| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
|
|
|
|
| |
Fixes the following security issues:
Node.js: Slowloris HTTP Denial of Service with keep-alive (CVE-2019-5737)
OpenSSL: 0-byte record padding oracle (CVE-2019-1559)
For more details, see the CHANGELOG:
https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V8.md#8.15.1
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes regressions introduced by the v8.14.0 security release. From the
announcement:
The 8.14.0 security release introduced some unexpected breakages on the 8.x
release line. This is a special release to fix a regression in the HTTP
binary upgrade response body and add a missing CLI flag to adjust the max
header size of the http parser.
https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V8.md#8.15.0
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes the following security vulnerabilities:
- Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
- Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
- Node.js: Hostname spoofing in URL parser for javascript protocol
(CVE-2018-12123)
- Node.js: HTTP request splitting (CVE-2018-12116)
- OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
- OpenSSL: Microarchitecture timing vulnerability in ECC scalar
multiplication (CVE-2018-5407)
For more details, see the announcement:
https://nodejs.org/en/blog/release/v8.14.0/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
|
| |
|
|
|
|
|
| |
See https://nodejs.org/en/blog/release/v8.12.0/
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Release notes:
https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/
Fixes CVE-2018-12115, also CVEs were fixed in included OpenSSL code
which do not use for the target build.
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes the following security issues:
- (CVE-2018-7167): Fixes Denial of Service vulnerability where calling
Buffer.fill() could hang
- (CVE-2018-7161): Fixes Denial of Service vulnerability by updating the
http2 implementation to not crash under certain circumstances during
cleanup
- (CVE-2018-1000168): Fixes Denial of Service vulnerability by upgrading
nghttp2 to 1.32.0
See https://nodejs.org/en/blog/release/v8.11.3/ for more details
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
|
| |
|
|
|
|
|
| |
See https://nodejs.org/en/blog/release/v8.11.2/
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes the following security issues:
- Fix for inspector DNS rebinding vulnerability (CVE-2018-7160): A malicious
website could use a DNS rebinding attack to trick a web browser to bypass
same-origin-policy checks and allow HTTP connections to localhost or to
hosts on the local network, potentially to an open inspector port as a
debugger, therefore gaining full code execution access. The inspector now
only allows connections that have a browser Host value of localhost or
localhost6.
- Fix for 'path' module regular expression denial of service
(CVE-2018-7158): A regular expression used for parsing POSIX paths could
be used to cause a denial of service if an attacker were able to have a
specially crafted path string passed through one of the impacted 'path'
module functions.
- Reject spaces in HTTP Content-Length header values (CVE-2018-7159): The
Node.js HTTP parser allowed for spaces inside Content-Length header
values. Such values now lead to rejected connections in the same way as
non-numeric values.
While we are at it, also add a hash for the license file.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
| |
|
|
|
|
|
| |
See https://nodejs.org/en/blog/release/v8.10.0/
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
| |
|
|
|
|
|
| |
See https://nodejs.org/en/blog/release/v8.9.4/
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
| |
|
|
|
|
|
|
| |
See https://nodejs.org/en/blog/release/v8.9.3/
[Peter: mention that this fixes security issues]
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
| |
|
|
|
|
|
| |
See https://nodejs.org/en/blog/release/v8.9.1/
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
| |
|
|
|
|
|
|
|
| |
Fixes a regression introduced in 8.8.0.
See https://nodejs.org/en/blog/release/v8.8.1/
Peter: apply on top of 8.8.0, mention that it fixes regression]
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes CVE-2017-14919 - In zlib v1.2.9, a change was made that causes an
error to be raised when a raw deflate stream is initialized with windowBits
set to 8. On some versions this crashes Node and you cannot recover from
it, while on some versions it throws an exception. Node.js will now
gracefully set windowBits to 9 replicating the legacy behavior to avoid a
DOS vector.
For more details, see the announcement:
https://nodejs.org/en/blog/vulnerability/oct-2017-dos/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Peter Korsgaard <<a href="mailto:peter@korsgaard.com">peter@korsgaard.com</a>><br>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
| |
|
|
|
|
|
| |
See https://nodejs.org/en/blog/release/v8.6.0/
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
| |
|
|
|
| |
Signed-off-by: Bernd Kuhls <bernd.kuhls@t-online.de>
Signed-off-by: Arnout Vandecappelle (Essensium/Mind) <arnout@mind.be>
|
| |
|
|
|
|
|
|
|
|
| |
See https://nodejs.org/en/blog/release/v8.4.0/
An update to v8 6.0.286 has removed the need for mkpeephole and
0002-add-missing-stdarg-includes.patch
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
| |
|
|
|
|
|
| |
https://nodejs.org/en/blog/release/v8.2.1/
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes CVE-2017-1000381 - The c-ares function ares_parse_naptr_reply(), which
is used for parsing NAPTR responses, could be triggered to read memory
outside of the given input buffer if the passed in DNS response packet was
crafted in a particular way. This patch checks that there is enough data
for the required elements of an NAPTR record (2 int16, 3 bytes for string
lengths) before processing a record.
