library license updated copyright years and sorted
 >     contributor names [2], [3]

 > - This bump will fix the following build failure raised since bump of
 >   python to version 3.12.1 in commit 36e635d2d5c0166476858aa239ccbe78e8f2af14
 >   thanks to
 >   https://github.com/nodejs/node/commit/95534ad82f4e33f53fd50efe633d43f8da70cba6
 >   https://github.com/nodejs/node/commit/6557c1c9b1206a85bb7d8e7450e8c3a4cff7c84b:

 > Traceback (most recent call last):
 >   File "/home/autobuild/autobuild/instance-2/output-1/build/host-nodejs-src-20.9.0/configure.py", line 17, in <module>
 >     from distutils.version import StrictVersion
 > ModuleNotFoundError: No module named 'distutils'

 > https://github.com/nodejs/node/blob/v20.11.1/CHANGELOG.md

 > [1] https://github.com/c-ares/c-ares/pull/556
 > [2] https://github.com/aklomp/base64/commit/2e8ad2aec2065f258dc1aec9402aedd3604cfbcd
 > [3] https://github.com/aklomp/base64/commit/d7bca2bb2928de6c4fe496e6defe8b3affa35d1b

 > Fixes: 36e635d2d5c0166476858aa239ccbe78e8f2af14
 >  - http://autobuild.buildroot.org/results/8b38bc4b7879a0349c1305e2fcb458a0cfd04a93

 > Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>

Committed to 2023.11.x, thanks.

For 2023.02.x I will bump to the latest 16.x version.

-- 
Bye, Peter Korsgaard