diff options
| author | Peter Korsgaard <peter@korsgaard.com> | 2018-03-31 08:11:55 +0200 |
|---|---|---|
| committer | Peter Korsgaard <peter@korsgaard.com> | 2018-04-06 20:10:02 +0200 |
| commit | 560b1d374e15046567ed7c866aa1aebbaf3d6e7e (patch) | |
| tree | 8ab101a2c1ded7288448814df1a45060487dca2a /package/nodejs | |
| parent | 5b6c090749e31701bab7254d7ebb3cd121ef3d34 (diff) | |
| download | buildroot-560b1d374e15046567ed7c866aa1aebbaf3d6e7e.tar.gz buildroot-560b1d374e15046567ed7c866aa1aebbaf3d6e7e.zip | |
nodejs: security bump to version 8.11.1
Fixes the following security issues:
- Fix for inspector DNS rebinding vulnerability (CVE-2018-7160): A malicious
website could use a DNS rebinding attack to trick a web browser to bypass
same-origin-policy checks and allow HTTP connections to localhost or to
hosts on the local network, potentially to an open inspector port as a
debugger, therefore gaining full code execution access. The inspector now
only allows connections that have a browser Host value of localhost or
localhost6.
- Fix for 'path' module regular expression denial of service
(CVE-2018-7158): A regular expression used for parsing POSIX paths could
be used to cause a denial of service if an attacker were able to have a
specially crafted path string passed through one of the impacted 'path'
module functions.
- Reject spaces in HTTP Content-Length header values (CVE-2018-7159): The
Node.js HTTP parser allowed for spaces inside Content-Length header
values. Such values now lead to rejected connections in the same way as
non-numeric values.
While we are at it, also add a hash for the license file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
(cherry picked from commit 7f02604553bc3c8449d6a112818f038e99abbdaf)
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Diffstat (limited to 'package/nodejs')
| -rw-r--r-- | package/nodejs/nodejs.hash | 7 | ||||
| -rw-r--r-- | package/nodejs/nodejs.mk | 2 |
2 files changed, 6 insertions, 3 deletions
diff --git a/package/nodejs/nodejs.hash b/package/nodejs/nodejs.hash index 4adef79dca..b3900f6a7d 100644 --- a/package/nodejs/nodejs.hash +++ b/package/nodejs/nodejs.hash @@ -1,2 +1,5 @@ -# From http://nodejs.org/dist/v8.10.0/SHASUMS256.txt -sha256 b72d4e71618d6bcbd039b487b51fa7543631a4ac3331d7caf69bdf55b5b2901a node-v8.10.0.tar.xz +# From http://nodejs.org/dist/v8.11.1/SHASUMS256.txt +sha256 40a6eb51ea37fafcf0cfb58786b15b99152bec672cccf861c14d1cca0ad4758a node-v8.11.1.tar.xz + +# Hash for license file +sha256 b87be6c1479ed977481115869c2dd8b6d59e5ea55aa09939d6c898242121b2f5 LICENSE diff --git a/package/nodejs/nodejs.mk b/package/nodejs/nodejs.mk index e1dd11cef5..2642525c47 100644 --- a/package/nodejs/nodejs.mk +++ b/package/nodejs/nodejs.mk @@ -4,7 +4,7 @@ # ################################################################################ -NODEJS_VERSION = 8.10.0 +NODEJS_VERSION = 8.11.1 NODEJS_SOURCE = node-v$(NODEJS_VERSION).tar.xz NODEJS_SITE = http://nodejs.org/dist/v$(NODEJS_VERSION) NODEJS_DEPENDENCIES = host-python host-nodejs c-ares \ |
