pkgsrc-Changes-HG archive
[pkgsrc/trunk]: pkgsrc/lang/nodejs12 nodejs12: updated to 12.22.6
details: https://anonhg.NetBSD.org/pkgsrc/rev/1f1e35f06c00
branches: trunk
changeset: 458516:1f1e35f06c00
user: adam <adam%pkgsrc.org@localhost>
date: Fri Sep 17 20:07:15 2021 +0000
description:
nodejs12: updated to 12.22.6
Version 12.22.6 'Erbium' (LTS)
This is a security release.
Notable Changes
These are vulnerabilities in the node-tar, arborist, and npm cli modules which are related to the initial reports and subsequent remediation of node-tar vulnerabilities CVE-2021-32803 and
CVE-2021-32804. Subsequent internal security review of node-tar and additional external bounty reports have resulted in another 5 CVE being remediated in core npm CLI dependencies including node-tar,
and npm arborist.
Version 12.22.5 'Erbium' (LTS)
This is a security release.
Notable Changes
CVE-2021-3672/CVE-2021-22931: Improper handling of untypical characters in domain names (High)
Node.js was vulnerable to Remote Code Execution, XSS, application crashes due to missing input validation of hostnames returned by Domain Name Servers in the Node.js DNS library which can lead to the
output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library. You can read more about it at https://nvd.nist.gov/vuln/detail/CVE-2021-22931.
CVE-2021-22930: Use after free on close http2 on stream canceling (High)
Node.js was vulnerable to a use after free attack where an attacker might be able to exploit memory corruption to change process behavior. This release includes a follow-up fix for CVE-2021-22930 as
the issue was not completely resolved by the previous fix. You can read more about it at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22930.
CVE-2021-22939: Incomplete validation of rejectUnauthorized parameter (Low)
If the Node.js HTTPS API was used incorrectly and "undefined" was passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would
have been accepted. You can read more about it at https://nvd.nist.gov/vuln/detail/CVE-2021-22939.
Version 12.22.4 'Erbium' (LTS)
This is a security release.
Notable Changes
CVE-2021-22930: Use after free on close http2 on stream canceling (High)
Node.js is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior. You can read more about it in
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22930
diffstat:
lang/nodejs12/Makefile | 8 ++++----
lang/nodejs12/distinfo | 11 +++++------
lang/nodejs12/patches/patch-src_cares__wrap.cc | 17 -----------------
3 files changed, 9 insertions(+), 27 deletions(-)
diffs (77 lines):
diff -r 5cc1c646b646 -r 1f1e35f06c00 lang/nodejs12/Makefile
--- a/lang/nodejs12/Makefile Fri Sep 17 15:50:39 2021 +0000
+++ b/lang/nodejs12/Makefile Fri Sep 17 20:07:15 2021 +0000
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.35 2021/07/06 07:04:11 adam Exp $
+# $NetBSD: Makefile,v 1.36 2021/09/17 20:07:15 adam Exp $
-DISTNAME= node-v12.22.3
+DISTNAME= node-v12.22.6
EXTRACT_SUFX= .tar.xz
USE_LANGUAGES= c gnu++14
@@ -13,7 +13,7 @@
CONFIGURE_ARGS+= --shared-brotli
CONFIGURE_ARGS+= --shared-nghttp2
# ICU 69.1: error: 'createInstance' is a private member of 'icu_69::ListFormatter'
-#CONFIGURE_ARGS+= --with-intl=system-icu
+CONFIGURE_ARGS+= --with-intl=system-icu
PYTHON_VERSIONS_ACCEPTED= 27
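Review bot: The comment `# ICU 69.1: error: 'createInstance' is a private member of 'icu_69::ListFormatter'` is left directly above the now-active `CONFIGURE_ARGS+= --with-intl=system-icu`, so the Makefile reads as if this option is still known to fail. Drop the comment, or replace it with a line saying from which version the build against system ICU works.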
@@ -29,7 +29,7 @@
.include "../../lang/nodejs/Makefile.common"
.include "../../archivers/brotli/buildlink3.mk"
-#.include "../../textproc/icu/buildlink3.mk"
+.include "../../textproc/icu/buildlink3.mk"
# Requires nghttp2_option_set_max_settings
BUILDLINK_API_DEPENDS.nghttp2+= nghttp2>=1.41.0
.include "../../www/nghttp2/buildlink3.mk"
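Review bot: Re-enabling `.include "../../textproc/icu/buildlink3.mk"` changes the package's dependencies, since textproc/icu is pulled in again, yet the commit description only reproduces the upstream security notes. Mention the return to system ICU in the log so that a dependency change is not hidden inside a security update.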
diff -r 5cc1c646b646 -r 1f1e35f06c00 lang/nodejs12/distinfo
--- a/lang/nodejs12/distinfo Fri Sep 17 15:50:39 2021 +0000
+++ b/lang/nodejs12/distinfo Fri Sep 17 20:07:15 2021 +0000
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.24 2021/07/06 07:04:11 adam Exp $
+$NetBSD: distinfo,v 1.25 2021/09/17 20:07:15 adam Exp $
-SHA1 (node-v12.22.3.tar.xz) = 0cb24e343ce26a96b20799ec234e5abe44985faa
-RMD160 (node-v12.22.3.tar.xz) = d9d6526d038c0789299e0dd8b25edd2a25c3a872
-SHA512 (node-v12.22.3.tar.xz) = 11684b6df15b6b74b8674ebf2c2bb950d1e52b83f90478638e85dd11a163dc7c62ae888bc4c1c29e89179e0c47fdccc26bee2817d64eb3ff926b2d3e648c351c
-Size (node-v12.22.3.tar.xz) = 23662268 bytes
+SHA1 (node-v12.22.6.tar.xz) = e91060181f5c34450aff5b3cb1f9ce02ce32fdd7
+RMD160 (node-v12.22.6.tar.xz) = 1578f89347c4dbb7e0f94494995b69bd5c4b0e26
+SHA512 (node-v12.22.6.tar.xz) = d107f1ff7073d2db9f0198f14b0523870e9b262c71055de2e03fba54f87bc98a57dad43d902c0b349957df21de71dc066133d4831eb7eb07f4e548d0ac724fb2
+Size (node-v12.22.6.tar.xz) = 23664904 bytes
SHA1 (patch-common.gypi) = a3fa3b5b974f910b3c8fea640ded4dca262e1ba8
SHA1 (patch-deps_cares_cares.gyp) = 22b44f2ac59963f694dfe4f4585e08960b3dec32
SHA1 (patch-deps_uv_common.gypi) = d38a9c8d9e3522f15812aec2f5b1e1e636d4bab3
@@ -17,7 +17,6 @@
SHA1 (patch-deps_v8_src_zone_zone.h) = 651b49d242dac8f713cccc101147ccf61f828ecb
SHA1 (patch-deps_v8_tools_run-llprof.sh) = 39aa3faf77492ef8dd35b411b7b0e4605b469af3
SHA1 (patch-node.gypi) = 4a104dba6c22702211009bc60a6be6f87554e2fa
-SHA1 (patch-src_cares__wrap.cc) = 76a56a757ccaa81bb744890253e694333d66cb73
SHA1 (patch-src_inspector__agent.cc) = 2ec2a7be459648700488096f467a4ae6af5a9d91
SHA1 (patch-src_node__postmortem__metadata.cc) = 9938482d724ad6636af5dc3fa719ec26ed8539ff
SHA1 (patch-tools_gyp_pylib_gyp_generator_make.py) = be3cc1aaa85c3d59b6f2758df813cb5ad8d8f74e
diff -r 5cc1c646b646 -r 1f1e35f06c00 lang/nodejs12/patches/patch-src_cares__wrap.cc
--- a/lang/nodejs12/patches/patch-src_cares__wrap.cc Fri Sep 17 15:50:39 2021 +0000
+++ /dev/null Thu Jan 01 00:00:00 1970 +0000
@@ -1,17 +0,0 @@
-$NetBSD: patch-src_cares__wrap.cc,v 1.3 2020/05/30 20:45:12 joerg Exp $
-
-NetBSD has neither AI_V4MAPPED nor AI_ALL.
-
---- src/cares_wrap.cc.orig 2020-05-26 11:53:34.000000000 +0000
-+++ src/cares_wrap.cc
-@@ -49,8 +49,9 @@
- # include <arpa/nameser.h>
- #endif
-
--#if defined(__OpenBSD__)
-+#if defined(__OpenBSD__) || defined(__NetBSD__)
- # define AI_V4MAPPED 0
-+# define AI_ALL 0
- #endif
-
- namespace node {
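Review bot: The deleted patch carried the `#if defined(__OpenBSD__) || defined(__NetBSD__)` guard that defines `AI_V4MAPPED` and `AI_ALL` to 0 because, per its own header, NetBSD has neither, and the commit description does not say why it is no longer needed. State in the log whether 12.22.6 handles this upstream, and confirm that src/cares_wrap.cc still compiles on NetBSD without the patch.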