Debian Patches

Status for nodejs/12.22.12~dfsg-1~deb11u5

Patch Description Author Forwarded Bugs Origin Last update
test_dns_lookupService_promises.patch this test assumes /etc/services, work around it Jérémy Lal <kapouer@melix.org> yes 2022-06-26
ares_compat.patch keep nodejs compatible with libc-ares 1.17.1 Jérémy Lal <kapouer@melix.org> not-needed 2021-08-11
shared_uv_from_uvwasi.patch uvwasi depends on uv.gyp and ignores shared_libuv Jérémy Lal <kapouer@melix.org> yes 2021-07-03
large_pages_assembly_gnu_stack.patch Adds .GNU-stack section header to disable executable stack flag James Addison <jay@jp-hosting.net> no https://github.com/nodejs/node/pull/37688
dfhs_module_path_arch_triplet.patch Multiarch search path, arch triplet, DFHS path for modules "Bastien ROUCARIÈS" <roucaries.bastien@gmail.com> yes 2020-03-04
use_system_node_gyp.patch use system-installed node-gyp for building test modules Jérémy Lal <kapouer@melix.org> not-needed 2015-09-09
privacy_breach.patch remove google font from template.html, and link to local Jérémy Lal <kapouer@melix.org> not-needed 2015-09-09
make-doc.patch build doc using marked and js-yaml, while waiting for unified/remarked/rehyped modules to be available in debian Jérémy Lal <kapouer@melix.org> not-needed 2020-08-05
2017_mips_configure_fpu.patch use configuration directive to set mips fpu mode YunQiang Su <wzssyqa@gmail.com> yes 2015-09-29
test_ci_buildd.patch adapt test-ci build target for buildd * run tests with ./node
* remove addons from test-ci suite, because it creates a dependency loop
nodejs -> node-gyp -> nodejs which is painful to manage.
* disabled because it requires stdin:
+ test-stdout-close-unref
+ test-regress-GH-746
* test-tick-processor fails on ppc64 and s390x, currently investigated
https://github.com/nodejs/node/issues/2471
* test-cluster-disconnect sometimes fails on busy buildd, forwarded upstream
https://github.com/nodejs/node/issues/3383
* test-fs-watch is flaky, might be related to https://github.com/nodejs/node/issues/4082
* huge timeout value for all platforms, buildd could be busy
* test-npm-install and test-release-npm must fail: the debian package is dfsg-repacked with npm removed
* ability to override CI_NATIVE_SUITES, CI_JS_SUITES
* disable tests failing because DNS is disabled
* sequential/test-http2-session-timeout is flaky https://github.com/nodejs/node/issues/20628
Jérémy Lal <kapouer@melix.org> not-needed 2020-02-09
fix_disable_cctest.patch do not build cctest, build broken on debian Jérémy Lal <kapouer@melix.org> invalid 2017-12-18
benchmark_without_alice.patch a test uses a benchmark that reads alice.html, which is dfsg-excluded Jérémy Lal <kapouer@melix.org> not-needed 2020-03-04
atomic.patch Link to -latomic by default. This avoids surprises on mips*el/ppc*el Jérémy Lal <kapouer@melix.org> not-needed upstream 2019-10-25
mips-fix.patch upstream mips fix no https://github.com/nodejs/node/issues/31118 2020-05-30
mips-less-memory.patch mksnapshot uses too much memory on 32-bit mipsel Jérémy Lal <kapouer@melix.org> yes 2020-06-03
mips-no-jitless.patch on mipsel, mips64el, node --jitless segfaults Jérémy Lal <kapouer@melix.org> yes 2020-06-03
localhost-no-addrconfig.patch do not use dns.ADDRCONFIG for localhost: it fails on IPv6-only systems. Setting it with libc fails on linux.
https://github.com/nodejs/node/issues/33279
Jérémy Lal <kapouer@melix.org> yes debian 2020-06-11
ppc64.patch [PATCH] Fix crashes on Linux/PPC64 ELFv1 Marcus Comstedt <marcus@mc.pp.se> no https://github.com/nodejs/node/pull/33866 2020-06-13
python3.patch support build with python3 Jérémy Lal <kapouer@melix.org> not-needed 2020-08-08
cjs-module-lexer.patch cannot rebuild dist/lexer.js, just use pure-js lexer Jérémy Lal <kapouer@melix.org> not-needed 2020-11-24
upstream-fix-test-worker-prof.patch [PATCH] test: fix flaky test-worker-prof Rich Trott <rtrott@gmail.com> no 2021-02-14
cve-2022-32212.patch commit 48c5aa5cab718d04473fa2761d532657c84b8131

src: fix IPv4 validation in inspector_socket

Co-authored-by: RafaelGSS <rafael.nunu@hotmail.com>
PR-URL: https://github.com/nodejs-private/node-private/pull/320
Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/325
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: RafaelGSS <rafael.nunu@hotmail.com>
CVE-ID: CVE-2022-32212

