Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP1:Update
nodejs6.15324
nodejs6.changes
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File nodejs6.changes of Package nodejs6.15324
------------------------------------------------------------------- Thu Jun 4 13:39:29 UTC 2020 - Adam Majer <adam.majer@suse.de> - CVE-2020-8174.patch: napi: fix various types of memory corruption in napi_get_value_string_*() (CVE-2020-8174, bsc#1172443) - minimist.patch: Fixes a vulnerability in an npm component (CVE-2020-7598 bsc#1166916) ------------------------------------------------------------------- Mon May 4 12:27:33 UTC 2020 - Adam Majer <adam.majer@suse.de> - Reduce Requires to Recommends on nodejs6-devel when installing npm6 ------------------------------------------------------------------- Fri Feb 7 15:11:56 UTC 2020 - Adam Majer <adam.majer@suse.de> - CVE-2019-15604.patch: fixes a remotely triggerable assertion on a TLS server via a crafted certificate string (CVE-2019-15604, bsc#1163104) - CVE-2019-15605.patch: fixes an HTTP request smuggling vulnerability via malformed Transfer-Encoding header (CVE-2019-15605, bsc#1163102) - CVE-2019-15606.patch: trim HTTP header values of optional white space (CVE-2019-15606, bsc#1163103) ------------------------------------------------------------------- Tue Jan 7 13:12:10 UTC 2020 - Guillaume GARDET <guillaume.gardet@opensuse.org> - Really disable LTO when required (nodejs < 12) ------------------------------------------------------------------- Thu Jan 2 14:40:46 UTC 2020 - Adam Majer <adam.majer@suse.de> - Add npm.tar.xz - Update npm to 6.13.4 fixing an arbitrary path overwrite and access via "bin" field (bsc#1159352, CVE-2019-16777, CVE-2019-16776, CVE-2019-16775). - CVE-2019-13173.patch - upstreamed - refreshed: node-gyp-addon-gypi.patch, npm_search_paths.patch, versioned.patch ------------------------------------------------------------------- Thu Oct 24 15:41:09 UTC 2019 - Adam Majer <adam.majer@suse.de> - New upstream LTS release 6.17.1: * http: fix error check in Execute() ------------------------------------------------------------------- Wed Oct 2 11:45:25 UTC 2019 - Michel Normand <normand@linux.vnet.ibm.com> - Add _constraints for ppc64le to avoid build error ------------------------------------------------------------------- Mon Jul 29 09:01:36 UTC 2019 - Adam Majer <adam.majer@suse.de> - CVE-2019-13173.patch: fix potential file overwrite via hardlink in fstream.DirWriter() function (bsc#1140290, CVE-2019-13173) ------------------------------------------------------------------- Thu Feb 28 13:28:56 UTC 2019 - Adam Majer <adam.majer@suse.de> - New upstream LTS release 6.17.0: * deps: OpenSSL has been upgraded to 1.0.2r. Under certain circumstances, a TLS server can be forced to respond differently to a client if a zero-byte record is received with an invalid padding compared to a zero-byte record with an invalid MAC. This can be used as the basis of a padding oracle attack to decrypt data. (CVE-2019-1559, bsc#1127080) * http: + Backport server.keepAliveTimeout to prevent keep-alive HTTP and HTTPS connections remaining open and inactive for an extended period of time, leading to a potential Denial of Service (DoS). (CVE-2019-5739, bsc#1127533) + Further prevention of "Slowloris" attacks on HTTP and HTTPS connections by consistently applying the receive timeout set by server.headersTimeout to connections in keep-alive mode. (CVE-2019-5737, bsc#1127532) ------------------------------------------------------------------- Fri Feb 1 12:40:17 UTC 2019 - adam.majer@suse.de - nodejs.keyring: update keyring to today's list as per https://github.com/nodejs/node ------------------------------------------------------------------- Mon Jan 7 16:06:53 UTC 2019 - adam.majer@suse.de - Update upstream LTS release 6.16.0: * cli: add --max-http-header-size flag * http: add maxHeaderSize property - Changes in LTS release 6.15.0: * debugger: prevent the debugger from listening on 0.0.0.0. It now defaults to 