| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| test_dns_lookupService_promises.patch | this test assumes /etc/services, work around it | Jérémy Lal <kapouer@melix.org> | yes | 2022-06-26 | ||
| ares_compat.patch | keep nodejs compatible with libc-ares 1.17.1 | Jérémy Lal <kapouer@melix.org> | not-needed | 2021-08-11 | ||
| shared_uv_from_uvwasi.patch | uvwasi depends on uv.gyp and ignores shared_libuv | Jérémy Lal <kapouer@melix.org> | yes | 2021-07-03 | ||
| large_pages_assembly_gnu_stack.patch | Adds .GNU-stack section header to disable executable stack flag | James Addison <jay@jp-hosting.net> | no | https://github.com/nodejs/node/pull/37688 | ||
| dfhs_module_path_arch_triplet.patch | Multiarch search path, arch triplet, DFHS path for modules | "Bastien ROUCARIÈS" <roucaries.bastien@gmail.com> | yes | 2020-03-04 | ||
| use_system_node_gyp.patch | use system-installed node-gyp for building test modules | Jérémy Lal <kapouer@melix.org> | not-needed | 2015-09-09 | ||
| privacy_breach.patch | remove google font from template.html, and link to local | Jérémy Lal <kapouer@melix.org> | not-needed | 2015-09-09 | ||
| make-doc.patch | build doc using marked and js-yaml While waiting for unified/remarked/rehyped modules to be available in debian | Jérémy Lal <kapouer@melix.org> | not-needed | 2020-08-05 | ||
| 2017_mips_configure_fpu.patch | use configuration directive to set mips fpu mode | YunQiang Su <wzssyqa@gmail.com> | yes | 2015-09-29 | ||
| test_ci_buildd.patch | adapt test-ci build target for buildd * run tests with ./node * remove addons from test-ci suite, because it creates a dependency loop nodejs -> node-gyp -> nodejs which is painful to manage. * disabled because it requires stdin: + test-stdout-close-unref + test-regress-GH-746 * test-tick-processor fails on ppc64 and s390x, currently investigated https://github.com/nodejs/node/issues/2471 * test-cluster-disconnect sometimes fails on busy buildd, forwarded upstream https://github.com/nodejs/node/issues/3383 * test-fs-watch is flaky, might be related to https://github.com/nodejs/node/issues/4082 * huge timeout value for all platforms, buildd could be busy * test-npm-install and test-release-npm must fail, debian package dfsg-repacked npm out * ability to override CI_NATIVE_SUITES, CI_JS_SUITES * disable tests failing because DNS is disabled * sequential/test-http2-session-timeout is flaky https://github.com/nodejs/node/issues/20628 |
Jérémy Lal <kapouer@melix.org> | not-needed | 2020-02-09 | ||
| fix_disable_cctest.patch | do not build cctest, build broken on debian | Jérémy Lal <kapouer@melix.org> | invalid | 2017-12-18 | ||
| benchmark_without_alice.patch | a test uses a benchmark that read alice.html, dfsg excluded | Jérémy Lal <kapouer@melix.org> | not-needed | 2020-03-04 | ||
| atomic.patch | Link to -latomic by default This avoids surprises on mips*el/ppc*el | Jérémy Lal <kapouer@melix.org> | not-needed | upstream | 2019-10-25 | |
| mips-fix.patch | upstream mips fix | no | https://github.com/nodejs/node/issues/31118 | 2020-05-30 | ||
| mips-less-memory.patch | mksnapshot uses too much memory on 32-bit mipsel | Jérémy Lal <kapouer@melix.org> | yes | 2020-06-03 | ||
| mips-no-jitless.patch | on mipsel, mips64el, node --jitless segfaults | Jérémy Lal <kapouer@melix.org> | yes | 2020-06-03 | ||
| localhost-no-addrconfig.patch | do not use dns.ADDRCONFIG for localhost it fails on IPv6-only systems. Setting it with libc fails on linux. https://github.com/nodejs/node/issues/33279 |
Jérémy Lal <kapouer@melix.org> | yes | debian | 2020-06-11 | |
| ppc64.patch | [PATCH] Fix crashes on Linux/PPC64 ELFv1 | Marcus Comstedt <marcus@mc.pp.se> | no | https://github.com/nodejs/node/pull/33866 | 2020-06-13 | |
| python3.patch | support build with python3 | Jérémy Lal <kapouer@melix.org> | not-needed | 2020-08-08 | ||
| cjs-module-lexer.patch | cannot rebuilt dist/lexer.js, just use pure-js lexer | Jérémy Lal <kapouer@melix.org> | not-needed | 2020-11-24 | ||
| upstream-fix-test-worker-prof.patch | [PATCH] test: fix flaky test-worker-prof | Rich Trott <rtrott@gmail.com> | no | 2021-02-14 | ||
| cve-2022-32212.patch | commit 48c5aa5cab718d04473fa2761d532657c84b8131 src: fix IPv4 validation in inspector_socket Co-authored-by: RafaelGSS <rafael.nunu@hotmail.com> PR-URL: https://github.com/nodejs-private/node-private/pull/320 Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/325 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: RafaelGSS <rafael.nunu@hotmail.com> CVE-ID: CVE-2022-32212 =================================================================== |