===================================================================
Tobias Nießen <tniessen@tnie.de> no 2022-05-27
cve-2022-35255.patch Comment:
Although WebCrypto is not implemented in the 12.x series, this fix also improves
the crypto setup of V8's EntropySource().

commit 0c2a5723beff39d1f62daec96b5389da3d427e79

crypto: fix weak randomness in WebCrypto keygen

Commit dae283d96f from August 2020 introduced a call to EntropySource()
in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There
are two problems with that:

1. It does not check the return value, it assumes EntropySource() always
succeeds, but it can (and sometimes will) fail.

2. The random data returned by EntropySource() may not be
cryptographically strong and therefore not suitable as keying
material.

An example is a freshly booted system or a system without /dev/random or
getrandom(2).

EntropySource() calls out to openssl's RAND_poll() and RAND_bytes() in a
best-effort attempt to obtain random data. OpenSSL has a built-in CSPRNG
but that can fail to initialize, in which case it's possible either:

1. No random data gets written to the output buffer, i.e., the output is
unmodified, or

2. Weak random data is written. It's theoretically possible for the
output to be fully predictable because the CSPRNG starts from a
predictable state.

Replace EntropySource() and CheckEntropy() with new function CSPRNG()
that enforces checking of the return value. Abort on startup when the
entropy pool fails to initialize because that makes it too easy to
compromise the security of the process.

Refs: https://hackerone.com/bugs?report_id=1690000
Refs: https://github.com/nodejs/node/pull/35093

Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
PR-URL: #346
Backport-PR-URL: #351
CVE-ID: CVE-2022-35255

===================================================================
Ben Noordhuis <info@bnoordhuis.nl> no https://github.com/nodejs/node/commit/0c2a5723beff39d1f62daec96b5389da3d427e79 2022-09-11
cve-2022-43548.patch commit 2b433af094fb79cf80f086038b7f36342cb6826f

inspector: harden IP address validation again

Use inet_pton() to parse IP addresses, which restricts IP addresses
to a small number of well-defined formats. In particular, octal and
hexadecimal number formats are not allowed, and neither are leading
zeros. Also explicitly reject 0.0.0.0/8 and ::/128 as non-routable.

Refs: https://hackerone.com/reports/1710652
CVE-ID: CVE-2022-43548
PR-URL: https://github.com/nodejs-private/node-private/pull/354
Reviewed-by: Michael Dawson <midawson@redhat.com>
Reviewed-by: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-by: Rich Trott <rtrott@gmail.com>

===================================================================
Tobias Nießen <tniessen@tnie.de> no 2022-09-25
cve-llhttp.patch Comment:
This patch updates the embedded copy of llhttp from version 2.1.4 to 2.1.6,
which is upstream's actual fix for CVE-2022-32213, CVE-2022-32214, CVE-2022-32215
and CVE-2022-35256.
Test cases are ported to use mustCall() in place of the later-introduced
mustSucceed(), to avoid pulling in too much dependent new test code.
References:
* https://github.com/nodejs/node/commit/da0fda0fe81d372e24c0cb11aec37534985708dd
* https://github.com/nodejs/node/commit/a9f1146b8827855e342834458a71f2367346ace0
no 2023-01-05
cve-2023-23920.patch build: build ICU with ICU_NO_USER_DATA_OVERRIDE RafaelGSS <rafael.nunu@hotmail.com> yes debian upstream https://github.com/nodejs/node/commit/97a0443f1369e65cf656a529b2f5433bfd56ad92 2023-01-18
0027-CVE-2023-30589-http-disable-request-smuggling-via-em.patch CVE-2023-30589 http: disable request smuggling via empty headers
The llhttp parser in the http module does not strictly use the CRLF sequence to delimit HTTP requests.
This can lead to HTTP Request Smuggling (HRS). The CR character (without LF)
is sufficient to delimit HTTP header fields in the llhttp parser.

According to RFC7230 section 3, only the CRLF sequence should delimit each header-field.

origin-pull-429: https://github.com/nodejs-private/node-private/pull/429
origin-pull-427: https://github.com/nodejs-private/node-private/pull/427
Paolo Insogna <paolo@cowtech.it> yes upstream 2023-06-13
0028-CVE-2023-30590-Fix-documentation-and-clarify-API-cal.patch CVE-2023-30590: Fix documentation and clarify API call for crypto.createDiffieHellman()

The DiffieHellman class is an old and thin wrapper around certain
OpenSSL functions, many of which are deprecated in OpenSSL 3.0. Because
the Node.js API mirrors the OpenSSL API, it adopts some of its
peculiarities, but the Node.js documentation does not properly reflect
these. Most importantly, despite the documentation saying otherwise,
diffieHellman.generateKeys() does not generate a new private key when
one has already been set or generated. Based on the documentation alone,
users may be led to misuse the API in a way that results in key reuse,
which can have drastic negative consequences for subsequent operations
that consume the shared secret.

