File nodejs4.changes of Package nodejs4.8543

Overview Repositories Revisions Requests Users Attributes Meta

File nodejs4.changes of Package nodejs4.8543

-------------------------------------------------------------------
Thu Aug 23 13:44:19 UTC 2018 - adam.majer@suse.de

- CVE-2018-12115.patch: buffer: avoid overrun on UCS-2 string write
  (CVE-2018-12115, bsc#1105019)
- openssl_1_0_2p.patch: deps: Upgrade to OpenSSL 1.0.2p, fixing:
  * Client DoS due to large DH parameter (CVE-2018-0732, bsc#1097158)
  * ECDSA key extraction via local side-channel

-------------------------------------------------------------------
Sun Jul 29 10:47:39 UTC 2018 - jengelh@inai.de

- Ensure neutrality of description.
- Use %make_install.

-------------------------------------------------------------------
Fri Jun 15 12:03:47 UTC 2018 - adam.majer@suse.de

- Recommend same major version npm package (bsc#1097748)

-------------------------------------------------------------------
Thu May 24 14:17:25 UTC 2018 - adam.majer@suse.de

- env_shebang.patch: use absolute paths in executable shebang lines
- versioned.patch: updated to move shebang modifications to above
  patch.

-------------------------------------------------------------------
Fri May 11 12:36:51 UTC 2018 - adam.majer@suse.de

- icu_61_namespacefix.patch: Fix building with ICU61.1 (bsc#1091764)

-------------------------------------------------------------------
Thu Apr  5 07:18:42 UTC 2018 - adam.majer@suse.de

- Install license with %license, not %doc (bsc#1082318)

-------------------------------------------------------------------
Wed Apr  4 13:29:24 UTC 2018 - adam.majer@suse.de

- Fix some node-gyp permissions

-------------------------------------------------------------------
Tue Apr  3 11:03:14 UTC 2018 - adam.majer@suse.de

- New upstream maintenance 4.9.1:
  * Security fixes:
    + Fix for 'path' module regular expression denial of service
      (bsc#1087459, CVE-2018-7158)
    + Reject spaces in HTTP Content-Length header values
      (bsc#1087453, CVE-2018-7159)
  * Upgrade to OpenSSL 1.0.2o
  * deps: reject interior blanks in Content-Length
  * deps: upgrade http-parser to v2.8.0
- fix_ci_tests.patch: refreshed

-------------------------------------------------------------------
Thu Mar 22 13:17:38 UTC 2018 - adam.majer@suse.de

- remove any old manpage files in %pre from before update-alternatives
  were used to manage symlinks to these manpages.

-------------------------------------------------------------------
Tue Feb 13 08:40:52 UTC 2018 - adam.majer@suse.de

- Add Recommends and BuildRequire on python2 for npm. node-gyp
  requires this old version of python for now. This is only needed
  for binary modules.

-------------------------------------------------------------------
Tue Jan 30 18:10:06 CET 2018 - ro@suse.de

- even on recent codestreams there is no binutils gold on s390
  only on s390x

-------------------------------------------------------------------
Thu Dec 21 12:53:36 UTC 2017 - adam.majer@suse.de

- Enable CI tests in %check target
  + fix_ci_ssl_tests.patch: Disable testing of obsolete curves
    which are not enabled OpenSUSE's OpenSSL library
  + fix_ci_tests.patch:
    - DNS queries in buildroots are failing with EAI_AGAIN
    - disable test-module-loading-globalpaths.js - we have
      hardcoded global paths
  + versioned.patch: call versioned node binary for tests

-------------------------------------------------------------------
Sat Dec  9 03:22:01 UTC 2017 - qantas94heavy@gmail.com

- New upstream maintenance release 4.8.7:
  * deps/openssl: updated to 1.0.2n (only applies to SLE 12 SP1
    and lower) (bsc#1072322)
    [ CVE-2017-3738 CVE-2017-15896 ]
- Remove unnecessary curl BuildRequires

-------------------------------------------------------------------
Wed Nov 29 01:41:56 UTC 2017 - qantas94heavy@gmail.com

- Change BuildRequires from openssl-devel to libopenssl-1_0_0-devel
  due to Tumbleweed/Leap 15 change to OpenSSL 1.1.0 as default

-------------------------------------------------------------------
Thu Nov 16 13:16:25 UTC 2017 - adam.majer@suse.de

- Update nodejs.keyring based on current Release Team as found on
  https://github.com/nodejs/node#release-team

-------------------------------------------------------------------
Mon Nov 13 14:29:47 UTC 2017 - adam.majer@suse.de

- Fix permissions of node-gyp. This should be executable to allow
  building of binary node modules.

