Next | Query returned 16 messages, browsing 1 to 10 | Previous

History of commit frequency

CVS Commit History:


   2018-06-14 12:53:10 by Filip Hajny | Files touched by this commit (2) | Package updated
Log message:
lang/nodejs8: Update to 8.11.3.

- buffer (CVE-2018-7167): Fixes Denial of Service vulnerability where
  calling Buffer.fill() could hang
- http2:
  - (CVE-2018-7161): Fixes Denial of Service vulnerability by updating
    the http2 implementation to not crash under certain circumstances
    during cleanup
  - (CVE-2018-1000168): Fixes Denial of Service vulnerability by
    upgrading nghttp2 to 1.32.0
   2018-05-16 20:41:54 by Filip Hajny | Files touched by this commit (3) | Package updated
Log message:
lang/nodejs8: Update to 8.11.2.

deps:
- update node-inspect to 1.11.3
- update nghttp2 to 1.29.0
http2:
- Sync with current release stream
n-api:
- Sync with current release stream
   2018-05-12 11:04:24 by Filip Hajny | Files touched by this commit (2)
Log message:
lang/nodejs8: Fix build with GCC>=5. Patch by leot@.
   2018-05-12 10:59:56 by Filip Hajny | Files touched by this commit (12)
Log message:
lang/nodejs: Use pkgsrc http-parser, libuv, libcares instead of bundled versions.
Switch back to bundled nghttp2 on lang/nodejs to reconcile a conflict
of OpenSSL versions.
   2018-05-09 14:18:03 by Adam Ciarcinski | Files touched by this commit (4)
Log message:
nodejs8: Fix building with ICU 61.
   2018-05-04 16:28:32 by Filip Hajny | Files touched by this commit (4)
Log message:
lang/nodejs*: Provide bl3 to nodejs packages to provide headers.
   2018-05-03 23:12:23 by Filip Hajny | Files touched by this commit (4)
Log message:
lang/nodejs{6,8}: Decouple respective options.mk from main package.
   2018-05-02 18:33:03 by Filip Hajny | Files touched by this commit (16)
Log message:
lang/nodejs*: Remove the npm package manager from nodejs packages. Introduce \ 
nodeversion.mk framework to pick and depend on one of the supported nodejs \ 
version packages. Bump respective PKGREVISIONs.
   2018-04-14 09:34:46 by Adam Ciarcinski | Files touched by this commit (681) | Package updated
Log message:
revbump after icu update
   2018-04-04 12:37:44 by Filip Hajny | Files touched by this commit (2) | Package updated
Log message:
lang/nodejs8: Update to 8.11.1.

Fixes for the following CVEs are included in this release:

- CVE-2018-7158
- CVE-2018-7159
- CVE-2018-7160

Notable Changes

- Fix for inspector DNS rebinding vulnerability (CVE-2018-7160): A
  malicious website could use a DNS rebinding attack to trick a web
  browser to bypass same-origin-policy checks and allow HTTP connections
  to localhost or to hosts on the local network, potentially to an open
  inspector port as a debugger, therefore gaining full code execution
  access. The inspector now only allows connections that have a browser
  Host value of localhost or localhost6.
- Fix for 'path' module regular expression denial of service
  (CVE-2018-7158): A regular expression used for parsing POSIX paths
  could be used to cause a denial of service if an attacker were able to
  have a specially crafted path string passed through one of the
  impacted 'path' module functions.
- Reject spaces in HTTP Content-Length header values (CVE-2018-7159):
  The Node.js HTTP parser allowed for spaces inside Content-Length
  header values. Such values now lead to rejected connections in the
  same way as non-numeric values.
- Update root certificates: 5 additional root certificates have been
  added to the Node.js binary and 30 have been removed.

Next | Query returned 16 messages, browsing 1 to 10 | Previous