These design issues in this old API have been around for many years, and
we are not currently aware of any misuse in the ecosystem that falls
into the above scenario. Changing the behavior of the API would be a
significant breaking change and is thus not appropriate for a security
release (nor is it a goal.) The reported issue is treated as CWE-1068
(after a vast amount of uncertainty whether to treat it as a
vulnerability at all), therefore, this change only updates the
documentation to match the actual behavior. Tests are also added that
demonstrate this particular oddity.

Newer APIs exist that can be used for some, but not all, Diffie-Hellman
operations (e.g., crypto.diffieHellman() that was added in 2020). We
should keep modernizing crypto APIs, but that is a non-goal for this
security release.

The ECDH class mirrors the DiffieHellman class in many ways, but it does
not appear to be affected by this particular peculiarity. In particular,
ecdh.generateKeys() does appear to always generate a new private key.

PR-URL: https://github.com/nodejs-private/node-private/pull/426
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
CVE-ID: CVE-2023-30590
Tobias Nießen <tobias.niessen@tuwien.ac.at> no 2023-06-12
0029-CVE-2023-32559-policy-disable-process.binding-when-e.patch CVE-2023-32559: policy: disable process.binding() when enabled
process.binding() can be used to trivially bypass restrictions imposed
through a policy. Since the function is deprecated already, simply
replace it with a stub when a policy is being enabled.
Tobias Nießen <tobias.niessen@tuwien.ac.at> yes upstream https://github.com/nodejs-private/node-private/pull/459 2023-04-16
0030-CVE-2023-46809-crypto-disable-PKCS-1-padding-for-pri.patch CVE-2023-46809 crypto: disable PKCS#1 padding for privateDecrypt

Disable RSA_PKCS1_PADDING for crypto.privateDecrypt() in order
to protect against the Marvin attack.

Includes a security revert flag that can be used to restore
support.
Michael Dawson <midawson@redhat.com> yes upstream backport, https://github.com/nodejs/node/commit/d3d357ab096884f10f5d2f164149727eea875635 2024-01-04
0031-CVE-2024-22019-http-add-maximum-chunk-extension-size.patch CVE-2024-22019: http: add maximum chunk extension size Paolo Insogna <paolo@cowtech.it> yes upstream backport, https://github.com/nodejs/node/commit/911cb33cdadab57a75f97186290ea8f3903a6171.patch 2024-01-09
0032-CVE-2024-22025-zlib-pause-stream-if-outgoing-buffer-.patch CVE-2024-22025 zlib: pause stream if outgoing buffer is full
A vulnerability in Node.js has been identified, allowing for a Denial
of Service (DoS) attack through resource exhaustion when using the
fetch() function to retrieve content from an untrusted URL. The
vulnerability stems from the fact that the fetch() function in Node.js
always decodes Brotli, making it possible for an attacker to cause
resource exhaustion when fetching content from an untrusted URL. An
attacker controlling the URL passed into fetch() can exploit this
vulnerability to exhaust memory, potentially leading to process
termination, depending on the system configuration.
Matteo Collina <hello@matteocollina.com> yes upstream backport, https://github.com/nodejs/node/commit/9052ef43dc2d1b0db340591a9bc9e45a25c01d90.patch 2024-02-06
0033-CVE-2024-27982-http-do-not-allow-OBS-fold-in-headers.patch CVE-2024-27982 http: do not allow OBS fold in headers by default
The team has identified a critical vulnerability in the http server of
the most recent version of Node, where malformed headers can lead to
HTTP request smuggling. Specifically, if a space is placed before a
content-length header, it is not interpreted correctly, enabling
attackers to smuggle in a second request within the body of the first.
Paolo Insogna <paolo@cowtech.it> yes upstream backport, https://github.com/nodejs/node/commit/5d4d5848cf557fba6dc0bfdd020471ea607950ca.patch 2024-03-15
0034-CVE-2024-27983-ensure-to-close-stream-when-destroyin.patch CVE-2024-27983 ensure to close stream when destroying session RafaelGSS <rafael.nunu@hotmail.com> no backport, https://github.com/nodejs/node/commit/0fb816dbccde955cd24acc1b16497a91fab507c8.patch 2024-03-26
