From c788ba095a5baed77060790ba5a3130fd0f1d79d Mon Sep 17 00:00:00 2001
From: Hirokazu MORIKAWA
Date: Wed, 16 Sep 2020 09:32:42 +0900
Subject: node: update to v12.18.4
Vulnerabilities fixed:
* CVE-2020-8201: HTTP Request Smuggling due to CR-to-Hyphen conversion (High).
* CVE-2020-8252: fs.realpath.native on may cause buffer overflow (Medium).
Imported patches from the debian package.
Signed-off-by: Hirokazu MORIKAWA
---
.../node/patches/999-localhost-no-addrconfig.patch | 29 ++++++++++++++++++++++
1 file changed, 29 insertions(+)
create mode 100644 lang/node/patches/999-localhost-no-addrconfig.patch
(limited to 'lang/node/patches/999-localhost-no-addrconfig.patch')
diff --git a/lang/node/patches/999-localhost-no-addrconfig.patch b/lang/node/patches/999-localhost-no-addrconfig.patch
new file mode 100644
index 000000000..4d1197321
--- /dev/null
+++ b/lang/node/patches/999-localhost-no-addrconfig.patch
@@ -0,0 +1,29 @@
+Description: do not use dns.ADDRCONFIG for localhost
+ it fails on IPv6-only systems. Setting it with libc fails on linux.
+ https://github.com/nodejs/node/issues/33279
+Author: Jérémy Lal
+Last-Update: 2020-06-11
+Bug-Debian: https://bugs.debian.org/962318
+Forwarded: https://github.com/nodejs/node/issues/33816
+--- a/lib/net.js
++++ b/lib/net.js
+@@ -1,4 +1,5 @@
+ // Copyright Joyent, Inc. and other Node contributors.
++
+ //
+ // Permission is hereby granted, free of charge, to any person obtaining a
+ // copy of this software and associated documentation files (the
+@@ -1028,13 +1029,6 @@
+ hints: options.hints || 0
+ };
+
+- if (!isWindows &&
+- dnsopts.family !== 4 &&
+- dnsopts.family !== 6 &&
+- dnsopts.hints === 0) {
+- dnsopts.hints = dns.ADDRCONFIG;
+- }
+-
+ debug('connect: find host', host);
+ debug('connect: dns options', dnsopts);
+ self._host = host;
-- cgit v1.2.3
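Review bot: The patch header says the ADDRCONFIG hint is dropped "for localhost", but the block removed in the second inner hunk (`if (!isWindows && dnsopts.family !== 4 && dnsopts.family !== 6 && dnsopts.hints === 0)`) has no host condition, so the default is removed for every `net` connect lookup that neither pins a family nor passes its own hints. Without ADDRCONFIG the resolver may return addresses of a family the system has no configured interface for, so on single-stack hosts a connect can be tried against an unreachable address first; the header should state the real scope, e.g. `Description: do not default to dns.ADDRCONFIG in net connect lookups (applies to all hosts, not only localhost)`. The first inner hunk only inserts a blank line after the copyright comment in lib/net.js and looks like leftover; dropping it would keep the patch from failing to apply on an unrelated change to the file header. The enclosing function in lib/net.js starts and ends outside the hunk, so callers that rely on the old default are not visible here.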