-------------------------------------------------------------------
Mon Nov 13 10:12:07 UTC 2017 - adam.majer@suse.de

- New upstream maintenance release 4.8.6:
  * crypto: upgrade openssl sources to 1.0.2m
    [OpenSSL Security Advisory (bsc#1066242, bsc#1056058)
     CVE-2017-3735 CVE-2017-3736]
  * deps: add support for more modern versions of INTL
- 0f3e69db.patch: removed, upstreamed
- icu59.patch: removed, upstreamed

-------------------------------------------------------------------
Wed Oct 25 07:02:20 UTC 2017 - qantas94heavy@gmail.com

- New upstream maintenance release 4.8.5:
  * zlib: (CVE-2017-14919: only affects TW) In zlib v1.2.9, a
    change was made that causes an exception to be thrown when a
    raw deflate stream is initialized with windowBits set to 8.
    Node.js will now gracefully set windowBits to 9 (replicating
    the legacy behavior) to avoid a DOS vector.

-------------------------------------------------------------------
Thu Oct 19 08:07:05 UTC 2017 - adam.majer@suse.de

- Replace {{node_version_major}} with RPM define %node_version_number
  for simpler spec file review.
- Make sure npm program remains executable

-------------------------------------------------------------------
Wed Aug  2 15:16:57 UTC 2017 - adam.majer@suse.de

- Fix update-alternative handling in %postun - don't remove
  links on upgrades.

-------------------------------------------------------------------
Wed Jul 12 08:17:53 UTC 2017 - adam.majer@suse.de

- New LTS upstream version 4.8.4
  * v8: disable V8 snapshots. The hashseed embedded in the snapshot
    is currently the same for all runs of the binary. This opens
    node up to collision attacks which could result in a Denial
    of Service. We have temporarily disabled snapshots until a more
    robust solution is found (bnc#1048299, CVE-2017-11499).
  * http: fixes http.get with numeric authorization options that
    created/used uninitialized buffers as the authentication string
  * The c-ares function ares_parse_naptr_reply(), which is used for
    parsing NAPTR responses, could be triggered to read memory
    outside of the given input buffer if the passed in DNS response
    packet was crafted in a particular way.
    (CVE-2017-1000381, bnc#1044946)

-------------------------------------------------------------------
Fri Jul  7 14:05:05 UTC 2017 - adam.majer@suse.de

- Depend on nodejs-common that is then used to pick correctly
  versioned node or npm binary. This is required since 3rd party
  modules use `/usr/bin/env node` which breaks if multiple versions
  of NodeJS are installed at the same time and non-default version
  is used (for example, to compile a native module)
 
-------------------------------------------------------------------
Thu Jul  6 12:08:26 UTC 2017 - adam.majer@suse.de

- npm_search_paths.patch: Since concurrent installations are now
  possible, node manual pages are moved once again back under npm
  searcheable locations only.
- versioned.patch: All files are now under versioned directoies
  and names. node and npm symlinks are now managed by
  update-alternatives
- node-gyp-addon-gypi.patch: Reference versioned directories only

-------------------------------------------------------------------
Tue Jun 13 11:34:35 UTC 2017 - adam.majer@suse.de

- Fix typo in node-gyp-addon-gypi.patch patch

-------------------------------------------------------------------
Tue May 30 12:45:42 UTC 2017 - adam.majer@suse.de

- 0f3e69db.patch, icu59.patch: GCC 7 compilation fixes for v8
  backported and add missing ICU59 headers (bnc#1041283)

-------------------------------------------------------------------
Tue May 23 09:54:05 UTC 2017 - adam.majer@suse.de

- New upstream LTS release 4.8.3
  * v8: trigger OOM crash if memory allocation fails
  * src: fix base64 decoding in rare edgecase
  * tls:
    + fix segfault on destroy after partial read
    + keep track of stream that is closed
    + TLSSocket emits 'error' on handshake failure
- nodejs-libpath.patch: updated

-------------------------------------------------------------------
Wed Apr  5 01:37:06 UTC 2017 - qantas94heavy@gmail.com

- New upstream maintenance release 4.8.2
  * crypto: fix memory leak if certificate is revoked (#12089)

- Changes not applicable to openSUSE in 4.8.2:
  * deps: upgrade zlib to 1.2.11 (#10980)

- Changes in LTS release 4.8.1
  * buffer: The performance of .toJSON() is now up to 2859% faster
    on average.
  * IPC: Batched writes have been enabled for process IPC on
    platforms that support Unix Domain Sockets. Performance gains
    may be up to 40% for some workloads.
  * http: Control characters are now always rejected when using
    http.request().
  * node: Heap statistics now support values larger than 4GB.

