<feed xmlns='http://www.w3.org/2005/Atom'>
<title>buildroot/package/nodejs, branch 2019.02-op-build</title>
<subtitle>OpenPOWER buildroot sources</subtitle>
<id>https://git.raptorcs.com/git/buildroot/atom?h=2019.02-op-build</id>
<link rel='self' href='https://git.raptorcs.com/git/buildroot/atom?h=2019.02-op-build'/>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/'/>
<updated>2019-03-26T14:01:42+00:00</updated>
<entry>
<title>package/nodejs: security bump to version 8.15.1</title>
<updated>2019-03-26T14:01:42+00:00</updated>
<author>
<name>Peter Korsgaard</name>
<email>peter@korsgaard.com</email>
</author>
<published>2019-03-25T22:21:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=18ae511d81846b9f28b34940e5f36d3ca95648f0'/>
<id>urn:sha1:18ae511d81846b9f28b34940e5f36d3ca95648f0</id>
<content type='text'>
Fixes the following security issues:

Node.js: Slowloris HTTP Denial of Service with keep-alive (CVE-2019-5737)
OpenSSL: 0-byte record padding oracle (CVE-2019-1559)

For more details, see the CHANGELOG:
https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V8.md#8.15.1

Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>package/nodejs: bump version to v8.15.0</title>
<updated>2019-01-04T07:34:13+00:00</updated>
<author>
<name>Peter Korsgaard</name>
<email>peter@korsgaard.com</email>
</author>
<published>2019-01-03T14:44:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=6f68e5cf72118b2c6441172511812853c803202d'/>
<id>urn:sha1:6f68e5cf72118b2c6441172511812853c803202d</id>
<content type='text'>
Fixes regressions introduced by the v8.14.0 security release.  From the
announcement:

The 8.14.0 security release introduced some unexpected breakages on the 8.x
release line.  This is a special release to fix a regression in the HTTP
binary upgrade response body and add a missing CLI flag to adjust the max
header size of the http parser.

https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V8.md#8.15.0

Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>package/nodejs: security bump to version 8.14.0</title>
<updated>2018-12-10T10:47:50+00:00</updated>
<author>
<name>Peter Korsgaard</name>
<email>peter@korsgaard.com</email>
</author>
<published>2018-12-09T22:18:30+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=0de2c9c76cd0a522fc1eb4b8d63bb5070efaecd3'/>
<id>urn:sha1:0de2c9c76cd0a522fc1eb4b8d63bb5070efaecd3</id>
<content type='text'>
Fixes the following security vulnerabilities:

- Node.js: Denial of Service with large HTTP headers (CVE-2018-12121)
- Node.js: Slowloris HTTP Denial of Service (CVE-2018-12122 / Node.js)
- Node.js: Hostname spoofing in URL parser for javascript protocol
  (CVE-2018-12123)
- Node.js: HTTP request splitting (CVE-2018-12116)
- OpenSSL: Timing vulnerability in DSA signature generation (CVE-2018-0734)
- OpenSSL: Microarchitecture timing vulnerability in ECC scalar
  multiplication (CVE-2018-5407)

For more details, see the announcement:
https://nodejs.org/en/blog/release/v8.14.0/

Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@bootlin.com&gt;
</content>
</entry>
<entry>
<title>package/nodejs: use per-build cache directories</title>
<updated>2018-10-15T11:21:34+00:00</updated>
<author>
<name>Yann E. MORIN</name>
<email>yann.morin.1998@free.fr</email>
</author>
<published>2018-10-13T15:05:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=4a16182d5f9f78e7d817f68a6d28449ce9c32e59'/>
<id>urn:sha1:4a16182d5f9f78e7d817f68a6d28449ce9c32e59</id>
<content type='text'>
When two Buildroot builds run in parallel, and they both happen to call
npm at roughly the same time, the two npm instances may conflict when
accessing the npm cache, which is by default ~/.npm

Although npm is supposed to lock access to the cache, it seems it does
sometimes fail to do so properly, bailling out in error, when it would
never ever crash at all when not running in parallel. We suspect that
the sequence leading to such failures are something like:

    npm-1                           npm-2
      lock(retry=few, sleep=short)    .
      does-stuff()                    .
      .                               lock(retry=few, sleep=short)
      .                               # can't lock local cache
      .                               download-module()
      .                                 # can't download
      .                                 exit(1)
      unlock()

As per the docs [0], few = 10, short = 10. So if the first npm (npm-1)
takes more than 100s (which can happen behind slow links and/or big
modules that contain native code that is compiled), then the second npm
(npm-2) will bail out (the download would fail if there is no network
access, for example, and only local modules are used).

Point npm to use a per-build cache directory, so they no longer compete
across builds.

That would still need some care when we do top-level parallel builds,
though.

Note also that the conflicts are not totally eliminated: two or more npm
instances may still compete for some other resource that has not yet
been identified.

But, at least, the conflict window has been drastically shortened now,
to the point where it now seldom occurs.

Signed-off-by: "Yann E. MORIN" &lt;yann.morin.1998@free.fr&gt;
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>arch: allow GCC target options to be optionally overwritten</title>
<updated>2018-09-23T20:17:57+00:00</updated>
<author>
<name>Mark Corbin</name>
<email>mark.corbin@embecosm.com</email>
</author>
<published>2018-09-12T10:22:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=bd0640a2139119e2fdb4b384ebf32d1edcb0fdaa'/>
<id>urn:sha1:bd0640a2139119e2fdb4b384ebf32d1edcb0fdaa</id>
<content type='text'>
The BR2_GCC_TARGET_* configuration variables are copied to
corresponding GCC_TARGET_* variables which may then be optionally
modified or overwritten by architecture specific makefiles.