Tobias Nießen <tniessen@tnie.de> | no | 2022-05-27 | ||
| cve-2022-35255.patch | Comment: Although WebCrypto is not implemented in 12.x series, this fix is introducing enhancment to the crypto setup of V8:EntropySource(). commit 0c2a5723beff39d1f62daec96b5389da3d427e79 crypto: fix weak randomness in WebCrypto keygen Commit dae283d96f from August 2020 introduced a call to EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with that: 1. It does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail. 2. The random data returned byEntropySource() may not be cryptographically strong and therefore not suitable as keying material. An example is a freshly booted system or a system without /dev/random or getrandom(2). EntropySource() calls out to openssl's RAND_poll() and RAND_bytes() in a best-effort attempt to obtain random data. OpenSSL has a built-in CSPRNG but that can fail to initialize, in which case it's possible either: 1. No random data gets written to the output buffer, i.e., the output is unmodified, or 2. Weak random data is written. It's theoretically possible for the output to be fully predictable because the CSPRNG starts from a predictable state. Replace EntropySource() and CheckEntropy() with new function CSPRNG() that enforces checking of the return value. Abort on startup when the entropy pool fails to initialize because that makes it too easy to compromise the security of the process. Refs: https://hackerone.com/bugs?report_id=1690000 Refs: https://github.com/nodejs/node/pull/35093 Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de> PR-URL: #346 Backport-PR-URL: #351 CVE-ID: CVE-2022-35255 =================================================================== |
Ben Noordhuis <info@bnoordhuis.nl> | no | https://github.com/nodejs/node/commit/0c2a5723beff39d1f62daec96b5389da3d427e79 | 2022-09-11 | |
| cve-2022-43548.patch | commit 2b433af094fb79cf80f086038b7f36342cb6826f inspector: harden IP address validation again Use inet_pton() to parse IP addresses, which restricts IP addresses to a small number of well-defined formats. In particular, octal and hexadecimal number formats are not allowed, and neither are leading zeros. Also explicitly reject 0.0.0.0/8 and ::/128 as non-routable. Refs: https://hackerone.com/reports/1710652 CVE-ID: CVE-2022-43548 PR-URL: https://github.com/nodejs-private/node-private/pull/354 Reviewed-by: Michael Dawson <midawson@redhat.com> Reviewed-by: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-by: Rich Trott <rtrott@gmail.com> =================================================================== |
Tobias Nießen <tniessen@tnie.de> | no | 2022-09-25 | ||
| cve-llhttp.patch | Comment: This patch updates the embeded copy of llhttp from version 2.1.4 to 2.1.6, which is upstream's actual fix for CVE-2022-32213, CVE-2022-32214, CVE-2022-32215, CVE-2022-35256. Test cases are ported to use mustCall() to replace the later introduced mustSucceed(), to avoid pulling in too many dependent new test codes. References: * https://github.com/nodejs/node/commit/da0fda0fe81d372e24c0cb11aec37534985708dd * https://github.com/nodejs/node/commit/a9f1146b8827855e342834458a71f2367346ace0 |
no | 2023-01-05 | |||
| cve-2023-23920.patch | build: build ICU with ICU_NO_USER_DATA_OVERRIDE | RafaelGSS <rafael.nunu@hotmail.com> | yes | debian upstream | https://github.com/nodejs/node/commit/97a0443f1369e65cf656a529b2f5433bfd56ad92 | 2023-01-18 |
| 0027-CVE-2023-30589-http-disable-request-smuggling-via-em.patch | CVE-2023-30589 http: disable request smuggling via empty headers The llhttp parser in the http module does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC7230 section 3, only the CRLF sequence should delimit each header-field. origin-pull-429: https://github.com/nodejs-private/node-private/pull/429 origin-pull-427: https://github.com/nodejs-private/node-private/pull/427 |
Paolo Insogna <paolo@cowtech.it> | yes | upstream | 2023-06-13 | |
