[ELSA-2020-5499] nodejs:12 security and bug fix update

Severity Moderate

Affected Packages 7

CVEs 3

nodejs
[1:12.19.1-1]
- Resolves: RHBZ#1901044, #1901045, #1901046, #1901047
- c-ares, ajv and y18n CVEs and yarn installability issues

[1:12.18.4-2]
- Fix RHBZ#1856776 - nodejs-devel not installable due to missing brotli
- Some spec fixes

[12.18.4-1]
- Rebase to 12.18.4

[12.18.2-1]
- Rebase to 12.18.2

[1:12.18.1-1]
- Rebase
- Spec clean up
- Provide i18n package, bundle icu
- Resolves: RHBZ#1845311, RHBZ#1845692

[1:12.18.0-1]
- Security update to 12.18.0
- Resolves: RHBZ#1845311, RHBZ#1845692

[1:12.16.1-2]
- Fix CVE-2020-10531

[1:12.16.1-1]
- Resolves: RHBZ#1800395, RHBZ#1800396, RHBZ#1800381
- Rebase to 12.16.1

[1:12.14.1-1]
- Rebase to 12.14.1

[1:12.13.1-1]
- Resolves: RHBZ# 1773503, update to 12.13.1
- minor clean up and sync with Fedora spec
- turn off debug builds

[1:12.4.0-2]
- Resolves:RHBZ#1685191
- Add condition to libs

[1:12.4.0-1]
- Update to v12.x
- Add v8-devel and libs subpackages from fedora

[1:10.14.1-2]
- move nodejs-packaging BR out of conditional

[1:10.14.1-1]
- Resolves: RHBZ#1644207
- fixes node-gyp permissions
- rebase

[1:10.11.0-2]
- BuildRequire nodejs-packaging for proper npm dependency generation
- Resolves: rhbz#1615947

[1:10.11.0-1]
- Rebase to 10.11.0
- Import changes from fedora
- Resolves: rhbz#1621766

[1:10.7.0-5]
- Import sources from fedora
- Allow using python2 at %build and %install
- turn off debug for aarch64

[1:10.7.0-4]
- Fix npm upgrade scriptlet
- Fix unexpected trailing .1 in npm release field

[1:10.7.0-3]
- Restore annotations to binaries
- Fix unexpected trailing .1 in release field

[1:10.7.0-2]
- Update to 10.7.0
- https://nodejs.org/en/blog/release/v10.7.0/
- https://nodejs.org/en/blog/release/v10.6.0/

[1:10.5.0-1.1]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild

[1:10.5.0-1]
- Update to 10.5.0
- https://nodejs.org/en/blog/release/v10.5.0/

[1:10.4.1-1]
- Update to 10.4.1 to address security issues
- https://nodejs.org/en/blog/release/v10.4.1/
- Resolves: rhbz#1590801
- Resolves: rhbz#1591014
- Resolves: rhbz#1591019

[1:10.4.0-1]
- Update to 10.4.0
- https://nodejs.org/en/blog/release/v10.4.0/

[1:10.3.0-1]
- Update to 10.3.0
- Update npm to 6.1.0
- https://nodejs.org/en/blog/release/v10.3.0/

[1:10.2.1-2]
- Fix up bare 'python' to be python2
- Drop redundant entry in docs section

[1:10.2.1-1]
- Update to 10.2.1
- https://nodejs.org/en/blog/release/v10.2.1/

[1:10.2.0-1]
- Update to 10.2.0
- https://nodejs.org/en/blog/release/v10.2.0/

[1:10.1.0-3]
- Fix incorrect rpm macro

[1:10.1.0-2]
- Include upstream v8 fix for ppc64[le]
- Disable debug build on ppc64[le] and s390x

[1:10.1.0-1]
- Update to 10.1.0
- https://nodejs.org/en/blog/release/v10.1.0/
- Reenable node_g binary

[1:10.0.0-1]
- Update to 10.0.0
- https://nodejs.org/en/blog/release/v10.0.0/
- Drop workaround patch
- Temporarily drop node_g binary due to
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=85587

[1:9.11.1-2]
- Use standard Fedora linker flags (bug #1543859)

[1:9.11.1-1]
- Update to 9.11.1
- https://nodejs.org/en/blog/release/v9.11.0/
- https://nodejs.org/en/blog/release/v9.11.1/

[1:9.10.0-1]
- Update to 9.10.0
- https://nodejs.org/en/blog/release/v9.10.0/

[1:9.9.0-1]
- Update to 9.9.0
- https://nodejs.org/en/blog/release/v9.9.0/

[1:9.8.0-1]
- Update to 9.8.0
- https://nodejs.org/en/blog/release/v9.8.0/

[1:9.7.0-1]
- Update to 9.7.0
- https://nodejs.org/en/blog/release/v9.7.0/
- Work around F28 build issue