- Modify 8334.diff:
  * Bring patch in line with upstream changes (#8334)

-------------------------------------------------------------------
Sun Feb 26 03:00:33 UTC 2017 - qantas94heavy@gmail.com

- New upstream LTS release 4.8.0
 * child_process: add shell option to spawn()
 * crypto: add ALPN Support
 * crypto: allow adding extra certs to well-known CAs
 * deps/v8: expose statistics about heap spaces
 * fs: add the fs.mkdtemp() function
 * process: add process.memoryUsage().external
 * process: add process.cpuUsage()
- Modify 8334.diff:
  * Remove merged reference counting code (#9409)

-------------------------------------------------------------------
Fri Feb  3 12:30:12 UTC 2017 - adam.majer@suse.de

- New upstream LTS release 4.7.3
  * deps: upgrade openssl sources to 1.0.2k
    (CVE-2017-3731, CVE-2017-3732, CVE-2016-7055,
     bnc#1022085, bnc#1022086, bnc#1009528)
- No changes in LTS version 4.7.2
- Adjusted 8334.diff to be inline with accepted changes
- Merge nodejs4.changes from SLE and devel project

-------------------------------------------------------------------
Fri Jan  6 08:25:14 UTC 2017 - qantas94heavy@gmail.com

- Add basic check that Node.js loads successfully to spec file

-------------------------------------------------------------------
Wed Jan  4 02:59:22 UTC 2017 - qantas94heavy@gmail.com

- New upstream LTS release 4.7.1
  * build: shared library support is now working for AIX builds
  * repl: passing options to the repl will no longer overwrite
          defaults
  * timers: recanceling a cancelled timers will no longer throw

-------------------------------------------------------------------
Fri Dec  9 04:00:08 UTC 2016 - qantas94heavy@gmail.com

- New upstream LTS version 4.7.0
  * build: introduce the configure --shared option for embedders
  * debugger: make listen address configurable in debugger server
  * dgram: generalized send queue to handle close, fixing a
           potential throw when dgram socket is closed in the
           listening event handler
  * http: introduce the 451 status code "Unavailable For
          Legal Reasons"
  * gtest: the test reporter now outputs tap comments as yamlish
  * tls: introduce secureContext for tls.connect (useful for
         caching client certificates, key, and CA certificates)
  * tls: fix memory leak when writing data to TLSWrap instance
         during handshake
  * src: node no longer aborts when c-ares initialization fails
- Modify 8334.diff:
  * ported and updated system CA store for the new node crypto code
- Refresh nodejs-libpath.patch

-------------------------------------------------------------------
Thu Dec  1 02:48:44 UTC 2016 - qantas94heavy@gmail.com

- New upstream LTS version 4.6.2
  * build:
    + It is now possible to build the documentation from the release tarball.
  * buffer:
    + Buffer.alloc() will no longer incorrectly return a zero filled buffer
      when an encoding is passed.
  * deps:
    + Upgrade npm in LTS to 2.15.11.
  * repl:
    + Enable tab completion for global properties.
  * url:
    + url.format() will now encode all "#" in search.

-------------------------------------------------------------------
Wed Nov 23 09:00:40 UTC 2016 - adam.majer@suse.de

- Add missing conflicts to base package. It's not possible to have
  concurrent nodejs installations.

-------------------------------------------------------------------
Fri Nov 18 11:59:06 UTC 2016 - adam.majer@suse.de

- Package unification across various branches of NodeJS. Package
  for 4.x, 6.x and current (7.x) branches of NodeJS are now
  handled via GitHub repository.
- remove support-arm64-build.patch: no longer required
- remove nodejs-libpath64.patch: obsolete

-------------------------------------------------------------------
Tue Nov  8 14:03:01 UTC 2016 - adam.majer@suse.de

- npm4 should provide versioned nodejs-npm and npm allowing
  nodejs-packaging to continue to function properly in Leap 42.2
  (bnc #1009011)

-------------------------------------------------------------------
Wed Oct 19 08:16:38 UTC 2016 - qantas94heavy@gmail.com

- New upstream LTS version 4.6.1
  * c-ares: fix for single-byte buffer overwrite, CVE-2016-5180
    more information at https://c-ares.haxx.se/adv_20160929.html
    (bnc #1007728)

-------------------------------------------------------------------
Tue Oct  4 14:25:04 UTC 2016 - adam.majer@suse.de

- npm4 now provides nodejs-npm to ease upgrades for Leap

-------------------------------------------------------------------
Thu Sep 29 08:52:25 UTC 2016 - adam.majer@suse.de

- enable usage of system certificate store on SLE11SP4 by 
  requiring openssl1 (boo#1000036)
- nodejs-libpath.patch:
  * adapt patch from main nodejs project so it builds on SLE11
- New upstream LTS version 4.6.0
  * openssl update (not applicable for SLE12SP2, Leap 42.2 and later)
    + upgrade to 1.0.2j (CVE-2016-6304, CVE-2016-2183, CVE-2016-2178,
      CVE-2016-6306, CVE-2016-7052)
    + remove support for dynamic 3rd party engine modules
  * http: Properly validate for allowable characters in input
      user data. This introduces a new case where throw may occur
      when configuring HTTP responses, users should already
      be adopting try/catch here. (CVE-2016-5325, bnc#985201)
  * tls: properly validate wildcard certificates
      (CVE-2016-7099, bnc#1001652)
  * buffer: Zero-fill excess bytes in new Buffer objects created
      with Buffer.concat()