See https://nodejs.org/en/blog/release/v8.1.4/
[Peter: add CVE info]
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
| |
|
|
|
|
|
| |
See https://nodejs.org/en/blog/release/v8.1.2/
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
| |
|
|
|
|
|
| |
See https://nodejs.org/en/blog/release/v8.0.0/
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
| |
|
|
|
|
|
| |
See https://nodejs.org/en/blog/release/v7.10.0/
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
| |
|
|
|
|
|
| |
See https://nodejs.org/en/blog/release/v7.9.0/
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
| |
|
|
|
|
|
| |
See https://nodejs.org/en/blog/release/v7.8.0/
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
| |
|
|
|
|
|
| |
See https://nodejs.org/en/blog/release/v7.7.3/
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
| |
|
|
|
|
|
| |
See https://nodejs.org/en/blog/release/v7.7.2/
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
| |
|
|
|
|
|
|
| |
nodejs 0.10.x is now end of life and is no longer maintained so remove it.
See https://github.com/nodejs/LTS
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
| |
|
|
| |
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
| |
|
|
| |
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
| |
|
|
|
|
|
|
| |
c-ares: fix for single-byte buffer overwrite, CVE-2016-5180, more
information at https://c-ares.haxx.se/adv_20160929.html
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
| |
|
|
|
|
|
|
|
| |
https://nodejs.org/en/blog/release/v6.9.1/
The patches from 6.7.0 have been copied to 6.9.1.
Signed-off-by: Patrick Devlin <cloudyparts@icloud.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
https://nodejs.org/en/blog/release/v6.7.0/
The patches from 6.2.1 have been copied to 6.7.0 with the following
changes:
- Add 0002-inspector-don-t-build-when-ssl-support-is-disabled.patch
to disable the new V8 inspector when openssl is not included.
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
| |
|
|
|
|
|
| |
https://nodejs.org/en/blog/release/v0.10.47/
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
| |
|
|
|
|
|
| |
See https://nodejs.org/en/blog/release/v6.2.1/
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
| |
|
|
|
|
|
| |
See https://nodejs.org/en/blog/release/v0.10.45/
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
| |
|
|
|
|
|
| |
See https://nodejs.org/en/blog/release/v6.1.0/
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
See https://nodejs.org/en/blog/release/v6.0.0/
The patches from 5.11.0 have been copied to 6.0.0 with the following
changes:
- Removed 0001-Remove-dependency-on-Python-bz2-module.patch,
0003-Fix-va_list-not-declared.patch and
0004-Fix-support-for-uClibc-ng.patch as all 3 have been fixed upstream
- Renamed 0002-gyp-force-link-command-to-use-CXX.patch to
0001-gyp-force-link-command-to-use-CXX.patch
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
| |
|
|
|
|
|
| |
See https://nodejs.org/en/blog/release/v5.11.0/
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
| |
|
|
|
|
|
| |
See https://nodejs.org/en/blog/release/v0.10.44/
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
| |
|
|
|
|
|
| |
See https://nodejs.org/en/blog/release/v5.10.1/
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
| |
|
|
|
|
|
| |
See https://nodejs.org/en/blog/release/v5.9.1/
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
| |
|
|
|
|
|
| |
See https://nodejs.org/en/blog/release/v5.8.0/
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
| |
|
|
|
|
|
| |
See https://nodejs.org/en/blog/release/v0.10.43/
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
| |
|
|
|
|
|
| |
See https://nodejs.org/en/blog/release/v5.7.1/
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
| |\
| |
| |
| | |
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
| | |
| |
| |
| |
| |
| |
| |
| | |
This is an important security release. See
https://nodejs.org/en/blog/release/v5.6.0/ for further details
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
| |/
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes security vulnerabilites [1]:
- CVE-2016-2086
- CVE-2016-2216
Also switch to the xz compressed tar file now available for v0.10 builds from
v0.10.42 onward.
[1] https://nodejs.org/en/blog/vulnerability/february-2016-security-releases/
Signed-off-by: Jörg Krause <joerg.krause@embedded.rocks>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Patches from 5.3.0 have been copied over with the following exceptions:
- Removed 0005-Fix-crash-in-GetInterfaceAddresses.patch as this has
been applied upstream
- Renamed 0006-Fix-support-for-uClibc-ng.patch to
0005-Fix-support-for-uClibc-ng.patch
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
| |
|
|
|
|
|
|
|
| |
Remove 0.12.9 to rationalise the number of nodejs releases supported by
buildroot. Going forward buildroot will only support the latest release
of nodejs and the 0.10.x branch for armv5 support.
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Replace 4.2.3 with 5.3.0. 5.3.0 is the current Stable release. See
https://nodejs.org/en/blog/release/v5.3.0 for details on the release.
Copied 4.2.3 patched to 5.3.0 with the following exceptions:
- Removed 0004-fix-arm-vfpv2.patch, committed upstream and included in
5.3.0. See https://github.com/nodejs/node/commit/84dea1bd0c
- Added 0004-Fix-va_list-not-declared.patch, fix for a new bug. This
has already been fixed upstream but is not in 5.3.0
Signed-off-by: Martin Bark <martin@barkynet.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
|
