./lang/nodejs10, V8 JavaScript for clients and servers



Branch: CURRENT, Version: 10.24.1nb2, Package name: nodejs-10.24.1nb2, Maintainer: pkgsrc-users

Node.js is an evented I/O framework for the V8 JavaScript engine. It is
intended for writing scalable network programs such as web servers.

This package holds the 10.x LTS release.


Required to run:
[textproc/icu] [net/libcares] [security/openssl] [devel/libuv] [lang/gcc49-libs] [www/nghttp2] [www/http-parser]

Required to build:
[lang/python27] [sysutils/lockf] [lang/gcc49] [pkgtools/cwrappers]

Package options: openssl

Master sites:

RMD160: 1e59704c06219ced68b1f47abd2e1e176a144f41
Filesize: 21140.621 KB



CVS history:


   2021-10-07 16:21:17 by Nia Alarie | Files touched by this commit (282)
Log message:
lang: Remove SHA1 hashes for distfiles
   2021-09-29 21:01:31 by Adam Ciarcinski | Files touched by this commit (872)
Log message:
revbump for boost-libs
   2021-04-21 13:43:04 by Adam Ciarcinski | Files touched by this commit (1822)
Log message:
revbump for textproc/icu
   2021-04-07 08:19:21 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
nodejs10: updated to 10.24.1

Version 10.24.1 'Dubnium' (LTS)

This is a security release.

Notable Changes

Vulnerabilities fixed:

CVE-2021-3450: OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High)
This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt
Impacts:
All versions of the 15.x, 14.x, 12.x and 10.x release lines

CVE-2021-3449: OpenSSL - NULL pointer deref in signature_algorithms processing (High)
This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt
Impacts:
All versions of the 15.x, 14.x, 12.x and 10.x release lines

CVE-2020-7774: npm upgrade - Update y18n to fix Prototype-Pollution (High)
This is a vulnerability in the y18n npm module which may be exploited by prototype pollution. You can read more about it in https://github.com/advisories/GHSA-c4w7-xm78-47vh
Impacts:
All versions of the 14.x, 12.x and 10.x release lines
   2021-02-24 12:10:12 by Adam Ciarcinski | Files touched by this commit (4)
Log message:
nodejs10/12: switch to .tar.xz
   2021-02-24 12:04:35 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
nodejs10: updated to 10.24.0

Version 10.24.0 'Dubnium' (LTS)

This is a security release.

Notable changes

Vulnerabilities fixed:

CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion
Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevents the process also from opening, e.g., a file. If no file descriptor limit is configured, then this leads to excessive memory usage and causes the system to run out of memory.

CVE-2021-22884: DNS rebinding in --inspect
Affected Node.js versions are vulnerable to denial of service attacks when the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.

CVE-2021-23840: OpenSSL - Integer overflow in CipherUpdate
This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210216.txt
   2021-02-15 11:20:59 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
nodejs10: updated to 10.23.3

Version 10.23.3 'Dubnium' (LTS)

Notable changes

The update to npm 6.14.11 has been relanded so that npm correctly reports its version.

Version 10.23.2 'Dubnium'

Notable changes

Release keys have been synchronized with the main branch.

deps:
upgrade npm to 6.14.11
   2021-01-05 09:35:36 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
nodejs10: updated to 10.23.1

Version 10.23.1 'Dubnium' (LTS)

Notable changes

This is a security release.

Vulnerabilities fixed:

CVE-2020-8265: use-after-free in TLSWrap (High)
Affected Node.js versions are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits.

CVE-2020-8287: HTTP Request Smuggling in nodejs
Affected versions of Node.js allow two copies of a header field in an HTTP request. For example, two Transfer-Encoding header fields. In this case Node.js identifies the first header field and ignores the second. This can lead to HTTP Request Smuggling (https://cwe.mitre.org/data/definitions/444.html).

CVE-2020-1971: OpenSSL - EDIPARTYNAME NULL pointer de-reference (High)
This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20201208.txt
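
Added example, not part of the commit log above and not Node.js source: CVE-2020-8287 turns on a request that carries two copies of a framing header, so this check flags duplicated Transfer-Encoding or Content-Length fields in the array Node.js exposes as `rawHeaders`. The function names, the sample arrays and the strict policy of also flagging requests that carry both headers are assumptions made for this example.

```javascript
// Added example (not Node.js source): detect ambiguous HTTP message framing.
// rawHeaders is the flat [name, value, name, value, ...] array that Node.js
// exposes as http.IncomingMessage#rawHeaders; duplicates are not merged there.
const FRAMING_HEADERS = new Set(['transfer-encoding', 'content-length']);

function findFramingProblems(rawHeaders) {
  const seen = new Map(); // lower-cased name -> values in arrival order
  for (let i = 0; i + 1 < rawHeaders.length; i += 2) {
    const name = String(rawHeaders[i]).trim().toLowerCase();
    if (!FRAMING_HEADERS.has(name)) continue;
    if (!seen.has(name)) seen.set(name, []);
    seen.get(name).push(String(rawHeaders[i + 1]).trim());
  }
  const problems = [];
  for (const [name, values] of seen) {
    if (values.length > 1) {
      problems.push(`duplicate ${name}: ${values.join(' | ')}`);
    }
  }
  // Assumed strict policy: a request should not carry both framing headers.
  if (seen.has('transfer-encoding') && seen.has('content-length')) {
    problems.push('both transfer-encoding and content-length present');
  }
  return problems;
}

// Hypothetical guard to call first in an http.Server 'request' handler.
// Returns true when the request was rejected with 400.
function rejectAmbiguousFraming(req, res) {
  const problems = findFramingProblems(req.rawHeaders);
  if (problems.length === 0) return false;
  res.writeHead(400, { Connection: 'close' });
  res.end('Bad Request');
  return true;
}

// Constructed sample inputs (not captured traffic).
const SAMPLE_DUPLICATE_TE = [
  'Host', 'example.test',
  'Transfer-Encoding', 'chunked',
  'transfer-encoding', 'identity',
];
const SAMPLE_CLEAN = ['Host', 'example.test', 'Content-Length', '12'];

console.log(findFramingProblems(SAMPLE_DUPLICATE_TE));
console.log(findFramingProblems(SAMPLE_CLEAN));
```

Updating to a fixed release remains the remedy; a check like this is defence in depth for request logging or a front-end filter.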