127.0.0.1. (CVE-2018-12120, bsc#1117625) * deps: Upgrade to OpenSSL 1.0.2q, fixing CVE-2018-0734 (bsc#1113652) and CVE-2018-5407 (bsc#1113534) * http: + Headers received by HTTP servers must not exceed 8192 bytes in total to prevent possible Denial of Service attacks. (CVE-2018-12121, bsc#1117626) + A timeout of 40 seconds now applies to servers receiving HTTP headers. This value can be adjusted with server.headersTimeout. Where headers are not completely received within this period, the socket is destroyed on the next received chunk. In conjunction with server.setTimeout(), this aids in protecting against excessive resource retention and possible Denial of Service. (CVE-2018-12122, bsc#1117627) + Two-byte characters are now strictly disallowed for the path option in HTTP client requests. Paths containing characters outside of the range \u0021 - \u00ff will now be rejected with a TypeError. This behavior can be reverted if necessary by supplying the --security-revert=CVE-2018-12116 command line argument (this is not recommended). (CVE-2018-12116, bsc#1117630) * util: Fix a bug that would allow a hostname being spoofed when parsing URLs with url.parse() with the 'javascript:' protocol. (CVE-2018-12123, bsc#1117629) - skip_test_on_lowmem.patch: skip test on low-memory build machine ------------------------------------------------------------------- Mon Nov 26 14:06:57 UTC 2018 - adam.majer@suse.de - flaky_test_rerun.patch: Rerun failing tests in case of flakiness ------------------------------------------------------------------- Mon Nov 12 12:26:46 UTC 2018 - adam.majer@suse.de - env_shebang.patch: dropped in favour of programmatic update ------------------------------------------------------------------- Mon Oct 1 14:47:48 UTC 2018 - adam.majer@suse.de - fix_ci_tests.patch: Fix unit tests ------------------------------------------------------------------- Mon Aug 20 08:44:21 UTC 2018 - adam.majer@suse.de - New upstream LTS release 6.14.4: * buffer: Fix out-of-bounds (OOB) write in Buffer.write() for UCS-2 encoding (CVE-2018-12115, bsc#1105019) * deps: Upgrade to OpenSSL 1.0.2p, fixing: + Client DoS due to large DH parameter (CVE-2018-0732, bsc#1097158) + ECDSA key extraction via local side-channel ------------------------------------------------------------------- Sun Jul 29 10:47:39 UTC 2018 - jengelh@inai.de - Ensure neutrality of description. - Use %make_install. ------------------------------------------------------------------- Fri Jun 15 12:03:47 UTC 2018 - adam.majer@suse.de - Recommend same major version npm package (bsc#1097748) ------------------------------------------------------------------- Thu Jun 14 09:20:15 UTC 2018 - adam.majer@suse.de - New upstream LTS release 6.14.3: * buffer: Fixes Denial of Service vulnerability where calling Buffer.fill() could hang (CVE-2018-7167, bsc#1097375) ------------------------------------------------------------------- Thu May 24 14:17:25 UTC 2018 - adam.majer@suse.de - env_shebang.patch: use absolute paths in executable shebang lines - versioned.patch: updated to move shebang modifications to above patch. ------------------------------------------------------------------- Fri May 11 12:36:46 UTC 2018 - adam.majer@suse.de - New upstream LTS release 6.14.2: * n-api: n-api has been backported to v6.x. - icu_61_namespacefix.patch: Fix building with ICU61.1 (bsc#1091764) - versioned.patch: rebased ------------------------------------------------------------------- Thu Apr 5 07:18:42 UTC 2018 - adam.majer@suse.de - Install license with %license, not %doc (bsc#1082318) ------------------------------------------------------------------- Wed Apr 4 13:29:24 UTC 2018 - adam.majer@suse.de - Fix some node-gyp permissions ------------------------------------------------------------------- Tue Apr 3 11:02:56 UTC 2018 - adam.majer@suse.de - New upstream LTS release 6.14.1: * Security fixes: + Fix for inspector DNS rebinding vulnerability (bsc#1087463, CVE-2018-7160) + Fix for 'path' module regular expression denial of service (bsc#1087459, CVE-2018-7158) + Reject spaces in HTTP Content-Length header values (bsc#1087453, CVE-2018-7159) * Upgrade to OpenSSL 1.0.2o * deps: upgrade http-parser to v2.8.0 ------------------------------------------------------------------- Thu Mar 22 10:52:48 UTC 2018 - adam.majer@suse.de - New upstream LTS release 6.13.1: * http,tls: better support for IPv6 addresses * console: added console.count() and console.clear() * crypto: + expose ECDH class + added cypto.randomFill() and crypto.randomFillSync() + warn on invalid authentication tag length * deps: upgrade libuv to 1.16.1 * dgram: added socket.setMulticastInterface() * http: add agent.keepSocketAlive and agent.reuseSocket as to allow overridable keep-alive behavior of Agent * lib: return this from net.Socket.end() * module: add builtinModules api that provides list of all builtin modules in Node * net: return this from getConnections() * promises: more robust stringification for unhandled rejections * repl: improve require() autocompletion * src: + add openssl-system-ca-path configure option + add --use-bundled-ca --use-openssl-ca check + add process.ppid * tls: accept lookup option for tls.connect() * tools,build: a new macOS installer! * url: WHATWG URL api support * util: add %i and %f formatting specifiers - remove any old manpage files in %pre from before update-alternatives were used to manage symlinks to these manpages. ------------------------------------------------------------------- Tue Feb 13 08:40:52 UTC 2018 - adam.majer@suse.de - Add Recommends and BuildRequire on python2 for npm. node-gyp requires this old version of python for now. This is only needed for binary modules. ------------------------------------------------------------------- Tue Jan 30 18:10:06 CET 2018 - ro@suse.de - even on recent codestreams there is no binutils gold on s390 only on s390x ------------------------------------------------------------------- Tue Jan 9 10:54:48 UTC 2018 - adam.majer@suse.de - New upstream LTS release 6.12.3: * v8: profiler-related fixes * mostly documentation and test related changes - nodejs-sle11-python26-check_output.patch: refreshed ------------------------------------------------------------------- Fri Dec 22 14:28:07 UTC 2017 - adam.majer@suse.de - Enable CI tests in %check target + fix_ci_tests.patch: - DNS queries in buildroots are failing with EAI_AGAIN - disable test-module-loading-globalpaths.js - we have hardcoded global paths + versioned.patch: call versioned node binary for tests ------------------------------------------------------------------- Thu Dec 14 09:45:50 UTC 2017 - adam.majer@suse.de - Dropped 8334.diff - no longer needed ------------------------------------------------------------------- Sat Dec 9 03:22:01 UTC 2017 - qantas94heavy@gmail.com - New upstream LTS release 6.12.2: * deps/openssl: updated to 1.0.2n (only applies to SLE 12 SP1 and lower) (bsc#1072322) [ CVE-2017-3738 CVE-2017-15896 ] - Changes in 6.12.1: * build: fix npm install with --shared [ gh#nodejs/node#16438 ] * build: building on systems with default Python 3 is now supported [ gh#nodejs/node#16058 ] * src: v8 options can be specified with either '_' or '-' in NODE_OPTIONS [ gh#nodejs/node#14093 ] - Remove unnecessary curl BuildRequires - Enable gold linker on s390x (TW and SLE/Leap 15) - Build with bundled ICU if system ICU not available (only applies to SLE 11) ------------------------------------------------------------------- Wed Nov 29 01:41:56 UTC 2017 - qantas94heavy@gmail.com - Change BuildRequires from openssl-devel to libopenssl-1_0_0-devel due to Tumbleweed/Leap 15 change to OpenSSL 1.1.0 as default ------------------------------------------------------------------- Thu Nov 16 13:16:25 UTC 2017 - adam.majer@suse.de - Update nodejs.keyring based on current Release Team as found on https://github.com/nodejs/node#release-team ------------------------------------------------------------------- Mon Nov 13 14:29:47 UTC 2017 - adam.majer@suse.de - Fix permissions of node-gyp. This should be executable to