| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
|
|
|
|
| |
Notable Changes
*OpenSSL 1.1.1s
*Root certificates updated to NSS 3.85
*Time zone update to 2022f
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
|
| |
|
|
|
|
| |
Update to v16.18.0
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The following CVEs are fixed in this release:
* CVE-2022-32212: DNS rebinding in --inspect on macOS (High)
* Insufficient fix for macOS devices on v18.5.0
* CVE-2022-32222: Node 18 reads openssl.cnf from /home/iojs/build/ upon startup on MacOS (Medium)
* CVE-2022-32213: HTTP Request Smuggling - Flawed Parsing of Transfer-Encoding (Medium)
* Insufficient fix on v18.5.0
* CVE-2022-32215: HTTP Request Smuggling - Incorrect Parsing of Multi-line Transfer-Encoding (Medium)
* Insufficient fix on v18.5.0
* CVE-2022-35256: HTTP Request Smuggling - Incorrect Parsing of Header Fields (Medium)
* CVE-2022-35255: Weak randomness in WebCrypto keygen
More detailed information on each of the vulnerabilities can be found in September 22nd 2022 Security Releases blog post.
llhttp updated to 6.0.10
llhttp is updated to 6.0.10 which includes fixes for the following vulnerabilities.
* HTTP Request Smuggling - CVE-2022-32213 bypass via obs-fold mechanic (Medium)(CVE-2022-32213 ): The llhttp parser in the http module does not correctly parse and validate Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).
* HTTP Request Smuggling - Incorrect Parsing of Multi-line Transfer-Encoding (Medium)(CVE-2022-32215): The llhttp parser in the http module does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).
* HTTP Request Smuggling - Incorrect Parsing of Header Fields (Medium)(CVE-35256): The llhttp parser in the http does not correctly handle header fields that are not terminated with CLRF. This can lead to HTTP Request Smuggling (HRS).
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Notable Changes:
Experimental command-line argument parser API
Experimental ESM Loader Hooks API
Experimental test runner
Improved interoperability of the Web Crypto API
Dependency updates:
Updated Corepack to 0.12.1
Updated ICU to 71.1
Updated npm to 8.15.0
Updated Undici to 5.8.0
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Update to v16.16.0
Release for the following issues:
HTTP Request Smuggling - Flawed Parsing of Transfer-Encoding (Medium)(CVE-2022-32213)
HTTP Request Smuggling - Improper Delimiting of Header Fields (Medium)(CVE-2022-32214)
HTTP Request Smuggling - Incorrect Parsing of Multi-line Transfer-Encoding (Medium)(CVE-2022-32215)
DNS rebinding in --inspect via invalid IP addresses (High)(CVE-2022-32212)
https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/
No vulnerabilities related with openssl (uses system openssl)
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
|
| |
|
|
|
|
|
| |
Upgrade npm to 8.11.0
Suppressed unnecessary builds.
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
|
| |
|
|
|
|
|
|
| |
Description:
Update from v16.15.0
Changed handling of host's npm problems due to npm updates.
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
|
| |
|
|
|
|
|
|
| |
This update also changes npm from v6 to v8.
This change also requires node module packages to be modified.
Each package will be updated later.
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Update to v14.18.3
January 10th 2022 Security Releases:
Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)
Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)
Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)
Prototype pollution via console.table properties (Low)(CVE-2022-21824)
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
|
| |
|
|
|
|
|
| |
Update to v14.18.2
Remove unneeded c-ares patches
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
|
| |
|
|
|
|
|
|
| |
October 12th 2021 Security Releases:
HTTP Request Smuggling due to spaced in headers (Medium)(CVE-2021-22959)
HTTP Request Smuggling when parsing the body (Medium)(CVE-2021-22960)
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
July 2021 Security Releases:
Use after free on close http2 on stream canceling (High) (CVE-2021-22930)
Node.js is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.
You can read more about it in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22930
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
|
| |
|
|
|
|
|
|
| |
Notable Changes:
deps: update ICU to 69.1 (Michaël Zasso)
errors: align source-map stacks with spec (Benjamin Coe)
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
|
| |
|
|
|
|
| |
Reduce package size by about 1MB.
