Subject: CVS commit: pkgsrc/lang/nodejs12
From: Adam Ciarcinski
Date: 2021-09-17 22:07:15
Message id: 20210917200715.5A548FA97@cvs.NetBSD.org

Log Message:
nodejs12: updated to 12.22.6

Version 12.22.6 'Erbium' (LTS)

This is a security release.

Notable Changes

These are vulnerabilities in the node-tar, arborist, and npm cli modules which are related to the initial reports and subsequent remediation of node-tar vulnerabilities CVE-2021-32803 and CVE-2021-32804. Subsequent internal security review of node-tar and additional external bounty reports have resulted in another 5 CVEs being remediated in core npm CLI dependencies including node-tar and npm arborist.

Version 12.22.5 'Erbium' (LTS)

This is a security release.

Notable Changes

CVE-2021-3672/CVE-2021-22931: Improper handling of untypical characters in domain names (High)
Node.js was vulnerable to Remote Code Execution, XSS, application crashes due to missing input validation of hostnames returned by Domain Name Servers in the Node.js DNS library which can lead to the output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library. You can read more about it at https://nvd.nist.gov/vuln/detail/CVE-2021-22931.
CVE-2021-22930: Use after free on close http2 on stream canceling (High)
Node.js was vulnerable to a use after free attack where an attacker might be able to exploit memory corruption to change process behavior. This release includes a follow-up fix for CVE-2021-22930 as the issue was not completely resolved by the previous fix. You can read more about it at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22930.
CVE-2021-22939: Incomplete validation of rejectUnauthorized parameter (Low)
If the Node.js HTTPS API was used incorrectly and "undefined" was passed in for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted. You can read more about it at https://nvd.nist.gov/vuln/detail/CVE-2021-22939.

Version 12.22.4 'Erbium' (LTS)

This is a security release.

Notable Changes

CVE-2021-22930: Use after free on close http2 on stream canceling (High)
Node.js is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption to change process behavior. You can read more about it at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22930

Files:
Revision  Action  File
1.36      modify  pkgsrc/lang/nodejs12/Makefile
1.25      modify  pkgsrc/lang/nodejs12/distinfo
1.3       remove  pkgsrc/lang/nodejs12/patches/patch-src_cares__wrap.cc
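The two input-validation weaknesses in the 12.22.5 notes above (hostnames from DNS with untypical characters, and an undefined rejectUnauthorized silently disabling certificate checks) are the kind of thing an application can guard against on its own side while waiting for an upgrade. The following is an added example, not code from this commit or from Node.js; the function names, the RFC 1123 label syntax it enforces and the sample hostnames are all assumptions of the example.

```javascript
'use strict';

// RFC 1123 hostname label: letters, digits and hyphens, 1-63 octets,
// not starting or ending with a hyphen. Anything else (spaces, quotes,
// shell or HTML metacharacters, raw Unicode) is rejected outright.
const LABEL_RE = /^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$/;

function isValidHostname(name) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 253) return false;
  // Tolerate a single trailing dot (fully-qualified form) before splitting.
  const trimmed = name.endsWith('.') ? name.slice(0, -1) : name;
  return trimmed.split('.').every((label) => LABEL_RE.test(label));
}

// Apply to any list of names handed back by the resolver (for example the
// result of dns.reverse or a CNAME chain) before the names are concatenated
// into commands, queries or markup. Throws on the first untrusted name.
function assertHostnames(names) {
  for (const n of names) {
    if (!isValidHostname(n)) {
      throw new TypeError(`untrusted hostname rejected: ${JSON.stringify(n)}`);
    }
  }
  return names;
}

// Normalise TLS client options so that rejectUnauthorized is always an
// explicit boolean: undefined means "verify", never "skip verification",
// and a non-boolean value is a configuration bug rather than a silent default.
function hardenTlsOptions(opts) {
  const out = { ...opts };
  if (out.rejectUnauthorized === undefined) out.rejectUnauthorized = true;
  if (typeof out.rejectUnauthorized !== 'boolean') {
    throw new TypeError('rejectUnauthorized must be true or false');
  }
  if (out.rejectUnauthorized === false) {
    // Surface an insecure configuration loudly instead of accepting it quietly.
    process.emitWarning('TLS certificate verification disabled', 'SecurityWarning');
  }
  return out;
}

// Constructed sample values for a stand-alone run (not real DNS results).
console.log(assertHostnames(['example.com', 'host-1.internal.']));
console.log(hardenTlsOptions({ host: 'example.com', port: 443, rejectUnauthorized: undefined }));
```

Pass the result of hardenTlsOptions to https.request or tls.connect; the DNS check belongs wherever resolver output is first consumed.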