| 0028-CVE-2023-30590-Fix-documentation-and-clarify-API-cal.patch | CVE-2023-30590: Fix documentation and clarify API call for crypto.createDiffieHellman() The DiffieHellman class is an old and thin wrapper around certain OpenSSL functions, many of which are deprecated in OpenSSL 3.0. Because the Node.js API mirrors the OpenSSL API, it adopts some of its peculiarities, but the Node.js documentation does not properly reflect these. Most importantly, despite the documentation saying otherwise, diffieHellman.generateKeys() does not generate a new private key when one has already been set or generated. Based on the documentation alone, users may be led to misuse the API in a way that results in key reuse, which can have drastic negative consequences for subsequent operations that consume the shared secret. These design issues in this old API have been around for many years, and we are not currently aware of any misuse in the ecosystem that falls into the above scenario. Changing the behavior of the API would be a significant breaking change and is thus not appropriate for a security release (nor is it a goal.) The reported issue is treated as CWE-1068 (after a vast amount of uncertainty whether to treat it as a vulnerability at all), therefore, this change only updates the documentation to match the actual behavior. Tests are also added that demonstrate this particular oddity. Newer APIs exist that can be used for some, but not all, Diffie-Hellman operations (e.g., crypto.diffieHellman() that was added in 2020). We should keep modernizing crypto APIs, but that is a non-goal for this security release. The ECDH class mirrors the DiffieHellman class in many ways, but it does not appear to be affected by this particular peculiarity. In particular, ecdh.generateKeys() does appear to always generate a new private key. PR-URL: https://github.com/nodejs-private/node-private/pull/426 Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> CVE-ID: CVE-2023-30590 |
=?utf-8?q?Tobias_Nie=C3=9Fen?= <tobias.niessen@tuwien.ac.at> | no | 2023-06-12 | ||
| 0029-CVE-2023-32559-policy-disable-process.binding-when-e.patch | CVE-2023-32559: policy: disable process.binding() when enabled process.binding() can be used to trivially bypass restrictions imposed through a policy. Since the function is deprecated already, simply replace it with a stub when a policy is being enabled. |
=?utf-8?q?Tobias_Nie=C3=9Fen?= <tobias.niessen@tuwien.ac.at> | yes | upstream | https://github.com/nodejs-private/node-private/pull/459 | 2023-04-16 |
| 0030-CVE-2023-46809-crypto-disable-PKCS-1-padding-for-pri.patch | CVE-2023-46809 crypto: disable PKCS#1 padding for privateDecrypt Disable RSA_PKCS1_PADDING for crypto.privateDecrypt() in order to protect against the Marvin attack. Includes a security revert flag that can be used to restore support. |
Michael Dawson <midawson@redhat.com> | yes | upstream | backport, https://github.com/nodejs/node/commit/d3d357ab096884f10f5d2f164149727eea875635 | 2024-01-04 |
| 0031-CVE-2024-22019-http-add-maximum-chunk-extension-size.patch | CVE-2024-22019: http: add maximum chunk extension size | Paolo Insogna <paolo@cowtech.it> | yes | upstream | backport, https://github.com/nodejs/node/commit/911cb33cdadab57a75f97186290ea8f3903a6171.patch | 2024-01-09 |
| 0032-CVE-2024-22025-zlib-pause-stream-if-outgoing-buffer-.patch | CVE-2024-22025 zlib: pause stream if outgoing buffer is full A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fetch() function to retrieve content from an untrusted URL. The vulnerability stems from the fact that the fetch() function in Node.js always decodes Brotli, making it possible for an attacker to cause resource exhaustion when fetching content from an untrusted URL. An attacker controlling the URL passed into fetch() can exploit this vulnerability to exhaust memory, potentially leading to process termination, depending on the system configuration |
Matteo Collina <hello@matteocollina.com> | yes | upstream | backport, https://github.com/nodejs/node/commit/9052ef43dc2d1b0db340591a9bc9e45a25c01d90.patch | 2024-02-06 |
| 0033-CVE-2024-27982-http-do-not-allow-OBS-fold-in-headers.patch | CVE-2024-27982 http: do not allow OBS fold in headers by default The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first. |
Paolo Insogna <paolo@cowtech.it> | yes | upstream | backport, https://github.com/nodejs/node/commit/5d4d5848cf557fba6dc0bfdd020471ea607950ca.patch | 2024-03-15 |
| 0034-CVE-2024-27983-ensure-to-close-stream-when-destroyin.patch | CVE-2024-27983 ensure to close stream when destroying session | RafaelGSS <rafael.nunu@hotmail.com> | no | backport, https://github.com/nodejs/node/commit/0fb816dbccde955cd24acc1b16497a91fab507c8.patch | 2024-03-26 |