allow building of binary node modules. ------------------------------------------------------------------- Mon Nov 13 10:08:04 UTC 2017 - adam.majer@suse.de - New upstream LTS release 6.12.0: * assert: assert.fail() can now take one or two arguments * crypto: add sign/verify support for RSASSA-PSS * deps: + upgrade openssl sources to 1.0.2m [OpenSSL Security Advisory (bsc#1066242, bsc#1056058) CVE-2017-3735 CVE-2017-3736] + upgrade libuv to 1.15.0 * fs: Add support for fs.write/fs.writeSync(fd, buffer, cb) and fs.write/fs.writeSync(fd, buffer, offset, cb) as documented * inspector: enable --inspect-brk * process: add --redirect-warnings command line argument * src: + allow CLI args in env with NODE_OPTIONS + --abort-on-uncaught-exception in NODE_OPTIONS + allow --tls-cipher-list in NODE_OPTIONS + use SafeGetenv() for NODE_REDIRECT_WARNINGS * test: remove common.fail() - 0f3e69db.patch, icu59.patch: removed empty patches - nodejs-libpath.patch: refreshed ------------------------------------------------------------------- Wed Oct 25 05:19:03 UTC 2017 - qantas94heavy@gmail.com - New upstream LTS release 6.11.5: * zlib: (CVE-2017-14919: only affects TW) In zlib v1.2.9, a change was made that causes an exception to be thrown when a raw deflate stream is initialized with windowBits set to 8. Node.js will now gracefully set windowBits to 9 (replicating the legacy behavior) to avoid a DOS vector. ------------------------------------------------------------------- Thu Oct 19 08:07:05 UTC 2017 - adam.majer@suse.de - Replace {{node_version_major}} with RPM define %node_version_number for simpler spec file review. - Make sure npm program remains executable ------------------------------------------------------------------- Wed Oct 4 16:38:26 UTC 2017 - adam.majer@suse.de - New upstream LTS release 6.11.4: * net: support passing undefined to listen() to match behavior in v4.x and v8.x ------------------------------------------------------------------- Mon Sep 11 13:58:26 UTC 2017 - qantas94heavy@gmail.com - New upstream LTS release 6.11.3: * deps: Snapshots are turned back on!!! (#14385) * path: win32 volume-relative paths are working again! (#14440) * tools: v6.x can now build with ICU 59 (#12078) - Drop icu59.patch: merged upstream. - Refresh versioned.patch ------------------------------------------------------------------- Thu Aug 17 08:57:20 UTC 2017 - qantas94heavy@gmail.com - New upstream LTS release 6.11.2 * configure: add mips64el to valid_arch (#13620) * crypto: updated root certificates based on NSS 3.30 (#13279, #12402) * deps: upgrade OpenSSL to version 1.0.2.l (#12913) * http: + parse errors are now reported when NODE_DEBUG=http (#13206) + Agent constructor can now be invoked without new (#12927) * zlib: node will now throw an Error when zlib rejects the value of windowBits, instead of crashing (#13098) - Drop 0f3e69db.patch: fixed upstream ------------------------------------------------------------------- Wed Aug 2 15:16:57 UTC 2017 - adam.majer@suse.de - Fix update-alternative handling in %postun - don't remove links on upgrades. ------------------------------------------------------------------- Wed Jul 12 08:24:32 UTC 2017 - adam.majer@suse.de - New upstream LTS release 6.11.1 * v8: disable V8 snapshots. The hashseed embedded in the snapshot is currently the same for all runs of the binary. This opens node up to collision attacks which could result in a Denial of Service. We have temporarily disabled snapshots until a more robust solution is found. (bnc#1048299, CVE-2017-11499) * The c-ares function ares_parse_naptr_reply(), which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way. (CVE-2017-1000381, bnc#1044946) ------------------------------------------------------------------- Fri Jul 7 14:05:05 UTC 2017 - adam.majer@suse.de - Depend on nodejs-common that is then used to pick correctly versioned node or npm binary. This is required since 3rd party modules use `/usr/bin/env node` which breaks if multiple versions of NodeJS are installed at the same time and non-default version is used (for example, to compile a native module) ------------------------------------------------------------------- Thu Jul 6 12:08:26 UTC 2017 - adam.majer@suse.de - npm_search_paths.patch: Since concurrent installations are now possible, node manual pages are moved once again back under npm searcheable locations only. - versioned.patch: All files are now under versioned directoies and names. node and npm symlinks are now managed by update-alternatives - node-gyp-addon-gypi.patch: Reference versioned directories only ------------------------------------------------------------------- Tue Jun 13 09:13:23 UTC 2017 - adam.majer@suse.de - New upstream LTS release 6.11.0 * added support for building mips64el * cluster: + disconnect() now returns a reference to the disconnected worker. * crypto: + ability to select cert store at runtime + Use system CAs instead of using bundled ones (obsoletes 8334.diff) + The Decipher methods setAuthTag() and setAAD now return this + adding support for OPENSSL_CONF again + make LazyTransform compabile with Streams1 * deps: + upgrade libuv to 1.11.0 * dns: + Implemented {ttl: true} for resolve4() and resolve6(). * process: + add NODE_NO_WARNINGS environment variable * readline: + add option to stop duplicates in history * src: + support "--" after "-e" as end-of-options * tls: + new tls.TLSSocket() supports sec ctx options + Allow obvious key/passphrase combinations. - Fix typo in node-gyp-addon-gypi.patch patch - Refresh icu59.patch ------------------------------------------------------------------- Tue May 30 12:45:42 UTC 2017 - adam.majer@suse.de - 0f3e69db.patch, icu59.patch: backported GCC 7 compilation fixes for v8 backported and add missing ICU59 includes (bnc#1041282) ------------------------------------------------------------------- Tue May 23 09:52:00 UTC 2017 - adam.majer@suse.de - New upstream LTS release 6.10.3 * b8: + Trigger OOM crash on memory allcation errors + Don't treat catch scopes as possibly-shadowing for sloppy eval * lib: fix event race condition with -e * src: fix base64 decoding in rare edgecase * tls: + fix segfault on destroy after partial read + keep track of stream that is closed + fix macro to check NPN feature - nodejs-libpath.patch: updated ------------------------------------------------------------------- Wed Apr 5 01:30:39 UTC 2017 - qantas94heavy@gmail.com - New upstream LTS release 6.10.2 * crypto: fix memory leak if certificate is revoked (#12089) * deps: backport V8 fixes for spread syntax regression causing segfaults (#12037) - Changes not applicable to openSUSE in 6.10.2: * deps: upgrade zlib to 1.2.11 (#10980) * repl: revert commit that broke REPL display on Windows (#12123) - Changes in LTS release 6.10.1 * performance: The performance of several APIs has been improved. + Buffer.compare() is up to 35% faster on average. + buffer.toJSON() is up to 2859% faster on average. + fs.*statSync() functions are now up to 9% faster on average. + os.loadavg is up to 151% faster. + process.memoryUsage() is up to 34% faster. + querystring.unescape() for Buffers is 15% faster on average. + querystring.stringify() is up to 7.8% faster on average. + querystring.parse() is up to 21% faster on average. * IPC: Batched writes have been enabled for process IPC on platforms that support Unix Domain Sockets. Performance gains may be up to 40% for some workloads. * child_process: spawnSync now returns a null status when child is terminated by a signal. This fixes the behavior to act like spawn() does. * http: Control characters are now always rejected when using http.request(). Debug messages have been added for cases when headers contain invalid values. * node: Heap statistics now support values larger than 4GB. * timers: Timer callbacks now always maintain order when interacting with domain error handling. ------------------------------------------------------------------- Sun Feb 26 03:01:09 UTC 2017 - qantas94heavy@gmail.com - New upstream LTS release 6.10.0 * crypto: allow adding extra certs to well-known CAs * deps: upgrade INTL ICU to version 58 * fs: cache non-symlinks in realpathSync * process: add process.memoryUsage().external * repl: allow autocompletion for scoped packages * src: add wrapper for process.emitWarning() - Modify 8334.diff: * Remove merged reference counting code (#9409) * Bring patch in line with upstream changes (#8334) ------------------------------------------------------------------- Fri Feb 3 12:21:10 UTC 2017 - adam.majer@suse.de - New upstream LTS release 6.9.5 * deps: upgrade openssl sources to 1.0.2k (CVE-2017-3731, CVE-2017-3732, CVE-2016-7055, bnc#1022085, bnc#1022086, bnc#1009528) - No changes in LTS release 6.9.4 - Adjusted 8334.diff to be inline with accepted changes ------------------------------------------------------------------- Fri Jan 6 08:25:14 UTC 2017 - qantas94heavy@gmail.com - Add basic check that Node.js loads successfully to spec file ------------------------------------------------------------------- Wed Jan 4 02:56:09 UTC 2017 - qantas94heavy@gmail.com - New upstream LTS release 6.9.3 * build: shared library support is now working for AIX builds * deps/npm: upgrade npm to 3.10.10 * deps/V8: destructuring of arrow function arguments via computed property no longer throws * inspector: /json/version returns object, not an object wrapped in an array * module: using --debug-brk and --eval together now works as expected * process: improve performance of nextTick up to 20% * repl: the division operator will no longer be accidentally parsed as regex * repl: improved support for generator functions * timers: recanceling a cancelled timers will no longer throw ------------------------------------------------------------------- Fri Dec 9 04:22:27 UTC 2016 - qantas94heavy@gmail.com - New upstream LTS version 6.9.2 * buffer: coerce slice parameters consistently * deps/npm: upgrade npm to 3.10.9 * deps/V8: Various fixes to destructuring edge cases + cherry-pick 3c39bac from V8 upstream + cherry pick 7166503 from upstream v8 * gtest: the test reporter now outputs tap comments as yamlish * inspector: inspector now prompts user to use 127.0.0.1 rather than localhost * tls: fix memory leak when writing data to TLSWrap instance during handshake - Modify 8334.diff: * ported and updated system CA store for the new node crypto code ------------------------------------------------------------------- Wed Nov 23 09:00:40 UTC 2016 - adam.majer@suse.de - Add missing conflicts to base package. It's not possible to have concurrent nodejs installations. ------------------------------------------------------------------- Fri Nov 18 11:59:06 UTC 2016 - adam.majer@suse.de - Package unification across various branches of NodeJS. Package for 4.x, 6.x and current (7.x) branches of NodeJS are now handled via GitHub repository. - NodeJS 6.x LTS package, based on NodeJS 4.x LTS layout. All NodeJS packages are interchangeable. (FATE #321373) ------------------------------------------------------------------- Mon Nov 7 13:15:21 UTC 2016 - adam.majer@suse.de - Add versioned dependencies for unbundling of c-ares and icu libraries - SLE12 can have unbundled libicu ------------------------------------------------------------------- Wed Nov 2 04:13:20 UTC 2016 - qantas94heavy@gmail.com - Fork package devel:languages:nodejs/nodejs - Remove support-arm64-build.patch (not necessary for aarch64 build) - Use system library versions of c-ares and ICU where supported - Remove /usr/{lib,lib64}/node_modules from global module paths * This is deprecated behaviour that was caused by an incorrect patch in devel:languages:nodejs/nodejs almost 6 months ago (boo#985350) - Modify nodejs-libpath.patch * Move /usr/lib64/node_modules to %{_libexecpath} as npm isn't architecture dependent (only npm itself is stored there) - Remove nodejs-libpath64.patch - Use separate .sig file instead of .asc file for source verification - Use exec instead of xargs to remove files in install script
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor