./lang/nodejs6, V8 JavaScript for clients and servers

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]


Branch: CURRENT, Version: 6.14.4, Package name: nodejs-6.14.4, Maintainer: filip

Node.js is an evented I/O framework for the V8 JavaScript engine. It is
intended for writing scalable network programs such as web servers.

This package holds the 6.x LTS release.


Required to run:
[net/libcares] [security/openssl] [devel/libuv] [www/http-parser]

Required to build:
[lang/python27] [sysutils/lockf] [pkgtools/cwrappers]

Package options: openssl

Master sites:

SHA1: bb30f20532d6e8b8899fff6717900abac7e1c20c
RMD160: 95cd5ae06991b64ee702ec4c2c82eb195e581f53
Filesize: 26581.546 KB

Version history: (Expand)


CVS history: (Expand)


   2018-08-16 15:40:26 by Filip Hajny | Files touched by this commit (2) | Package updated
Log message:
lang/nodejs6: Update to 6.14.4.

- buffer: Fix out-of-bounds (OOB) write in Buffer.write() for UCS-2
  encoding (CVE-2018-12115)
   2018-06-14 12:52:33 by Filip Hajny | Files touched by this commit (2) | Package updated
Log message:
lang/nodejs6: Update to 6.14.3.

- buffer (CVE-2018-7167): Fixes Denial of Service vulnerability where
  calling Buffer.fill() could hang
   2018-05-12 10:59:56 by Filip Hajny | Files touched by this commit (12)
Log message:
lang/nodejs: Use pkgsrc http-parser, libuv, libcares instead of bundled versions.
Switch back to bundled nghttp2 on lang/nodejs to reconcile a conflict
of OpenSSL versions.
   2018-05-04 16:28:32 by Filip Hajny | Files touched by this commit (4)
Log message:
lang/nodejs*: Provide bl3 to nodejs packages to provide headers.
   2018-05-03 23:12:23 by Filip Hajny | Files touched by this commit (4)
Log message:
lang/nodejs{6,8}: Decouple respective options.mk from main package.
   2018-05-03 12:29:16 by Filip Hajny | Files touched by this commit (3) | Package updated
Log message:
lang/nodejs6: Update to 6.14.2.

- n-api has been backported to v6.x. It is being landed as an
  experimental interface, and as such is landing in
  a Semver-Patch release.
   2018-05-02 18:33:03 by Filip Hajny | Files touched by this commit (16)
Log message:
lang/nodejs*: Remove the npm package manager from nodejs packages. Introduce \ 
nodeversion.mk framework to pick and depend on one of the supported nodejs \ 
version packages. Bump respective PKGREVISIONs.
   2018-04-04 12:35:55 by Filip Hajny | Files touched by this commit (2) | Package updated
Log message:
lang/nodejs6: Update to 6.14.1.

Fixes for the following CVEs are included in this release:

- CVE-2018-7158
- CVE-2018-7159
- CVE-2018-7160

Notable Changes

- Fix for inspector DNS rebinding vulnerability (CVE-2018-7160): A
  malicious website could use a DNS rebinding attack to trick a web
  browser to bypass same-origin-policy checks and allow HTTP connections
  to localhost or to hosts on the local network, potentially to an open
  inspector port as a debugger, therefore gaining full code execution
  access. The inspector now only allows connections that have a browser
  Host value of localhost or localhost6.
- Fix for 'path' module regular expression denial of service
  (CVE-2018-7158): A regular expression used for parsing POSIX paths
  could be used to cause a denial of service if an attacker were able to
  have a specially crafted path string passed through one of the
  impacted 'path' module functions.
- Reject spaces in HTTP Content-Length header values (CVE-2018-7159):
  The Node.js HTTP parser allowed for spaces inside Content-Length
  header values. Such values now lead to rejected connections in the
  same way as non-numeric values.
- Update root certificates: 5 additional root certificates have been
  added to the Node.js binary and 30 have been removed.