Fixes CVE-2017-15896 - Node.js was affected by OpenSSL vulnerability
CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake
failure. The result was that an active network attacker could send
application data to Node.js using the TLS or HTTP2 modules in a way that
bypassed TLS authentication and encryption.
For more details, see the announcement:
https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2017-14919 - In zlib v1.2.9, a change was made that causes an
error to be raised when a raw deflate stream is initialized with windowBits
set to 8. On some versions this crashes Node and you cannot recover from
it, while on some versions it throws an exception. Node.js will now
gracefully set windowBits to 9 replicating the legacy behavior to avoid a
DOS vector.
For more details, see the announcement:
https://nodejs.org/en/blog/vulnerability/oct-2017-dos/
Drop 0002-inspector-don-t-build-when-ssl-support-is-disabled.patch as that
is now upstream:
https://github.com/nodejs/node/commit/ba23506419
And refresh the other patches.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2017-1000381 - The c-ares function ares_parse_naptr_reply(), which
is used for parsing NAPTR responses, could be triggered to read memory
outside of the given input buffer if the passed in DNS response packet was
crafted in a particular way. This patch checks that there is enough data
for the required elements of an NAPTR record (2 int16, 3 bytes for string
lengths) before processing a record.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
6.11.0 is the latest release in the LTS series, fixing a number of issues:
https://nodejs.org/en/blog/release/v6.11.0/
Building without openssl is broken in 6.11.0, so add an upstream patch to
fix that.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
https://nodejs.org/en/blog/release/v6.7.0/
The patches from 6.2.1 have been copied to 6.7.0 with the following
changes:
- Add 0002-inspector-don-t-build-when-ssl-support-is-disabled.patch
to disable the new V8 inspector when openssl is not included.
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
See https://nodejs.org/en/blog/release/v6.0.0/
The patches from 5.11.0 have been copied to 6.0.0 with the following
changes:
- Removed 0001-Remove-dependency-on-Python-bz2-module.patch,
0003-Fix-va_list-not-declared.patch and
0004-Fix-support-for-uClibc-ng.patch as all 3 have been fixed upstream
- Renamed 0002-gyp-force-link-command-to-use-CXX.patch to
0001-gyp-force-link-command-to-use-CXX.patch
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Patches from 5.3.0 have been copied over with the following exceptions:
- Removed 0005-Fix-crash-in-GetInterfaceAddresses.patch as this has
been applied upstream
- Renamed 0006-Fix-support-for-uClibc-ng.patch to
0005-Fix-support-for-uClibc-ng.patch
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Remove 0.12.9 to rationalise the number of nodejs releases supported by
buildroot. Going forward buildroot will only support the latest release
of nodejs and the 0.10.x branch for armv5 support.
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Patch #4 was applied upstream, however a new bug was introduced which breaks
building nodejs without OpenSSL support. We replace the applied patch with a
new patch to fix:
error: ‘ALLOW_INSECURE_SERVER_DHPARAM’ was not declared in this scope
ALLOW_INSECURE_SERVER_DHPARAM = true;
Patch #4 status: Sent upstream [1]
[1] https://github.com/nodejs/node/pull/4201
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
We add a new version, because it is not API-compatible with the previous
versions.
Also, nodejs-4.1.2 requires gcc >= 4.8.
Forward-port patches from 0.12.7:
- 0001-Remove-dependency-on-Python-bz2-module.patch partially applied
upstream;
- 0002-gyp-force-link-command-to-use-CXX.patch slightly refreshed;
- 0003-Use-a-python-variable-instead-of-hardcoding-Python.patch
largely refreshed to address new occurences of hard-coded calls;
- 0004-fix-build-error-without-OpenSSL-support.patch applied upstream
- 0005-Fix-typo-for-arm-predefined-macro-in-atomicops_inte.patch
applied upstream.
New patch:
- 0004-fix-arm-vfpv2.patch to fix the gcc -mfpu option for VFPv2.
Signed-off-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Cc: Jörg Krause <joerg.krause@embedded.rocks>
Cc: Martin Bark <martin@barkynet.com>
Cc: Jaap Crezee <jaap@jcz.nl>
Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
The version of the V8 JavaScript engine used by node.js v0.12.5 requires
at least an ARMv6 architecture with VFPv2. For this reason v0.10.39
remains the default for ARMv5 targets, all other targets now default to
v0.12.5.
Signed-off-by: Martin Bark <martin@barkynet.com>
Acked-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Version 0.10.38 upgrades OpenSSL to version 1.0.1m, which includes fixes for
several CVEs:
- CVE-2015-0204
- CVE-2015-0286
- CVE-2015-0287
- CVE-2015-0289
- CVE-2015-0292
- CVE-2015-0293
- CVE-2015-0209
- CVE-2015-0288
Version 0.10.37 comes with a fix for CVE-2015-0278.
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
