Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP7:Update
nodejs16
nodejs16.changes
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File nodejs16.changes of Package nodejs16
------------------------------------------------------------------- Tue Oct 29 13:07:18 UTC 2024 - Adam Majer <adam.majer@suse.de> - openssl31.patch: fix unit tests with OpenSSL 3.1 (bsc#1232756) ------------------------------------------------------------------- Mon May 27 11:44:37 UTC 2024 - Adam Majer <adam.majer@suse.de> - CVE-2024-30261.patch: update undici to v5.28.4 (bsc#1222530, bsc#1222603, CVE-2024-30260, CVE-2024-30261) ------------------------------------------------------------------- Thu Apr 11 10:51:31 UTC 2024 - Adam Majer <adam.majer@suse.de> - CVE-2024-27983.patch - Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash- (High) (bsc#1222244, CVE-2024-27983) - CVE-2024-27982.patch - HTTP Request Smuggling via Content Length Obfuscation- (Medium) (bsc#1222384, CVE-2024-27982) - updated dependencies: + llhttp version 6.1.1 - CVE-2024-22025.patch - test timeout adjustment ------------------------------------------------------------------- Tue Feb 20 09:52:34 UTC 2024 - Adam Majer <adam.majer@suse.de> * CVE-2023-46809.patch: Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) - (Medium) (CVE-2023-46809, bsc#1219997) * CVE-2024-22019.patch: http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks- (High) (CVE-2024-22019, bsc#1219993) * CVE-2024-22025.patch: fix Denial of Service by resource exhaustion in fetch() brotli decoding (CVE-2024-22025, bsc#1220014) * CVE-2024-24758.patch: ignore proxy-authorization headers (CVE-2024-24758, bsc#1220017) * CVE-2024-24806.patch: fix improper domain lookup that potentially leads to SSRF attacks (CVE-2024-24806, bsc#1220053) * sle12-node-gyp-addon-gypi.patch - GYP patches for SLE12 ------------------------------------------------------------------- Tue Oct 17 11:52:34 UTC 2023 - Adam Majer <adam.majer@suse.de> - CVE-2023-38552.patch: Integrity checks according to policies can be circumvented (CVE-2023-38552, bsc#1216272) - CVE-2023-39333.patch, wasm-fixture.tar.gz: Code injection via WebAssembly export names (CVE-2023-39333, bsc#1216273) - CVE-2023-44487.patch: nghttp2 Security Release (CVE-2023-44487, bsc#1216190) - CVE-2023-45143.patch: undici Security Release (CVE-2023-45143, bsc#1216205) - nodejs.keyring: include new releaser keys ------------------------------------------------------------------- Thu Aug 10 14:33:17 UTC 2023 - Adam Majer <adam.majer@suse.de> - Update to LTS version 16.20.2 (security fixes). The following CVE were fixed: * (CVE-2023-32002, bsc#1214150): Policies can be bypassed via Module._load (High) * (CVE-2023-32006, bsc#1214156): Policies can be bypassed by module.constructor.createRequire (Medium) * (CVE-2023-32559, bsc#1214154): Policies can be bypassed via process.binding (Medium) ------------------------------------------------------------------- Wed Jun 21 11:24:39 UTC 2023 - Adam Majer <adam.majer@suse.de> - Update to version 16.20.1 (security fixes only). The following CVEs are fixed in this release: * (CVE-2023-30581, bsc#1212574): mainModule.__proto__ Bypass Experimental Policy Mechanism (High) * (CVE-2023-30585, bsc#1212579): Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (Medium) * (CVE-2023-30588, bsc#1212581): Process interuption due to invalid Public Key information in x509 certificates (Medium) * (CVE-2023-30589, bsc#1212582): HTTP Request Smuggling via Empty headers separated by CR (Medium) * (CVE-2023-30590, bsc#1212583): DiffieHellman does not generate keys after setting a private key (Medium) * deps: update c-ares to 1.19.1: c-ares security issues fixed: + CVE-2023-32067. High. 0-byte UDP payload causes Denial of Service (bsc#1211604) + CVE-2023-31147 Moderate. Insufficient randomness in generation