[1:9.6.1-1]
- Update to 9.6.1
- https://nodejs.org/en/blog/release/v9.6.1/
- https://nodejs.org/en/blog/release/v9.6.0/

[1:9.5.0-1]
- Package Node.js 9.5.0

[1:8.9.4-2]
- Fix incorrect Requires:

[1:8.9.4-1]
- Update to 8.9.4
- https://nodejs.org/en/blog/release/v8.9.4/
- Switch to system copy of nghttp2

[1:8.9.3-2]
- Update to 8.9.3
- https://nodejs.org/en/blog/release/v8.9.3/
- https://nodejs.org/en/blog/release/v8.9.2/

[1:8.9.1-2]
- Rebuild for ICU 60.1

[1:8.9.1-1]
- Update to 8.9.1

[1:8.9.0-1]
- Update to 8.9.0
- Drop upstreamed patch

[1:8.8.1-1]
- Update to 8.8.1 to fix a regression

[1:8.8.0-1]
- Security update to 8.8.0
- https://nodejs.org/en/blog/release/v8.8.0/

[1:8.7.0-1]
- Update to 8.7.0
- https://nodejs.org/en/blog/release/v8.7.0/

[1:8.6.0-2]
- Use bcond macro instead of bootstrap conditional

[1:8.6.0-1]
- Fix nghttp2 version
- Update to 8.6.0
- https://nodejs.org/en/blog/release/v8.6.0/

[1:8.5.0-3]
- Build with bootstrap + bundle libuv for modularity
- backport patch for aarch64 debug build

[1:8.5.0-2]
- Disable debug builds on aarch64 due to https://github.com/nodejs/node/issues/15395

[1:8.5.0-1]
- Update to v8.5.0
- https://nodejs.org/en/blog/release/v8.5.0/

[1:8.4.0-2]
- Refactor openssl BR

[1:8.4.0-1]
- Update to v8.4.0
- https://nodejs.org/en/blog/release/v8.4.0/
- http2 is now supported, add bundled nghttp2
- remove openssl 1.0.1 patches, we won't be using them in fedora

[1:8.3.0-1]
- Update to v8.3.0
- https://nodejs.org/en/blog/release/v8.3.0/
- update V8 to 6.0
- update minimal gcc and g++ requirements to 4.9.4

[1:8.2.1-2]
- Bump release to fix broken dependencies

[1:8.2.1-1.2]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild

[1:8.2.1-1.1]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild

[1:8.2.1-1]
- Update to v8.2.1
- https://nodejs.org/en/blog/release/v8.2.1/

[1:8.2.0-1]
- Update to v8.2.0
- https://nodejs.org/en/blog/release/v8.2.0/
- Update npm to 5.3.0
- Adds npx command

[1:8.1.4-3]
- s/BuildRequires/Requires/ for http-parser-devel%{?_isa}

[1:8.1.4-2]
- Rename python-devel to python2-devel
- own %{_pkgdocdir}/npm

[1:8.1.4-1]
- Update to v8.1.4
- https://nodejs.org/en/blog/release/v8.1.4/
- Drop upstreamed c-ares patch

[1:8.1.3-1]
- Update to v8.1.3
- https://nodejs.org/en/blog/release/v8.1.3/

[1:8.1.2-1]
- Update to v8.1.2
- remove GCC 7 patch, as it is now fixed in node >= 6.12

nodejs-nodemon
[1.18.3-1]
- Resolves: #1615413
- Updated
- bundled

[1.11.0-2]
- rh-nodejs8 rebuild

[1.11.0-1]
- Updated with script

[1.8.1-6]
- rebuilt

[1.8.1-5]
- Enable scl macros

[1.8.1-2]
- Fix dependencies

[1.8.1-1]
- Initial package

nodejs-packaging
* Tue Mar 12 2019 zsvetlik@redhat.com - 17-3
- Change Requires to Recommends on nodejs dependency, so it is usable for building nodejs

[17-2]
- Switch hardcoded python3 shebangs into the %{__python3} macro

[17-1]
- Fix version comparators with a space after the operator

[16-1]
- Rewrite nodejs.req to better match npm versioning rules
- Add tests for nodejs.req and nodejs.prov

[15-1]
- Fix caret dependency ranges

[14-1]
- Only match top level modules for requires and provides generation

[13-1]
- Add %nodejs_setversion macro

[12-1]
- Port to python 3

[11-2]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild

[11-1]
- nodesjs.req: use boolean with for range dependencies

[10-1]
- Release v10
- Automatically generate Provides for bundled npm dependencies

[9-4]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild

[9-3]
- switch source URL to pagure

[9-2]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild

[9-1]
- nodejs-fixdep: stop --move erroring on missing dependency types

[8-1]
- nodejs-fixdep: add --move option
- nodejs-symlink-deps: add --optional option
- req: generate suggests for optional dependencies

