[Buildroot] [PATCH] package/nodejs: security bump to version 12.18.4
Yann E. MORIN
yann.morin.1998 at free.fr
Thu Oct 1 19:23:53 UTC 2020
Peter, All,
On 2020-10-01 20:49 +0200, Peter Korsgaard spake thusly:
> Fixes the following security issues:
>
> - CVE-2020-8201: HTTP Request Smuggling due to CR-to-Hyphen conversion
>
> Affected Node.js versions converted carriage returns in HTTP request
> headers to a hyphen before parsing. This can lead to HTTP Request
> Smuggling as it is a non-standard interpretation of the header.
>
> Impacts:
> All versions of the 14.x and 12.x releases line
>
> - CVE-2020-8252: fs.realpath.native may cause buffer overflow
>
> libuv's realpath implementation incorrectly determined the buffer size
> which can result in a buffer overflow if the resolved path is longer than
> 256 bytes.
>
> Impacts:
> All versions of the 10.x release line
> All versions of the 12.x release line
>
> For more details, see the advisory:
> https://nodejs.org/en/blog/vulnerability/september-2020-security-releases/
>
> Adjust license hash for the addition of the BSD-3c licensed highlight.js:
> https://github.com/nodejs/node/commit/6f8b7a85d239129273948386c34775810f2dc4a3
>
> Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
Applied to master, thanks.
Regards,
Yann E. MORIN.
> ---
> package/nodejs/nodejs.hash | 6 +++---
> package/nodejs/nodejs.mk | 2 +-
> 2 files changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/package/nodejs/nodejs.hash b/package/nodejs/nodejs.hash
> index 60d69a8638..33fb407882 100644
> --- a/package/nodejs/nodejs.hash
> +++ b/package/nodejs/nodejs.hash
> @@ -1,5 +1,5 @@
> -# From https://nodejs.org/dist/v12.18.0/SHASUMS256.txt
> -sha256 d4688636a378367f5157f02bd5c13902f5c193356f8f7a35c99dfa383b03b13f node-v12.18.0.tar.xz
> +# From https://nodejs.org/dist/v12.18.4/SHASUMS256.txt
> +sha256 25f03cb18e53b6d0959d0c219e701a85eb4693f526bdda7c72bc6199b364f609 node-v12.18.4.tar.xz
>
> # Hash for license file
> -sha256 cd2e5817a25d7d28efba927b01056cae04a616b673014159f9eafeb008a0e747 LICENSE
> +sha256 0dc03af08b95ea0c1e27f8fd591dee4383eb6f2c304db6eb6cdfb6751f7da87b LICENSE
> diff --git a/package/nodejs/nodejs.mk b/package/nodejs/nodejs.mk
> index e384d4c8a0..b159b10253 100644
> --- a/package/nodejs/nodejs.mk
> +++ b/package/nodejs/nodejs.mk
> @@ -4,7 +4,7 @@
> #
> ################################################################################
>
> -NODEJS_VERSION = 12.18.0
> +NODEJS_VERSION = 12.18.4
> NODEJS_SOURCE = node-v$(NODEJS_VERSION).tar.xz
> NODEJS_SITE = http://nodejs.org/dist/v$(NODEJS_VERSION)
> NODEJS_DEPENDENCIES = host-python host-nodejs c-ares \
> --
> 2.20.1
>
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
More information about the buildroot
mailing list