of DNS query IDs (bsc#1211605) + CVE-2023-31130. Moderate. Buffer Underwrite in ares_inet_net_pton() (bsc#1211606) + CVE-2023-31124. Low. AutoTools does not set CARES_RANDOM_FILE during cross compilation (bsc#1211607) - fix_ci_tests.patch: increase default timeout on unit tests to 20min from 2min. This seems to have lead to build failures on some platforms, like s390x in Factory. (bsc#1211407) ------------------------------------------------------------------- Wed Apr 12 09:12:32 UTC 2023 - Adam Majer <adam.majer@suse.de> - 16.20.0 - Update to LTS version 16.20.0 * deps: + update undici to 5.20.0 + update c-ares to 1.19.0 + upgrade npm to 8.19.4 (bsc#1208744, CVE-2022-25881) - legacy_python.patch, versioned.patch: refreshed ------------------------------------------------------------------- Wed Feb 22 13:42:36 UTC 2023 - Adam Majer <adam.majer@suse.de> - Update to LTS version 16.19.1: * fixes permissions policies can be bypassed via process.mainModule (bsc#1208481, CVE-2023-23918) * fixes insecure loading of ICU data through ICU_DATA environment variable (bsc#1208487, CVE-2023-23920) * fixes OpenSSL error handling issues in nodejs crypto library (bsc#1208483, CVE-2023-23919) * updates undici to v5.19.1 + Fetch API in Node.js did not protect against CRLF injection in host headers + Regular Expression Denial of Service in Headers in Node.js fetch API (bsc#1208413, bsc#1208485, CVE-2023-24807, CVE-2023-23936) ------------------------------------------------------------------- Sat Dec 31 20:54:09 UTC 2022 - Adam Majer <adam.majer@suse.de> - Update to LTS version 16.19.0: * dgram: add dgram send queue info * cli: add --watch - systemtap.patch: upstreamed, removed - versioned.patch: refreshed ------------------------------------------------------------------- Fri Dec 23 11:31:12 UTC 2022 - Guillaume GARDET <guillaume.gardet@opensuse.org> - Update _constraints: * Less RAM for aarch64 and 32-bit arm * Use 'asimdrdm' cpu flag to use aarch64 workers where tests are more stable ------------------------------------------------------------------- Tue Nov 29 16:34:55 UTC 2022 - Adam Majer <adam.majer@suse.de> - sle12_python3_compat.patch: only apply for older SLE12 codestreams where Python 3.6 is not available. Still worlaround for bsc#1205568 ------------------------------------------------------------------- Wed Nov 23 16:51:08 UTC 2022 - Adam Majer <adam.majer@suse.de> - Workaround bug on SLE12SP5 during source unpack (bsc#1205568) ------------------------------------------------------------------- Mon Nov 7 09:04:49 UTC 2022 - Adam Majer <adam.majer@suse.de> - Update to LTS versino 16.18.1: * inspector: DNS rebinding in --inspect via invalid octal IP (bsc#1205119, CVE-2022-43548) - Replace node-gyp for SLE12 with python 3.4 compatible gyp ------------------------------------------------------------------- Thu Oct 13 08:29:08 UTC 2022 - Adam Majer <adam.majer@suse.de> - Update to LTS version 16.18.0: * http: throw error on content-length mismatch * stream: add ReadableByteStream.tee() * deps: npm updated to 8.19.2 - nodejs-libpath.patch, fix_ci_tests.patch, versioned.patch: refreshed - undici_5.8.1.patch, undici_5.8.2.patch: upstreamed and removed - systemtap.patch: upstream regression ------------------------------------------------------------------- Mon Sep 26 14:20:03 UTC 2022 - Adam Majer <adam.majer@suse.de> - Update to Nodejs 16.17.1: * deps: llhttp updated to 6.0.9 + CVE-2022-32213 bypass via obs-fold mechanic (bsc#1201325) + Incorrect Parsing of Multi-line Transfer-Encoding (CVE-2022-32215, bsc#1201327) + Incorrect Parsing of Header Fields (CVE-2022-35256, bsc#1203832) * crypto: fix weak randomness in WebCrypto keygen (CVE-2022-35255, bsc#1203831) ------------------------------------------------------------------- Sat Sep 17 10:35:31 UTC 2022 - Bruno Pitrus <brunopitrus@hotmail.com> - Skip