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
|
| |
|
|
|
|
|
|
|
| |
Notable Changes:
Diagnostics channel (experimental module)
UUID support in the crypto module
Experimental support for AbortController and AbortSignal
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
|
| |
|
|
|
|
|
|
| |
Resolve conflicts between OpenWrt's ICU package and the ICU shipped with node.js.
https://github.com/openwrt/packages/issues/15437
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
April 2021 Security Releases
- OpenSSL - CA certificate check bypass with X509_V_FLAG_X509_STRICT (High) (CVE-2021-3450)
- OpenSSL - NULL pointer deref in signature_algorithms processing (High) (CVE-2021-3449)
- npm upgrade - Update y18n to fix Prototype-Pollution (High) (CVE-2020-7774)
OpenSSL-related vulnerabilities do not affect the OpenWrt package. Because OpenWrt's OpenSSL shared library has been updated.
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
|
| |
|
|
| |
Signed-off-by: Robin Rainton <robin@rainton.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Update to v14.16.0
February 2021 Security Releases
- HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion (Critical) (CVE-2021-22883)
- DNS rebinding in --inspect (CVE-2021-22884)
- OpenSSL - Integer overflow in CipherUpdate (CVE-2021-23840)
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
|
| |
|
|
|
|
|
| |
Made the necessary changes to build the latest version of adguardhome.
See this thread : https://github.com/openwrt/packages/pull/14717
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
|
| |
|
|
|
|
|
|
| |
Description:
Update to v14.15.5
upgrade npm to 6.14.11
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
|
| |
|
|
|
|
|
|
| |
January 2021 Security Releases:
use-after-free in TLSWrap (High) (CVE-2020-8265)
HTTP Request Smuggling in nodejs (Low) (CVE-2020-8287)
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
Maintainer: me @ianchi
Compile tested: head r15324-920b692, aarch64, x86_64
Run tested: (qemu 5.2.0) aarch64, x86_64
Description:
Update to v14.15.3
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
|
| |
|
|
|
|
| |
Update to v14.15.1
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
|
| |
|
|
|
|
|
| |
Update to v12.20.0
Take over maintainership from John Crispin
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
|
| |
|
|
|
|
|
| |
Update to v12.19.0
Fixes for the removal of MIPS FPU emulator support.
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
Vulnerabilities fixed:
* CVE-2020-8201: HTTP Request Smuggling due to CR-to-Hyphen conversion (High).
* CVE-2020-8252: fs.realpath.native on may cause buffer overflow (Medium).
Imported patches from the debian package.
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
upgrade npm to 6.14.6
update openssl to 1.1.1g
Vulnerabilities fixed:
* CVE-2020-8172: TLS session reuse can lead to host certificate verification bypass (High).
* CVE-2020-11080: HTTP/2 Large Settings Frame DoS (Low).
* CVE-2020-8174: napi_get_value_string_*() allows various kinds of memory corruption (High).
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
|
| |
|
|
|
|
| |
modify host icu library path
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
|
| |
|
|
|
|
|
|
| |
Add some new APIs
V8 was updated to 7.8.279.23. This includes performance improvements to object
destructuring, RegExp match failures and WebAssembly startup time.
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
|
| |
|
|
|
|
|
|
| |
Update to v12.15.0
Support Python3 : https://github.com/openwrt/packages/issues/8893
Preparing to deprecate nosnapshot builds.
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
| |
This is a security release.
Node.js, as well as many other implementations of HTTP/2,
have been found
vulnerable to Denial of Service attacks.
See https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-002.md
for more information.
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
fix host build error on macOS
reference: https://github.com/openwrt/packages/issues/9616
Related: https://github.com/openwrt/packages/issues/7171
(This correspondence is necessary to build with macOS.)
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
|
| |
|
|
|
|
|
|
| |
see: https://github.com/openwrt/packages/pull/8796
And remove uclibc depends
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
|
| |
|
|
|
|
|
| |
Node does not support arc or armeb systems.
