[Buildroot] [git commit branch/2021.02.x] package/nodejs: security bump to version 12.22.7

Peter Korsgaard peter at korsgaard.com
Tue Oct 26 18:34:32 UTC 2021


commit: https://git.buildroot.net/buildroot/commit/?id=bc0a1d2bcb090acafc8b80759904303ef9b95360
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/2021.02.x

Fixes the following security issues:

- CVE-2021-22959: HTTP Request Smuggling due to spaces in headers (Medium)
  The http parser accepts requests with a space (SP) right after the header
  name before the colon.  This can lead to HTTP Request Smuggling (HRS).

- CVE-2021-22960: HTTP Request Smuggling when parsing the body (Medium)
  The http parser ignores chunk extensions when parsing the body of chunked
  requests.  This leads to HTTP Request Smuggling (HRS) under certain
  conditions.

For more details, see the advisory:
https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/

Signed-off-by: Peter Korsgaard <peter at korsgaard.com>
---
 package/nodejs/nodejs.hash | 4 ++--
 package/nodejs/nodejs.mk   | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/package/nodejs/nodejs.hash b/package/nodejs/nodejs.hash
index 8d39ef489d..f31c7d5d69 100644
--- a/package/nodejs/nodejs.hash
+++ b/package/nodejs/nodejs.hash
@@ -1,5 +1,5 @@
-# From https://nodejs.org/dist/v12.22.6/SHASUMS256.txt
-sha256  c2022f16b8f689620c3472c2b5261fdabbd0ab976bf9ac3b7db6747a2e9b0f7a  node-v12.22.6.tar.xz
+# From https://nodejs.org/dist/v12.22.7/SHASUMS256.txt
+sha256  cc6a23b44870679a94bd8f3c8d4e1f4b77bb2712a36888ab87463459e6785f6b  node-v12.22.7.tar.xz
 
 # Hash for license file
 sha256  221417a7ca275112a5ac54639b36ee3c5184e74631ea1e1b01b701293b655190  LICENSE
diff --git a/package/nodejs/nodejs.mk b/package/nodejs/nodejs.mk
index 38e8936986..c8c5223a0b 100644
--- a/package/nodejs/nodejs.mk
+++ b/package/nodejs/nodejs.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-NODEJS_VERSION = 12.22.6
+NODEJS_VERSION = 12.22.7
 NODEJS_SOURCE = node-v$(NODEJS_VERSION).tar.xz
 NODEJS_SITE = http://nodejs.org/dist/v$(NODEJS_VERSION)
 NODEJS_DEPENDENCIES = host-python host-nodejs c-ares \
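Review bot: NODEJS_SITE, in the context right below the bumped NODEJS_VERSION, still fetches over plain http://nodejs.org/dist, while the source comment in nodejs.hash already uses https://nodejs.org/dist. The sha256 in nodejs.hash covers the tarball's integrity either way, but moving NODEJS_SITE to https would be a cheap follow-up, best done as a separate commit so this security bump stays minimal.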


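The two parser behaviours named in the commit message above (a space before the header colon, and chunk extensions in a chunked body) can be checked for at a proxy or in a log pipeline. The following is an added example, not code from Buildroot, Node.js or the advisory; the helper names are hypothetical, the sample request is constructed, and flagging every chunk extension is an assumption of this example.

```javascript
// Added example (not Buildroot or Node.js code); helper names are hypothetical.
const FIELD_NAME = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/; // RFC 7230 "token"

// Audit the header lines of one raw HTTP/1.1 request head.
// Returns findings that a strict parser would answer with 400 Bad Request.
function auditHeaderLines(rawHead) {
  const findings = [];
  const lines = rawHead.split('\r\n').slice(1); // skip the request line
  lines.forEach((line, idx) => {
    if (line === '') return; // blank line that ends the head
    const lineNo = idx + 2;
    const colon = line.indexOf(':');
    if (colon === -1) {
      findings.push({ lineNo, issue: 'missing-colon' });
      return;
    }
    const name = line.slice(0, colon);
    if (/[ \t]$/.test(name) && FIELD_NAME.test(name.trimEnd())) {
      // Valid name followed by SP/HTAB before ':' (the CVE-2021-22959 shape).
      findings.push({ lineNo, issue: 'whitespace-before-colon', name: name.trimEnd() });
    } else if (!FIELD_NAME.test(name)) {
      findings.push({ lineNo, issue: 'invalid-field-name' });
    }
  });
  return findings;
}

// Classify one chunk-size line (without its CRLF) of a chunked body.
// Assumption of this example: any chunk extension is worth flagging.
function auditChunkSizeLine(line) {
  const m = /^([0-9A-Fa-f]+)([ \t]*;.*)?$/.exec(line);
  if (!m) return { valid: false, size: null, hasExtension: false };
  return { valid: true, size: parseInt(m[1], 16), hasExtension: m[2] !== undefined };
}

// Constructed sample input, not captured traffic.
const sampleHead = [
  'POST /upload HTTP/1.1',
  'Host: example.test',
  'Transfer-Encoding : chunked',
  'Content-Type: text/plain',
  '',
  '',
].join('\r\n');

console.log(auditHeaderLines(sampleHead));
console.log(auditChunkSizeLine('1a;name=value'));
```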