test-fs-utimes-y2K38.js on armv6hl as well as armv7hl. ------------------------------------------------------------------- Thu Aug 25 14:10:41 UTC 2022 - Adam Majer <adam.majer@suse.de> - undici_5.8.1.patch, undici_5.8.2.patch: update undici to 5.8.2 (bsc#1202382, CVE-2022-35949, bsc#1202383, CVE-2022-35948) ------------------------------------------------------------------- Tue Aug 16 14:53:04 UTC 2022 - Adam Majer <adam.majer@suse.de> - enable crypto-policies for SLE15 SP4+ and TW (bsc#1200303) - Update to LTS version 16.17.0: * deps: upgrade npm to 8.15.0 * Improved interoperability of the Web Crypto API * Updated Undici to 5.8.0 (bsc#1201710, CVE-2022-31150) For full list of changes, see https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V16.md#16.17.0 - nodejs-libpath.patch, versioned.patch: refreshed patches ------------------------------------------------------------------- Mon Jul 11 12:07:16 UTC 2022 - Adam Majer <adam.majer@suse.de> - Update to LTS version 16.16.0: * http: stricter Transfer-Encoding and header separator parsing (bsc#1201325, bsc#1201326, bsc#1201327, CVE-2022-32213, CVE-2022-32214, CVE-2022-32215) * src: fix IPv4 validation in inspector_socket (bsc#1201328, CVE-2022-32212) ------------------------------------------------------------------- Thu Jun 23 13:42:03 UTC 2022 - Ferdinand Thiessen <rpm@fthiessen.de> - Update to LTS version 16.15.1 * upgrade npm to 8.11.0 (bsc#1200517, CVE-2022-29244) - Update to LTS version 16.15.0 * Add experimental support to the fetch API. This adds the `--experimental-fetch` flag that installs the fetch, Request, Response, Headers, and FormData globals. * Broken x32 support is removed * crypto: Add KeyObject.prototype.equals method * esm: support https remotely and http locally under flag * module: unflag esm jso - rebased: nodejs-libpath.patch, npm_search_paths.patch, versioned.patch ------------------------------------------------------------------- Wed Apr 13 12:55:22 UTC 2022 - Adam Majer <adam.majer@suse.de> - update to LTS release 16.14.2: * deps: upgrade openssl sources to OpenSSL_1_1_1n - fix_ci_tests.patch: refreshed ------------------------------------------------------------------- Wed Mar 16 11:01:02 UTC 2022 - Adam Majer <adam.majer@suse.de> - update to LTS release 16.14.1: * deps: upgrade npm to 8.5.0 * http2: fix memory leak on nghttp2 hd threshold - 42342.patch: upstreamed, dropped - versioned.patch: refreshed ------------------------------------------------------------------- Tue Mar 15 13:29:20 UTC 2022 - Adam Majer <adam.majer@suse.de> - 42342.patch: fix expired certificates in unit tests ------------------------------------------------------------------- Thu Feb 17 12:31:36 UTC 2022 - Adam Majer <adam.majer@suse.de> - update to LTS release 16.14.0: * deps: upgrade npm to 8.1.4 * child_process: add support for URL to cp.fork * fs: accept URL as argument for fs.rm and fs.rmSync * lib: + make AbortSignal cloneable/transferable + add AbortSignal.timeout + add reason to AbortSignal + add unsubscribe method to non-active DC channels * process: add getActiveResourcesInfo() * src: + add x509.fingerprint512 to crypto module + add flags for controlling process behavior * stream: + add map and filter methods to readable + deprecate thenable support * timers: add experimental scheduler api * util: + add numericSeparator to util.inspect + always visualize cause property in errors during inspection + pass through the inspect function to custom inspect functions npm_search_paths.patch, versioned.patch: refreshed ------------------------------------------------------------------- Fri Jan 28 16:09:53 UTC 2022 - Adam Majer <adam.majer@suse.de> - Add buildtime version check to determine if we need patched openssl Requires: or already in upstream. (bsc#1192489) ------------------------------------------------------------------- Tue