All makefiles must use the new GCC_TARGET_* variables instead
of the BR2_GCC_TARGET_* versions.

Signed-off-by: Mark Corbin &lt;mark.corbin@embecosm.com&gt;
[Thomas: simplify include of arch/arch.mk]
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@bootlin.com&gt;
</content>
</entry>
<entry>
<title>package/nodejs: bump version to 8.12.0</title>
<updated>2018-09-12T16:11:09+00:00</updated>
<author>
<name>Martin Bark</name>
<email>martin@barkynet.com</email>
</author>
<published>2018-09-12T12:48:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=e75d9c6bcf4349c75ee958150d0acf70e7da1df3'/>
<id>urn:sha1:e75d9c6bcf4349c75ee958150d0acf70e7da1df3</id>
<content type='text'>
See https://nodejs.org/en/blog/release/v8.12.0/

Signed-off-by: Martin Bark &lt;martin@barkynet.com&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@bootlin.com&gt;
</content>
</entry>
<entry>
<title>Merge branch 'next'</title>
<updated>2018-09-07T11:13:17+00:00</updated>
<author>
<name>Peter Korsgaard</name>
<email>peter@korsgaard.com</email>
</author>
<published>2018-09-07T11:08:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=721e4cbb529d247c9c1ebef68275e70a3086ae0b'/>
<id>urn:sha1:721e4cbb529d247c9c1ebef68275e70a3086ae0b</id>
<content type='text'>
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>package/nodejs: use host-libopenssl</title>
<updated>2018-08-20T22:00:08+00:00</updated>
<author>
<name>Bernd Kuhls</name>
<email>bernd.kuhls@t-online.de</email>
</author>
<published>2018-08-19T16:51:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=cbb7b49f4c790a26cddca4d826095b86af70446f'/>
<id>urn:sha1:cbb7b49f4c790a26cddca4d826095b86af70446f</id>
<content type='text'>
host-nodejs is configured to build openssl by using its included openssl
source code which is based on openssl 1.0.2. If host-libopenssl was
already built its header files are being picked up during host-nodejs
build, this was verified by adding debug code to
$(HOST_DIR)/include/openssl/opensslv.h.

This situation was not a problem as long as host-libopenssl was the
same version than the openssl code included in nodejs.

Some code in host-nodejs-8.11.4/src/node_crypto.cc is guarded by

	#if OPENSSL_VERSION_NUMBER &lt; 0x10100000L

to be used only with openssl 1.0.x.

This leads to problems if host-libopenssl 1.1.x was built before. Due
to the usage of its header files some code in node_crypto.cc is not
built leading to many linking errors later on, for example:

node_crypto.cc:(.text+0x1a1): undefined reference to `DH_get0_pqg'

When the nodejs package originally was added to buildroot back in
March 2013:
https://git.buildroot.net/buildroot/commit/?id=b31bc7d4387095091a109eb879464d54d37a5eab

We did not have a host-libopenssl package back then, it was added one
month later:
https://git.buildroot.net/buildroot/commit/?id=7842789cb539b6b64d61b03f5c8dbe6813f01da7

To fix the problem we use host-libopenssl for host-nodejs.
By using host-libopenssl the build time of nodejs is reduced by ~15s.

Signed-off-by: Bernd Kuhls &lt;bernd.kuhls@t-online.de&gt;
Reviewed-by: "Yann E. MORIN" &lt;yann.morin.1998@free.fr&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@bootlin.com&gt;
</content>
</entry>
<entry>
<title>package/nodejs: security bump version to 8.11.4</title>
<updated>2018-08-19T19:29:11+00:00</updated>
<author>
<name>Bernd Kuhls</name>
<email>bernd.kuhls@t-online.de</email>
</author>
<published>2018-08-19T13:22:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=bfc5dc9920ffa9913b096cdc85572a06980ee9e2'/>
<id>urn:sha1:bfc5dc9920ffa9913b096cdc85572a06980ee9e2</id>
<content type='text'>
Release notes:
https://nodejs.org/en/blog/vulnerability/august-2018-security-releases/

Fixes CVE-2018-12115, also CVEs were fixed in included OpenSSL code
which do not use for the target build.

Signed-off-by: Bernd Kuhls &lt;bernd.kuhls@t-online.de&gt;
Signed-off-by: Peter Korsgaard &lt;peter@korsgaard.com&gt;
</content>
</entry>
<entry>
<title>package/nodejs: security bump to version 8.11.3</title>
<updated>2018-06-17T12:04:29+00:00</updated>
<author>
<name>Martin Bark</name>
<email>martin@barkynet.com</email>
</author>
<published>2018-06-16T22:44:08+00:00</published>
<link rel='alternate' type='text/html' href='https://git.raptorcs.com/git/buildroot/commit/?id=64baf3def763fe962f19d7ca083cf019a73f6281'/>
<id>urn:sha1:64baf3def763fe962f19d7ca083cf019a73f6281</id>
<content type='text'>
Fixes the following security issues:

- (CVE-2018-7167): Fixes Denial of Service vulnerability where calling
  Buffer.fill() could hang

- (CVE-2018-7161): Fixes Denial of Service vulnerability by updating the
  http2 implementation to not crash under certain circumstances during
  cleanup

- (CVE-2018-1000168): Fixes Denial of Service vulnerability by upgrading
  nghttp2 to 1.32.0

See https://nodejs.org/en/blog/release/v8.11.3/ for more details

Signed-off-by: Martin Bark &lt;martin@barkynet.com&gt;
Signed-off-by: Thomas Petazzoni &lt;thomas.petazzoni@bootlin.com&gt;
</content>
</entry>
</feed>
