From: Hirokazu MORIKAWA Date: Fri, 16 Feb 2024 06:14:51 +0000 (+0900) Subject: node: February 14 2024 Security Releases X-Git-Url: http://git.99rst.org/?a=commitdiff_plain;h=52e6017ad188334b184c79135bebff50a76cf01f;p=openwrt-packages.git node: February 14 2024 Security Releases Update to v20.11.1 This is a security release. Notable changes * CVE-2024-21892 - Code injection and privilege escalation through Linux capabilities- (High) * CVE-2024-22019 - http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks- (High) * CVE-2024-21896 - Path traversal by monkey-patching Buffer internals- (High) * CVE-2024-22017 - setuid() does not drop all privileges due to io_uring - (High) * CVE-2023-46809 - Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) - (Medium) * CVE-2024-21891 - Multiple permission model bypasses due to improper path traversal sequence sanitization - (Medium) * CVE-2024-21890 - Improper handling of wildcards in --allow-fs-read and --allow-fs-write (Medium) * CVE-2024-22025 - Denial of Service by resource exhaustion in fetch() brotli decoding - (Medium) * undici version 5.28.3 * libuv version 1.48.0 * OpenSSL version 3.0.13+quic1 (Depends on shared library provided by OpenWrt) Signed-off-by: Hirokazu MORIKAWA --- diff --git a/lang/node/Makefile b/lang/node/Makefile index 874da8716..1238b94d8 100644 --- a/lang/node/Makefile +++ b/lang/node/Makefile @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=node -PKG_VERSION:=v20.11.0 +PKG_VERSION:=v20.11.1 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=https://nodejs.org/dist/$(PKG_VERSION) -PKG_HASH:=31807ebeeeb049c53f1765e4a95aed69476a4b696dd100cb539ab668d7950b40 +PKG_HASH:=77813edbf3f7f16d2d35d3353443dee4e61d5ee84d9e3138c7538a3c0ca5209e PKG_MAINTAINER:=Hirokazu MORIKAWA , Adrian Panella PKG_LICENSE:=MIT