Jan 18 08:29:18 UTC 2022 - Adam Majer <adam.majer@suse.de> - rsa-pss-revert.patch: dropped, since openssl updated with needed functionality ------------------------------------------------------------------- Tue Jan 11 18:48:04 UTC 2022 - Adam Majer <adam.majer@suse.de> - update to 16.13.2: Security update fixing the following issues: * Improper handling of URI Subject Alternative Names (Medium) (CVE-2021-44531, bsc#1194511) * Certificate Verification Bypass via String Injection (Medium) (CVE-2021-44532, bsc#1194512) * Incorrect handling of certificate subject and issuer fields (Medium) (CVE-2021-44533, bsc#1194513) * Prototype pollution via console.table properties (Low) (CVE-2022-21824, bsc#1194514) ------------------------------------------------------------------- Wed Jan 5 20:50:19 UTC 2022 - Adam Majer <adam.majer@suse.de> - fix_ci_tests.patch: fix tests on s390x ------------------------------------------------------------------- Tue Jan 4 12:17:19 UTC 2022 - Adam Majer <adam.majer@suse.de> - rsa-pss-revert.patch: temporarily revert functionality requiring newer openssl ------------------------------------------------------------------- Tue Dec 7 16:42:18 UTC 2021 - Adam Majer <adam.majer@suse.de> - Update to 16.13.1: * deps: upgrade npm to 8.1.2 * lib: fix regular expression to detect `/` and `\` - 40670.patch: upstreamed - fix_ci_tests.patch: refreshed ------------------------------------------------------------------- Thu Nov 25 12:21:25 UTC 2021 - Guillaume GARDET <guillaume.gardet@opensuse.org> - Fix CXXFLAGS in Tumbleweed - boo#1192824 ------------------------------------------------------------------- Tue Nov 9 10:43:16 UTC 2021 - Adam Majer <adam.majer@suse.de> - BR python 3.6+ ------------------------------------------------------------------- Sat Nov 6 14:13:02 UTC 2021 - Adam Majer <adam.majer@suse.de> - Update to 16.13.0: * Experimental ESM Loader Hooks API https://github.com/nodejs/node/pull/37468 * deps: upgrade npm to 8.1.0 (npm team) * vm: add support for import assertions in dynamic imports - Changes in 16.11.1: * deps: update llhttp to 6.0.4 - HTTP Request Smuggling due to spaced in headers (bsc#1191601, CVE-2021-22959) - HTTP Request Smuggling when parsing the body (bsc#1191602, CVE-2021-22960) - Changes in 16.11.0: * deps: update nghttp2 to v1.45.1 - Changes in 16.10.0: * crypto: add rsa-pss keygen parameters * fs: make open and close stream override optional when unused * http: limit requests per connection The maximum number of requests a socket can handle before closing keep alive connection can be set with server.maxRequestsPerSocket. * src: add --no-global-search-paths cli option * stream: add signal support to pipeline generators - Changes in 16.9.0: * Added support for corepack * crypto: add RSA-PSS params to asymmetricKeyDetails * module: support pattern trailers * stream: add stream.compose - Changes in 16.8.0: * doc: deprecate type coercion for dns.lookup options * stream: add stream.Duplex.from utility and isDisturbed helper * util: expose toUSVString - Changes in 16.7.0: * fs: experimental: add recursive cp method - refreshed: fix_ci_tests.patch, flaky_test_rerun.patch, nodejs-libpath.patch, sle12_python3_compat.patch, versioned.patch, node_modules.tar.xz ------------------------------------------------------------------- Tue Nov 2 14:40:41 UTC 2021 - Dominique Leuenberger <dimstar@opensuse.org> - Add 40670.patch: test: fix test-datetime-change-notify after daylight change. ------------------------------------------------------------------- Fri Oct 15 19:57:42 UTC 2021 - Bernhard Voelker <mail@bernhard-voelker.de> - test-skip-y2038-on-32bit-time_t.patch: Add patch to skip the test 'test/parallel/test-fs-utimes-y2K38.js' which fails with a FP on platforms with 32-bit time_t. - nodejs16.spec: Reference