pkgsrc-Changes archive


CVS commit: pkgsrc/lang/nodejs



Module Name:    pkgsrc
Committed By:   adam
Date:           Fri Sep 17 20:08:23 UTC 2021

Modified Files:
        pkgsrc/lang/nodejs: Makefile Makefile.common distinfo

Log Message:
nodejs: updated to 14.17.6

Version 14.17.6 'Fermium' (LTS)

This is a security release.

Notable Changes

These are vulnerabilities in the node-tar, arborist, and npm cli modules which are related to the initial reports and subsequent remediation of node-tar vulnerabilities CVE-2021-32803 and CVE-2021-32804. Subsequent internal security review of node-tar and additional external bounty reports have resulted in another 5 CVEs being remediated in core npm CLI dependencies including node-tar, and npm arborist.

Version 14.17.5 'Fermium' (LTS)

This is a security release.

Notable Changes

CVE-2021-3672/CVE-2021-22931: Improper handling of untypical characters in domain names (High)
Node.js was vulnerable to Remote Code Execution, XSS, application crashes due to missing input validation of hostnames returned by Domain Name Servers in the Node.js DNS library which can lead to the 
output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library. You can read more about it at https://nvd.nist.gov/vuln/detail/CVE-2021-22931.
CVE-2021-22930: Use after free on close http2 on stream canceling (High)
Node.js was vulnerable to a use after free attack where an attacker might be able to exploit memory corruption to change process behavior. This release includes a follow-up fix for CVE-2021-22930 as 
the issue was not completely resolved by the previous fix. You can read more about it at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22930.
CVE-2021-22939: Incomplete validation of rejectUnauthorized parameter (Low)
If the Node.js HTTPS API was used incorrectly and "undefined" was passed in for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted. You can read more about it at https://nvd.nist.gov/vuln/detail/CVE-2021-22939.

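The CVE-2021-3672/CVE-2021-22931 entry above describes hostnames coming back from the resolver without validation and ending up in injection sinks. The following is an added example, not code from the commit or from Node.js, of the defence-in-depth check an application can apply to resolver output (dns.resolve* answers, PTR results, CNAME targets) before using it in a command line, header or further lookup. It assumes names are already ASCII/punycode (non-ASCII is rejected rather than normalised) and enforces the RFC 1123 letters-digits-hyphen label rule; the sample answers are constructed.

```javascript
// Added illustration (not from Node.js or pkgsrc): validate hostnames returned
// by a resolver before they reach a shell, HTML, a header or another lookup.
// Policy (assumption): ASCII only, RFC 1123 LDH labels, 1..63 chars per label,
// no empty label, no leading/trailing hyphen, at most 253 chars overall.
const LABEL_RE = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/i;

function isSafeHostname(name) {
  if (typeof name !== 'string') return false;
  // Allow exactly one trailing dot (FQDN form); anything else must be labels.
  const n = name.endsWith('.') ? name.slice(0, -1) : name;
  if (n.length === 0 || n.length > 253) return false;
  // split('.') yields an empty string for "a..b", which LABEL_RE rejects.
  return n.split('.').every((label) => LABEL_RE.test(label));
}

// Partition resolver answers so callers can log what was thrown away.
function filterResolverAnswers(answers) {
  const accepted = [];
  const rejected = [];
  for (const a of answers) {
    (isSafeHostname(a) ? accepted : rejected).push(a);
  }
  return { accepted, rejected };
}

// Constructed sample answers (not real resolver output): the last five carry
// shell metacharacters, markup, an empty label, a leading hyphen and an
// over-long label respectively.
const SAMPLE_ANSWERS = [
  'mail.example.com.',
  'host-1.example.net',
  'evil$(id).example',
  '<script>.example',
  'a..b',
  '-bad.example',
  'x'.repeat(64) + '.example',
];

function demo() {
  return filterResolverAnswers(SAMPLE_ANSWERS);
}
```

Use `filterResolverAnswers` on the array a `dns.resolve*` callback hands you; `demo()` keeps only the first two sample names and rejects the rest.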

To generate a diff of this commit:
cvs rdiff -u -r1.218 -r1.219 pkgsrc/lang/nodejs/Makefile
cvs rdiff -u -r1.43 -r1.44 pkgsrc/lang/nodejs/Makefile.common
cvs rdiff -u -r1.200 -r1.201 pkgsrc/lang/nodejs/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: pkgsrc/lang/nodejs/Makefile
diff -u pkgsrc/lang/nodejs/Makefile:1.218 pkgsrc/lang/nodejs/Makefile:1.219
--- pkgsrc/lang/nodejs/Makefile:1.218   Wed Aug  4 09:08:32 2021
+++ pkgsrc/lang/nodejs/Makefile Fri Sep 17 20:08:23 2021
@@ -1,6 +1,6 @@
-# $NetBSD: Makefile,v 1.218 2021/08/04 09:08:32 adam Exp $
+# $NetBSD: Makefile,v 1.219 2021/09/17 20:08:23 adam Exp $
 
-DISTNAME=      node-v14.17.4
+DISTNAME=      node-v14.17.6
 EXTRACT_SUFX=  .tar.xz
 
 USE_LANGUAGES= c gnu++14

Index: pkgsrc/lang/nodejs/Makefile.common
diff -u pkgsrc/lang/nodejs/Makefile.common:1.43 pkgsrc/lang/nodejs/Makefile.common:1.44
--- pkgsrc/lang/nodejs/Makefile.common:1.43     Thu Jun 24 09:29:21 2021
+++ pkgsrc/lang/nodejs/Makefile.common  Fri Sep 17 20:08:23 2021
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile.common,v 1.43 2021/06/24 09:29:21 adam Exp $
+# $NetBSD: Makefile.common,v 1.44 2021/09/17 20:08:23 adam Exp $
 # used by lang/nodejs/Makefile
 # used by lang/nodejs8/Makefile
 # used by lang/nodejs10/Makefile
@@ -22,7 +22,8 @@ GCC_REQD+=            4.9.4
 
 CONFIG_SHELL=          ${PYTHONBIN}
 CONFIGURE_ARGS+=       --prefix=${PREFIX}
-CONFIGURE_ARGS+=       --shared-cares
+# Needs ares_nameser.h which is not installed by libcares
+#CONFIGURE_ARGS+=      --shared-cares
 CONFIGURE_ARGS+=       --shared-libuv
 CONFIGURE_ARGS+=       --shared-zlib
 CONFIGURE_ARGS+=       --without-npm
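Review bot: Commenting out `--shared-cares` switches the build from the pkgsrc net/libcares library to the c-ares copy bundled in the node tarball, so from now on DNS-resolver fixes reach pkgsrc users only through lang/nodejs updates rather than through net/libcares; the one-line comment "Needs ares_nameser.h which is not installed by libcares" should say that, and ideally record the libcares version or issue that would allow `--shared-cares` to be restored, rather than leaving a bare commented-out line that future maintainers will not know whether to re-enable. Given that this very release's log message concerns hostname handling in the DNS library (CVE-2021-3672/CVE-2021-22931), the switch to the bundled resolver is worth calling out explicitly in the comment.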
@@ -85,5 +86,5 @@ BUILDLINK_API_DEPENDS.libuv+= libuv>=1.4
 .include "../../devel/zlib/buildlink3.mk"
 .include "../../lang/python/application.mk"
 .include "../../lang/python/tool.mk"
-.include "../../net/libcares/buildlink3.mk"
+#.include "../../net/libcares/buildlink3.mk"
 .include "../../mk/pthread.buildlink3.mk"
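Review bot: The commented `#.include "../../net/libcares/buildlink3.mk"` carries no explanation of its own, so a reader of this hunk cannot tell it is tied to the disabled `--shared-cares` above; either delete both commented lines outright or repeat the `ares_nameser.h` reason here. Also check whether the file still has a `BUILDLINK_API_DEPENDS.libcares+=` line (the hunk header shows the libuv one at this spot), since a dangling dependency constraint without the buildlink3 include would be dead configuration.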

Index: pkgsrc/lang/nodejs/distinfo
diff -u pkgsrc/lang/nodejs/distinfo:1.200 pkgsrc/lang/nodejs/distinfo:1.201
--- pkgsrc/lang/nodejs/distinfo:1.200   Wed Aug  4 09:08:32 2021
+++ pkgsrc/lang/nodejs/distinfo Fri Sep 17 20:08:23 2021
@@ -1,9 +1,9 @@
-$NetBSD: distinfo,v 1.200 2021/08/04 09:08:32 adam Exp $
+$NetBSD: distinfo,v 1.201 2021/09/17 20:08:23 adam Exp $
 
-SHA1 (node-v14.17.4.tar.xz) = 8fe99963072062051d14005b01e4e7124b30b472
-RMD160 (node-v14.17.4.tar.xz) = 72517cf54d051a3d1ff687d990712d2eb8c6728d
-SHA512 (node-v14.17.4.tar.xz) = c06228f1a82cf887fa1557be58a8814027926f5c9750c9f1a1656afd6f58151be08e05203343c62fb9a3957d99a73bee6fe509e52543fdbc5bd4c05a1e76c3cf
-Size (node-v14.17.4.tar.xz) = 33592020 bytes
+SHA1 (node-v14.17.6.tar.xz) = a82646e6bfbf361611d46b871ec87c97192d4190
+RMD160 (node-v14.17.6.tar.xz) = 83d6cd6b114256777ec63a678e5f3b924b69691e
+SHA512 (node-v14.17.6.tar.xz) = 581c5698112426042fbf54fa793e56a30cae0c54ce8f23af6ac20d73c69a4f1166c5410f357c5a7b0409a773f99e3b9291e4afffd53b3c0e00569725dc4c47d3
+Size (node-v14.17.6.tar.xz) = 33606464 bytes
 SHA1 (patch-common.gypi) = f0bd2962bf7c8466db24b35a35154897ecad6316
 SHA1 (patch-deps_cares_cares.gyp) = 22b44f2ac59963f694dfe4f4585e08960b3dec32
 SHA1 (patch-deps_uv_common.gypi) = d38a9c8d9e3522f15812aec2f5b1e1e636d4bab3
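Review bot: The distfile checksums (SHA1, RMD160, SHA512, Size) are updated consistently for node-v14.17.6.tar.xz, but the patch checksums are untouched, including `patch-deps_cares_cares.gyp`; since the Makefile.common change in this same commit makes the bundled deps/cares the copy that actually gets built, confirm that this patch still applies cleanly to the 14.17.6 deps/cares tree and that it does not undo anything the new c-ares build relies on.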


