Fixes the following security issues:
- (CVE-2018-7167): Fixes Denial of Service vulnerability where calling
Buffer.fill() could hang
- (CVE-2018-7161): Fixes Denial of Service vulnerability by updating the
http2 implementation to not crash under certain circumstances during
cleanup
- (CVE-2018-1000168): Fixes Denial of Service vulnerability by upgrading
nghttp2 to 1.32.0
See https://nodejs.org/en/blog/release/v8.11.3/ for more details
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Fixes the following security issues:
- Fix for inspector DNS rebinding vulnerability (CVE-2018-7160): A malicious
website could use a DNS rebinding attack to trick a web browser to bypass
same-origin-policy checks and allow HTTP connections to localhost or to
hosts on the local network, potentially to an open inspector port as a
debugger, therefore gaining full code execution access. The inspector now
only allows connections that have a browser Host value of localhost or
localhost6.
- Fix for 'path' module regular expression denial of service
(CVE-2018-7158): A regular expression used for parsing POSIX paths could
be used to cause a denial of service if an attacker were able to have a
specially crafted path string passed through one of the impacted 'path'
module functions.
- Reject spaces in HTTP Content-Length header values (CVE-2018-7159): The
Node.js HTTP parser allowed for spaces inside Content-Length header
values. Such values now lead to rejected connections in the same way as
non-numeric values.
While we are at it, also add a hash for the license file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
See https://nodejs.org/en/blog/release/v8.9.3/
[Peter: mention that this fixes security issues]
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
This commit fixes the warnings reported by check-package on the help
text of all package Config.in files, related to the formatting of the
help text: should start with a tab, then 2 spaces, then at most 62
characters.
The vast majority of warnings fixed were caused by too long lines. A
few warnings were related to spaces being used instead of a tab to
indent the help text.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes a regression introduced in 8.8.0.
See https://nodejs.org/en/blog/release/v8.8.1/
Peter: apply on top of 8.8.0, mention that it fixes regression]
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Fixes CVE-2017-14919 - In zlib v1.2.9, a change was made that causes an
error to be raised when a raw deflate stream is initialized with windowBits
set to 8. On some versions this crashes Node and you cannot recover from
it, while on some versions it throws an exception. Node.js will now
gracefully set windowBits to 9 replicating the legacy behavior to avoid a
DOS vector.
For more details, see the announcement:
https://nodejs.org/en/blog/vulnerability/oct-2017-dos/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <<a href="mailto:peter@korsgaard.com">peter@korsgaard.com</a>><br>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
See https://nodejs.org/en/blog/release/v8.4.0/
An update to v8 6.0.286 has removed the need for mkpeephole and
0002-add-missing-stdarg-includes.patch
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
nodejs requires libuv and by default will use an internal copy
bundled with the release. Change to using a shared libuv library.
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
nodejs requires libhttpparser and by default will use an internal copy
bundled with the release. Change to using a shared libhttpparser library.
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
nodejs requires c-ares and by default will use an internal copy
bundled with the release. Change to using a shared c-ares library.
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes CVE-2017-1000381 - The c-ares function ares_parse_naptr_reply(), which
is used for parsing NAPTR responses, could be triggered to read memory
outside of the given input buffer if the passed in DNS response packet was
crafted in a particular way. This patch checks that there is enough data
for the required elements of an NAPTR record (2 int16, 3 bytes for string
lengths) before processing a record.
See https://nodejs.org/en/blog/release/v8.1.4/
[Peter: add CVE info]
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Since things are no longer installed in $(HOST_DIR)/usr, the callers
should also not refer to it.
This is a mechanical change with
git grep -l '$(HOST_DIR)/usr/bin' | xargs sed -i 's%$(HOST_DIR)/usr/bin%$(HOST_DIR)/bin%g'
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Remove the redundant usr/ component of the HOST_DIR paths. Since a
previous commit added a symlink from $(HOST_DIR)/usr to $(HOST_DIR),
everything keeps on working.
This is a mechanical change with
git grep -l '\$(HOST_DIR)/usr' | xargs sed -i 's%\(prefix\|PREFIX\)=\("\?\)\$(HOST_DIR)/usr%\1=\2$(HOST_DIR)%g'
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
nodejs 0.10.x is now end of life and is no longer maintained so remove it.
See https://github.com/nodejs/LTS
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes:
http://autobuild.buildroot.net/results/833/8334631b54fdfd43d38ca00f42e4d5a98e3a70c4/http://autobuild.buildroot.net/results/9c0/9c08e0b745fab671123facb4a46f60eec5afd718/
Commit 24d90db52a (package/nodejs: disable icu support for host build)
added --with-intl=none to host configure flags to fix an issue related to
icu. The 0.10.x version unfortunately doesn't understand this configure
flag and errors out when provided, breaking the build:
configure: error: no such option: --with-intl
The 0.10.x version doesn't seem to have this icu issue (E.G. no autobuilder
issues before this commit and unable to reproduce locally), so fix it by
only passing --with-intl=none for the 6.9.x version.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Fixes:
http://autobuild.buildroot.net/results/1d6/1d6bbef2cb0c8c2e00b6d7511814ff9ddb2e3073/http://autobuild.buildroot.net/results/4c7/4c7fc92a42405e25f41394fa44f5bdc27a4538c4/
Apperently if both icu and nodejs are enabled during the nodejs host build
the nodejs buildsystem gets confused by the icu version installed by
Buildroot (icu 58.2) and the one bundled with the nodejs source tree(icu
57), which ends up in linking-time errors as:
"""
undefined reference to
`icu_58::NumberFormat::format(icu_58::StringPiece,
icu_58::UnicodeString&, icu_58::FieldPositionIterator*, UErrorCode&)
const'
"""
(note the icu_58 in the symbol name while the bundled icu version is 57)
This patch disables the (not used) i18n support in the nodejs host build
config in order to fix the issue. The issue doesn't affect the target build of
nodejs.
[Peter: add autobuilder references]
Signed-off-by: Zoltan Gyarmati <mr.zoltan.gyarmati@gmail.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Commit 3fd9c062e (nodejs: bump to version 6.9.2) bumped the 6.x version but
forgot to rename the patch directory, so the patches were no longer used.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
c-ares: fix for single-byte buffer overwrite, CVE-2016-5180, more
information at https://c-ares.haxx.se/adv_20160929.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
https://nodejs.org/en/blog/release/v6.9.1/
The patches from 6.7.0 have been copied to 6.9.1.
Signed-off-by: Patrick Devlin <cloudyparts@icloud.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
https://nodejs.org/en/blog/release/v6.7.0/
The patches from 6.2.1 have been copied to 6.7.0 with the following
changes:
- Add 0002-inspector-don-t-build-when-ssl-support-is-disabled.patch
to disable the new V8 inspector when openssl is not included.
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
The only menu was "Module Selection", even though it contained
options (like "NPM for target") which are not related to selecting
modules. This commit therefore removes the menu ... endmenu.
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
icu support was added to nodejs in commit 7d0702a, however, 0.10.x does
not have support for icu. The 0.10.x configure script will error
if it is passed the --with-intl option. This commit removes icu support
from 0.10.x.
Fixes:
http://autobuild.buildroot.net/results/932e4ec24623592255f234a098f7a90ef2ad8063
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Martin Bark <martin@barkynet.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Martin Bark <martin@barkynet.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: Martin Bark <martin@barkynet.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Most packages in buildroot pass a FOO_CONF_OPTS variable into the
configure script. Transition nodejs to follow this convention.
Signed-off-by: Martin Bark <martin@barkynet.com>
Reviewed-by: "Yann E. MORIN" <yann.morin.1998@free.fr>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