it. ------------------------------------------------------------------- Thu Aug 12 13:51:48 UTC 2021 - Adam Majer <adam.majer@suse.de> - Update to 16.6.2: * CVE-2021-3672/CVE-2021-22931: Improper handling of untypical characters in domain names (bsc#1189370, bsc#1188881) * CVE-2021-22940: Use after free on close http2 on stream canceling (bsc#1189368) * CVE-2021-22939: Incomplete validation of rejectUnauthorized parameter (bsc#1189369) * deps: upgrade npm to 7.20.3 * deps: revert ABI-breaking change from V8 9.2 * module: fix ERR_REQUIRE_ESM error for null frames - cares_public_headers.patch: don't use private headers ------------------------------------------------------------------- Mon Aug 2 13:02:58 UTC 2021 - Adam Majer <adam.majer@suse.de> - Update to 16.6.0: http2: fixes use after free on close http2 on stream canceling (bsc#1188917, CVE-2021-22930) ------------------------------------------------------------------- Thu Jul 22 12:18:32 UTC 2021 - Adam Majer <adam.majer@suse.de> - legacy_python.patch: fix building with python 3.4 in SLE-12 ------------------------------------------------------------------- Wed Jul 21 21:57:54 UTC 2021 - Adam Majer <adam.majer@suse.de> - Update to 16.5.0: * deps: upgrade npm to 7.19.1 * fs: allow empty string for temp directory prefix * Node.js now exposes an experimental implementation of the Web Streams API ------------------------------------------------------------------- Fri Jul 2 15:17:09 UTC 2021 - Adam Majer <adam.majer@suse.de> - Update to 16.4.1: deps: libuv upgrade - Out of bounds read (Medium) (bsc#1187973, CVE-2021-22918) ------------------------------------------------------------------- Thu Jul 1 13:34:05 UTC 2021 - Adam Majer <adam.majer@suse.de> - node-gyp_7.1.2.tar.xz: for SLE-12, use latest node-gyp that is compatible with python 3.4 ------------------------------------------------------------------- Wed Jun 23 12:57:04 UTC 2021 - Adam Majer <adam.majer@suse.de> - Update to 16.4.0: * async_hooks: stabilize part of AsyncLocalStorage * deps: + upgrade npm to 7.18.1 + update V8 to 9.1.269.36 * dns: allow --dns-result-order to change default dns verbatim ------------------------------------------------------------------- Mon Jun 21 05:01:32 UTC 2021 - Andreas Schneider <asn@cryptomilk.org> - Allow building for Fedora in the OBS ------------------------------------------------------------------- Fri Jun 4 20:59:13 UTC 2021 - Dirk Müller <dmueller@suse.com> - update to 16.3.0: * add -C alias for --conditions flag * add workspaces support to npm install commands ------------------------------------------------------------------- Mon May 31 16:27:44 UTC 2021 - Adam Majer <adam.majer@suse.de> - Use libalternatives instead of update-alternatives ------------------------------------------------------------------- Thu May 20 14:56:23 UTC 2021 - Adam Majer <adam.majer@suse.de> - New upstream version 16.2.0: * async_hooks: use new v8::Context PromiseHook API * deps: npm updated to 7.13.0 * lib: support setting process.env.TZ on windows * module: add support for URL to import.meta.resolve * process: add 'worker' event * util: add util.types.isKeyObject and util.types.isCryptoKey ------------------------------------------------------------------- Wed May 5 11:21:13 UTC 2021 - Adam Majer <adam.majer@suse.de> - New upstream version 16.1.0 fs: allow no-params fsPromises fileHandle read ------------------------------------------------------------------- Tue May 4 12:00:35 UTC 2021 - Adam Majer <adam.majer@suse.de> - New upstrean version 16.0.0: For complete list of changes since 15.x, please see https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V16.md#16.0.0 ------------------------------------------------------------------- Wed Mar 17 12:05:50 UTC 2021 - Adam Majer <adam.majer@suse.de> - Import staging 16.x
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor