From a1549d7138caf3067809b4c532b30095703fe5b6 Mon Sep 17 00:00:00 2001 From: Peter Korsgaard Date: Tue, 26 Oct 2021 10:34:57 +0200 Subject: [PATCH] package/nodejs: security bump to version 12.22.7 Fixes the following security issues: - CVE-2021-22959: HTTP Request Smuggling due to spaced in headers (Medium) The http parser accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS). - CVE-2021-22960: HTTP Request Smuggling when parsing the body (Medium) The http parser ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions. For more details, see the advisory: https://nodejs.org/en/blog/vulnerability/oct-2021-security-releases/ Signed-off-by: Peter Korsgaard --- package/nodejs/nodejs.hash | 4 ++-- package/nodejs/nodejs.mk | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/package/nodejs/nodejs.hash b/package/nodejs/nodejs.hash index 8d39ef489d..f31c7d5d69 100644 --- a/package/nodejs/nodejs.hash +++ b/package/nodejs/nodejs.hash @@ -1,5 +1,5 @@ -# From https://nodejs.org/dist/v12.22.6/SHASUMS256.txt -sha256 c2022f16b8f689620c3472c2b5261fdabbd0ab976bf9ac3b7db6747a2e9b0f7a node-v12.22.6.tar.xz +# From https://nodejs.org/dist/v12.22.7/SHASUMS256.txt +sha256 cc6a23b44870679a94bd8f3c8d4e1f4b77bb2712a36888ab87463459e6785f6b node-v12.22.7.tar.xz # Hash for license file sha256 221417a7ca275112a5ac54639b36ee3c5184e74631ea1e1b01b701293b655190 LICENSE diff --git a/package/nodejs/nodejs.mk b/package/nodejs/nodejs.mk index 38e8936986..c8c5223a0b 100644 --- a/package/nodejs/nodejs.mk +++ b/package/nodejs/nodejs.mk @@ -4,7 +4,7 @@ # ################################################################################ -NODEJS_VERSION = 12.22.6 +NODEJS_VERSION = 12.22.7 NODEJS_SOURCE = node-v$(NODEJS_VERSION).tar.xz NODEJS_SITE = http://nodejs.org/dist/v$(NODEJS_VERSION) NODEJS_DEPENDENCIES = host-python host-nodejs c-ares \
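Review bot: In the package/nodejs/nodejs.hash hunk, the LICENSE sha256 line is carried over as unchanged context, so the bump assumes the license file in node-v12.22.7.tar.xz is byte-identical to the one in 12.22.6. Please confirm that the legal-info step was run against the new tarball. The comment above the tarball hash records the SHASUMS256.txt URL but not whether that file's signature was checked. Since this hash is the only integrity anchor for the download, consider saying in the comment that the value was taken from the signature-verified checksum file (upstream publishes SHASUMS256.txt.asc next to it).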
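Review bot: In the package/nodejs/nodejs.mk hunk, the context line directly below the changed NODEJS_VERSION still reads NODEJS_SITE = http://nodejs.org/dist/v$(NODEJS_VERSION), so the tarball for this security bump is fetched over plain HTTP. The sha256 in nodejs.hash will catch a modified tarball. Even so, switching the scheme to https:// would match the URL already used in the nodejs.hash comment and avoid exposing the download to on-path interference. That change could go in this patch or a follow-up.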