Moved i18 option to straight under node instead of on its own menu.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
|
| |
|
|
|
|
| |
Update to v8.16.0
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
|
| |
|
|
|
|
|
| |
support powerpc32 musl
https://downloads.openwrt.org/snapshots/faillogs/powerpc_464fp/packages/node/compile.txt
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
|
| |
|
|
|
|
|
|
| |
Several security fixes:
Node.js: Slowloris HTTP Denial of Service with keep-alive (CVE-2019-5737)
OpenSSL: 0-byte record padding oracle (CVE-2019-1559)
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
|
| |
|
|
|
|
|
|
| |
Mainly CVE fixes.
Added a patch to fix compilation without deprecated OpenSSL APIs.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
|
| |
|
|
|
|
| |
Use the openwrt system libraries instead of the ones bundled with node.
Signed-off-by: Eneas U de Queiroz <cote2004-github@yahoo.com>
|
| |
|
|
|
|
|
|
| |
Fixes several CVEs.
Added PKG_CPE_ID for proper CVE tracking.
Signed-off-by: Rosen Penev <rosenp@gmail.com>
|
| |
|
|
|
|
|
| |
Update to v8.11.3 Several security fixes:
CVE-2018-7167, CVE-2018-7161, CVE-2018-1000168,CVE-2018-7158, CVE-2018-7159, CVE-2018-7160
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Automatic detection of the arm architecture does not work well.
http://downloads.lede-project.org/snapshots/faillogs/arm_arm1176jzf-s_vfp/packages/node/compile.txt
```
../deps/v8/src/arm/assembler-arm.cc:176:2: error: #error "CAN_USE_ARMV7_INSTRUCTIONS should match CAN_USE_VFP3_INSTRUCTIONS"
#error "CAN_USE_ARMV7_INSTRUCTIONS should match CAN_USE_VFP3_INSTRUCTIONS"
^~~~~
```
https://github.com/openwrt/packages/issues/5728
Explicitly set cpu arch optimization flag to the compiler option so that "configure" script correctly identifies "arm version".
(Raspberry Pi Zero W)
Raspbian:
```
raspberrypi:~ $ echo | gcc -dM -E - | grep ARM_ARCH
```
OpenWrt (cross-env):
```
ubuntu:~ $ echo | ./arm-openwrt-linux-muslgnueabi-gcc -dM -E - | grep ARM_ARCH
```
```
ubuntu:~ $ echo | ./arm-openwrt-linux-muslgnueabi-gcc -mcpu=arm1176jzf-s -dM -E - | grep ARM_ARCH
```
Also specifying an option lines compactly.
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
|
| |
|
|
|
|
|
|
|
|
| |
modify patch.
https://github.com/nodejs/node/pull/19196
made not to use libressl headers
fix to include path not to use "host/include"
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Changes:
Version bump to 8.10.0
Refreshed patches
Added npx install
Added 004-node_crypto-remove-std.patch
Additional patch fixes node_cypto compile failure:
./src/node_crypto.cc:5626:32: error: expected unqualified-id before '('
Signed-off-by: Arturo Rinaldi <arty.net2@gmail.com>
Signed-off-by: Marko Ratkaj <marko.ratkaj@sartura.hr>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
It requires either hardware or software emulated fpu, otherwise program
can fail with SIGILL for fp instructions emitted by the JIT compiler
See #1937, #2633, #2442, FS#1257 for details
From code snippet at deps/v8/src/mips/constants-mips.h
#elif(defined(__mips_soft_float) && __mips_soft_float != 0)
// This flag is raised when -msoft-float is passed to the compiler.
// // Although FPU is a base requirement for v8, soft-float ABI is used
// // on soft-float systems with FPU kernel emulation.
// const bool IsMipsSoftFloatABI = true;
[1] https://bugs.chromium.org/p/v8/issues/detail?id=4704
Signed-off-by: Yousong Zhou <yszhou4tech@gmail.com>
|
| |
|
|
| |
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
|
| |
|
|
|
|
| |
https://github.com/openwrt/packages/issues/4742
Signed-off-by: Hirokazu MORIKAWA <morikw2@gmail.com>
|
| |
|
|
| |
Signed-off-by: Adrian Panella <ianchi74@outlook.com>
|
| |
|
|
| |
Signed-off-by: Adrian Panella <ianchi74@outlook.com>
|