From 8f462ce5d3f7e31e0c9983deee215c531c03a6ef Mon Sep 17 00:00:00 2001
From: Stephen Gallagher
Date: Mon, 16 Oct 2023 11:59:52 -0400
Subject: [PATCH] Update to 20.8.1

This is a security release. The following CVEs are fixed in this release:
* [CVE-2023-44487](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44487): `nghttp2` Security Release (High)
* [CVE-2023-45143](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45143): `undici` Security Release (High)
* [CVE-2023-39332](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39332): Path traversal through path stored in Uint8Array (High)
* [CVE-2023-39331](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39331): Permission model improperly protects against path traversal (High)
* [CVE-2023-38552](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38552): Integrity checks according to policies can be circumvented (Medium)
* [CVE-2023-39333](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39333): Code injection via WebAssembly export names (Low)
More detailed information on each of the vulnerabilities can be found in [October 2023 Security Releases](https://nodejs.org/en/blog/vulnerability/october-2023-security-releases/) blog post.
Signed-off-by: Stephen Gallagher
---
 nodejs20.spec | 6 +++---
 sources | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/nodejs20.spec b/nodejs20.spec
index 64a7a73..537434a 100644
--- a/nodejs20.spec
+++ b/nodejs20.spec
@@ -27,7 +27,7 @@
 %global nodejs_epoch 1
 %global nodejs_major 20
 %global nodejs_minor 8
-%global nodejs_patch 0
+%global nodejs_patch 1
 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h
 %global nodejs_soversion 115
 %global nodejs_abi %{nodejs_soversion}
@@ -74,7 +74,7 @@
 %global libuv_version 1.46.0
 # nghttp2 - from deps/nghttp2/lib/includes/nghttp2/nghttp2ver.h
-%global nghttp2_version 1.56.0
+%global nghttp2_version 1.57.0
 # ICU - from tools/icu/current_ver.dep
 %global icu_major 73
@@ -145,7 +145,7 @@ Source203: v8.pc.in
 # These are generated by nodejs-sources.sh
 Source101: cjs-module-lexer-1.2.2-stripped.tar.gz
 Source102: wasi-sdk-11.0-linux.tar.gz
-Source111: undici-5.25.2-stripped.tar.gz
+Source111: undici-5.26.3-stripped.tar.gz
 Source112: wasi-sdk-20.0-linux.tar.gz
 Patch: 0001-Remove-unused-OpenSSL-config.patch
diff --git a/sources b/sources
index 93e6dae..993fbc5 100644
--- a/sources
+++ b/sources
@@ -1,7 +1,7 @@
-SHA512 (node-v20.8.0-stripped.tar.gz) = 645c1f9d9afde40279a9f360940aa3294dae39e86e2aff12e7edb84fba24c83f98b5d813cc167469b89e3d55dad98eafb5d51464d87bd2d5602c9d5cc3d12ea5
+SHA512 (node-v20.8.1-stripped.tar.gz) = 39c784ec5ccddf61ee73e90e6cd9b0fc9c6732d5c2da898afd1189e5488acc8bbbf5771e4bdc36c12a9e8578083be0cb4b6539dfef75963f97a058957c502f12
 SHA512 (icu4c-73_2-data-bin-b.zip) = 8512947da7b2a927627abed6bd7e04218cd4fcd02d44eb72a82ffa87aedabfc3be5d3152e9fba33a769ef35e2db55764c2ab8f5bd65b4e89aa9c15b33392e078
 SHA512 (icu4c-73_2-data-bin-l.zip) = 420c2f5090927dab13f5449da3b0ec7bf86a91ea8723f177aca2907a8eea9bcb4c3475b66c54355ae320001813db57a00afdab00bd85b8c36d39adedcab80bfc
-SHA512 (cjs-module-lexer-1.2.2-stripped.tar.gz) = 66a1873df855c7c3c67c90e24c3f4359d563bb7cb9dff5683a96088bbf0beaeedd2b63d48c578100298c79e81f9e9948acd4aef9369af890950c92210bb8cb78
+SHA512 (cjs-module-lexer-1.2.2-stripped.tar.gz) = 3417a70d0527db04f6472efc1d697a549517c09551f0b299a3896653ef37d95b29fcdac96ddfa4bd583c2f029b61bac36f37e15a9d16115d5d9b2a61d5a4d876
 SHA512 (wasi-sdk-11.0-linux.tar.gz) = e3ed4597f7f2290967eef6238e9046f60abbcb8633a4a2a51525d00e7393df8df637a98a5b668217d332dd44fcbf2442ec7efd5e65724e888d90611164451e20
-SHA512 (undici-5.25.2-stripped.tar.gz) = c07c2396f6ce2bc17d27728d69dc84a21dc44df670e6ba47f676606a41f0653782909a257cb93476f5b5624f51488d0da1b762f19b00c741950e4cad2319d3d6
+SHA512 (undici-5.26.3-stripped.tar.gz) = 4cd994cba4ef09be3a748982bdddb418a1c828a436605f38d6d23fcc729df7586b213fe7a8799c3e3ec21549f499f01a278d09f0ec8032a0f1a3b6eff4596b0b
 SHA512 (wasi-sdk-20.0-linux.tar.gz) = ff3d368267526887534f50767ff010bd368e9c24178ab2f0cf57a8ed0b3a82fbf85986d620ab2327ac6bb3f456c65adc6edb80626a1289e630dde7e43b191b42
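Review bot: The SHA512 for `cjs-module-lexer-1.2.2-stripped.tar.gz` changes in this hunk although its file name and version are unchanged, and the commit message does not say why. The spec comment in the nodejs20.spec hunk says these tarballs are generated by nodejs-sources.sh, so this is presumably a non-reproducible regeneration rather than a content change, but from the digest alone a reviewer cannot tell that apart from a substituted tarball. I would either keep the previously uploaded tarball when the bundled version has not moved, or record the reason in the commit message, for example `cjs-module-lexer-1.2.2-stripped.tar.gz regenerated by nodejs-sources.sh; unpacked contents compared against the previous upload`. Making the script's archive output deterministic (fixed mtime, sorted entries, fixed owner) would stop the digest changing for identical content.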