[7-5]
- nodejs-symlink-deps: handle caret in versions

[7-4]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild

[7-3]
- Install macros in %{_rpmconfidir}/macros.d where available (#1074279)

[7-2]
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild

[7-1]
- nodejs-symlink-deps: fix regression preventing multiply versioned modules from
being symlinked correctly

[6-1]
- nodejs-fixdep: use real option parsing
- nodejs-fixdep: support modifying optionalDependencies and devDependencies
- req: support the caret operator
- nodejs-symlink-deps: add --force option
- nodejs-symlink-deps: add --build alias for --check
- nodejs-fixdep: support converting to caret dependencies
- nodejs-fixdep: support non-dictionary dependency properties
- multiver_modules: add nan

[4-1]
- handle cases where the symlink target exists gracefully

[3-1]
- dependencies and engines can be lists or strings too
- handle unversioned dependencies on multiply versioned modules correctly
(RHBZ#982798)
- restrict to compatible arches

[2-1]
- move multiple version list to /usr/share/node
- bump nodejs Requires to 0.10.12
- add Requires: redhat-rpm-config

[1-1]
- initial package

Package	Affected Version
pkg:rpm/oraclelinux/npm?distro=oraclelinux-8.3	< 6.14.8-1.12.19.1.1.module+el8.3.0+7884+668e4ef8
pkg:rpm/oraclelinux/nodejs?distro=oraclelinux-8.3	< 12.19.1-1.module+el8.3.0+7884+668e4ef8
pkg:rpm/oraclelinux/nodejs-packaging?distro=oraclelinux-8.1	< 17-3.module+el8.1.0+5393+aaf413e3
pkg:rpm/oraclelinux/nodejs-nodemon?distro=oraclelinux-8.1	< 1.18.3-1.module+el8.1.0+5393+aaf413e3
pkg:rpm/oraclelinux/nodejs-full-i18n?distro=oraclelinux-8.3	< 12.19.1-1.module+el8.3.0+7884+668e4ef8
pkg:rpm/oraclelinux/nodejs-docs?distro=oraclelinux-8.3	< 12.19.1-1.module+el8.3.0+7884+668e4ef8
pkg:rpm/oraclelinux/nodejs-devel?distro=oraclelinux-8.3	< 12.19.1-1.module+el8.3.0+7884+668e4ef8

ID

ELSA-2020-5499

Severity

moderate

URL

https://linux.oracle.com/errata/ELSA-2020-5499.html

Published

2020-12-17T00:00:00
(3 years ago)

Modified

2020-12-17T00:00:00
(3 years ago)

Rights

Other Advisories

Source	# ID	URL
elsa	ELSA-2020-5499	https://linux.oracle.com/errata/ELSA-2020-5499.html
CVE	CVE-2020-8277	https://linux.oracle.com/cve/CVE-2020-8277.html
CVE	CVE-2020-7774	https://linux.oracle.com/cve/CVE-2020-7774.html
CVE	CVE-2020-15366	https://linux.oracle.com/cve/CVE-2020-15366.html

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform
Affected	pkg:rpm/oraclelinux/npm?distro=oraclelinux-8.3	oraclelinux	npm	< 6.14.8-1.12.19.1.1.module+el8.3.0+7884+668e4ef8	oraclelinux-8.3
Affected	pkg:rpm/oraclelinux/nodejs?distro=oraclelinux-8.3	oraclelinux	nodejs	< 12.19.1-1.module+el8.3.0+7884+668e4ef8	oraclelinux-8.3
Affected	pkg:rpm/oraclelinux/nodejs-packaging?distro=oraclelinux-8.1	oraclelinux	nodejs-packaging	< 17-3.module+el8.1.0+5393+aaf413e3	oraclelinux-8.1
Affected	pkg:rpm/oraclelinux/nodejs-nodemon?distro=oraclelinux-8.1	oraclelinux	nodejs-nodemon	< 1.18.3-1.module+el8.1.0+5393+aaf413e3	oraclelinux-8.1
Affected	pkg:rpm/oraclelinux/nodejs-full-i18n?distro=oraclelinux-8.3	oraclelinux	nodejs-full-i18n	< 12.19.1-1.module+el8.3.0+7884+668e4ef8	oraclelinux-8.3
Affected	pkg:rpm/oraclelinux/nodejs-docs?distro=oraclelinux-8.3	oraclelinux	nodejs-docs	< 12.19.1-1.module+el8.3.0+7884+668e4ef8	oraclelinux-8.3
Affected	pkg:rpm/oraclelinux/nodejs-devel?distro=oraclelinux-8.3	oraclelinux	nodejs-devel	< 12.19.1-1.module+el8.3.0+7884+668e4ef8	oraclelinux-8.3

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date