From patchwork Fri Feb 19 11:02:46 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jelle Licht X-Patchwork-Id: 27141 Return-Path: X-Original-To: patchwork@mira.cbaines.net Delivered-To: patchwork@mira.cbaines.net Received: by mira.cbaines.net (Postfix, from userid 113) id C6C4127BC48; Fri, 19 Feb 2021 11:04:11 +0000 (GMT) X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on mira.cbaines.net X-Spam-Level: X-Spam-Status: No, score=-2.9 required=5.0 tests=BAYES_00,MAILING_LIST_MULTI, RCVD_IN_MSPIKE_H4,RCVD_IN_MSPIKE_WL,SPF_HELO_PASS,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.2 Received: from lists.gnu.org (lists.gnu.org [209.51.188.17]) by mira.cbaines.net (Postfix) with ESMTPS id 98A3327BC49 for ; Fri, 19 Feb 2021 11:04:10 +0000 (GMT) Received: from localhost ([::1]:58458 helo=lists1p.gnu.org) by lists.gnu.org with esmtp (Exim 4.90_1) (envelope-from ) id 1lD3Zx-0002IT-Qu for patchwork@mira.cbaines.net; Fri, 19 Feb 2021 06:04:09 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]:40154) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lD3Zq-0002IL-Ib for guix-patches@gnu.org; Fri, 19 Feb 2021 06:04:02 -0500 Received: from debbugs.gnu.org ([209.51.188.43]:37254) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_128_GCM_SHA256:128) (Exim 4.90_1) (envelope-from ) id 1lD3Zq-0000ne-B6 for guix-patches@gnu.org; Fri, 19 Feb 2021 06:04:02 -0500 Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2) (envelope-from ) id 1lD3Zq-0003wq-56 for guix-patches@gnu.org; Fri, 19 Feb 2021 06:04:02 -0500 X-Loop: help-debbugs@gnu.org Subject: [bug#46634] [PATCH] gnu: node: Update to 10.23.3. [security fixes] Resent-From: Jelle Licht Original-Sender: "Debbugs-submit" Resent-CC: guix-patches@gnu.org Resent-Date: Fri, 19 Feb 2021 11:04:01 +0000 Resent-Message-ID: Resent-Sender: help-debbugs@gnu.org X-GNU-PR-Message: report 46634 X-GNU-PR-Package: guix-patches X-GNU-PR-Keywords: patch To: 46634@debbugs.gnu.org X-Debbugs-Original-To: guix-patches@gnu.org Received: via spool by submit@debbugs.gnu.org id=B.161373258615107 (code B ref -1); Fri, 19 Feb 2021 11:04:01 +0000 Received: (at submit) by debbugs.gnu.org; 19 Feb 2021 11:03:06 +0000 Received: from localhost ([127.0.0.1]:48800 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lD3Yp-0003vA-Om for submit@debbugs.gnu.org; Fri, 19 Feb 2021 06:03:05 -0500 Received: from lists.gnu.org ([209.51.188.17]:59586) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1lD3Yl-0003uy-28 for submit@debbugs.gnu.org; Fri, 19 Feb 2021 06:02:58 -0500 Received: from eggs.gnu.org ([2001:470:142:3::10]:39964) by lists.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lD3Yk-0001p1-QS for guix-patches@gnu.org; Fri, 19 Feb 2021 06:02:54 -0500 Received: from mail1.fsfe.org ([2001:aa8:ffed:f5f3::151]:44950) by eggs.gnu.org with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.90_1) (envelope-from ) id 1lD3Yh-0000HW-IE for guix-patches@gnu.org; Fri, 19 Feb 2021 06:02:54 -0500 From: Jelle Licht Date: Fri, 19 Feb 2021 12:02:46 +0100 Message-ID: <86czww5nhl.fsf@fsfe.org> MIME-Version: 1.0 Received-SPF: pass client-ip=2001:aa8:ffed:f5f3::151; envelope-from=jlicht@fsfe.org; helo=mail1.fsfe.org X-Spam_score_int: -41 X-Spam_score: -4.2 X-Spam_bar: ---- X-Spam_report: (-4.2 / 5.0 requ) BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001 autolearn=ham autolearn_force=no X-Spam_action: no action X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list X-BeenThere: guix-patches@gnu.org List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: guix-patches-bounces+patchwork=mira.cbaines.net@gnu.org Sender: "Guix-patches" X-getmail-retrieved-from-mailbox: Patches Hey Guix, The attached two patches together should address CVE-2020-8287 (in Node). I am kind of fuzzy on the details, but to me it seems that the vulnerability is actually in http-parser (and llhttp), not node. I informed upstream about my findings, but in the mean time we should probably apply these. The node package subsequently has a regression test to demonstrate that the applied fix works. Nonetheless, http-parser has quite some dependents, and I only verified everything to still work with node. - Jelle From 44f5b6f6ee7ffbec1c38d52ac8356b3f5a252e61 Mon Sep 17 00:00:00 2001 From: Jelle Licht Date: Wed, 17 Feb 2021 00:06:04 +0100 Subject: [PATCH] gnu: node: Update to 10.23.3. * gnu/packages/node.scm (node): Update to 10.23.3. --- gnu/packages/node.scm | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/gnu/packages/node.scm b/gnu/packages/node.scm index 77c47ec71f..051c4c3b41 100644 --- a/gnu/packages/node.scm +++ b/gnu/packages/node.scm @@ -50,14 +50,14 @@ (define-public node (package (name "node") - (version "10.22.1") + (version "10.23.3") (source (origin (method url-fetch) (uri (string-append "https://nodejs.org/dist/v" version "/node-v" version ".tar.xz")) (sha256 (base32 - "0pr569qiabr4m7k38s7rwi3iyzrc5jmx19z2z0k7n4xfvhjlfzzl")) + "13za06bz17k71gcxyrx41l2j8al1kr3j627b8m7kqrf3l7rdfnsi")) (modules '((guix build utils))) (snippet `(begin -- 2.30.1