-------------------------------------------------------------------
Fri Aug 26 10:37:38 UTC 2016 - adam.majer@suse.de

- New upstream LTS version 4.5.0 (bnc#997405)
  * buffer:
    + backport new buffer constructor APIs to v4.x
    + backport --zero-fill-buffers cli option
    + ignore negative allocation lengths
  * build
    + add Intel Vtune profiling support
  * repl
    + copying tabs shouldn't trigger completion
  * src
    + add node::FreeEnvironment public API
  * test
    + run v8 tests from node tree
  * V8
    + Add post mortem data to improve object inspection and
      function's context variables inspection
  * upgrade libuv to 1.9.1
  * upgrade npm to 2.15.9
- 8334.diff
  * use system CA store instead of one provided by Node
- Refresh patches

-------------------------------------------------------------------
Wed Aug 10 08:08:38 UTC 2016 - adam.majer@suse.de

- use system OpenSSL with Leap 42.2 and SLE12:SP2
- simplify source code integrity check
  + use GPG service instead of explicit BR
  + add empty checksum so GPG service is run - it's not detached signature
    like it thinks it is.

-------------------------------------------------------------------
Mon Jul  4 08:02:22 UTC 2016 - adam.majer@suse.de

- rename patches to have a .patch suffix, for consistancy
- npm_search_paths.patch:
  Change defaultPrefix to /usr/local if it is detected to be
  /usr. This is in attempt to prevent globally installed npm-managed
  packages from installing into the zypper managed prefix.
- refreshed patches support-arm64-build.patch
- use upstream .xz instead of .gz tarball

-------------------------------------------------------------------
Fri Jul  1 13:35:35 UTC 2016 - adam.majer@suse.de

- New upstream version 4.4.7
  * debugger:
    + All properties of an array (aside from length) can now be printed
      in the repl
  * Upgrade npm to 2.15.8 (Rebecca Turner)
  * Fix for a bug that became more prevalent with the stream changes
    that landed in v4.4.5. (Anna Henningsen). 'reset awaitDrain after manual
    .resume()'
  * V8:
    + Fix for a bug in crankshaft that was causing crashes on arm64
      (Myles Borins)
    +  Add missing classes to postmortem info such as JSMap and JSSet
       (evan.lucas)
- Add upstream release keyring
- Verify upstream sources during %prep

-------------------------------------------------------------------
Mon Jun 27 10:36:14 UTC 2016 - adam.majer@suse.de

- Use build flags to enable/disable gdb usage instead of 
  configure script. Easier to find and change in future.
- Fix paths, and have to fix lots of paths because they
  are all more or less hardcoded relative paths.
- Renumber patches allowing upstream patches to be inserted
  before our own.

-------------------------------------------------------------------
Fri Jun 24 15:55:35 UTC 2016 - adam.majer@suse.de

- New upstream version 4.4.6
 + fix buffer overflow vulnerability discovered in v8
   (CVE-2016-1669)

-------------------------------------------------------------------
Thu Jun 16 15:06:11 UTC 2016 - adam.majer@suse.de

- Change detection of library paths from runtime to compile time.
  nodejs-libpath.patch, nodejs-libpath64.patch

-------------------------------------------------------------------
Wed Jun 15 12:03:10 UTC 2016 - adam.majer@suse.de

- This package is in response to FATE#320396 and ECO#317945
  and references bnc#958943
  It's to be part of Web and Scripting Module
- Use build conditional for intree_openssl
- Fix permissions of some supplies javascript files - they are
  not executables
- General cleanup of the package

-------------------------------------------------------------------
Wed Jun 15 11:18:13 UTC 2016 - adam.majer@suse.de

- Tighten dependencies so we don't end up with mixed versions
  installed.

-------------------------------------------------------------------
Tue Jun 14 16:53:01 UTC 2016 - adam.majer@suse.de

- Dedup manpages
- Conflict with other providers of NodeJS packages. This is
  important if we want to provide NodeJS v6.x branch along with
  v4.x branch

-------------------------------------------------------------------
Mon Jun  6 08:44:43 UTC 2016 - adam.majer@suse.de

- 'New' package of 4.x LTS branch of NodeJS, based on v6.2.1
   from Tumbleweed
-  Fix search paths to actually look where modules are installed

Places

File nodejs4.changes of Package nodejs4.8543

Places