Wed Jun 21 15:13:43 2023 UTC ()

nodejs: updated to 20.3.1

Version 20.3.1 (Current)

This is a security release.

Notable Changes

The following CVEs are fixed in this release:

CVE-2023-30581: mainModule.__proto__ Bypass Experimental Policy Mechanism (High)
CVE-2023-30584: Path Traversal Bypass in Experimental Permission Model (High)
CVE-2023-30587: Bypass of Experimental Permission Model via Node.js Inspector (High)
CVE-2023-30582: Inadequate Permission Model Allows Unauthorized File Watching (Medium)
CVE-2023-30583: Bypass of Experimental Permission Model via fs.openAsBlob() (Medium)
CVE-2023-30585: Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (Medium)
CVE-2023-30586: Bypass of Experimental Permission Model via Arbitrary OpenSSL Engines (Medium)
CVE-2023-30588: Process interuption due to invalid Public Key information in x509 certificates (Medium)
CVE-2023-30589: HTTP Request Smuggling via Empty headers separated by CR (Medium)
CVE-2023-30590: DiffieHellman does not generate keys after setting a private key (Medium)
OpenSSL Security Releases
OpenSSL security advisory 28th March.
OpenSSL security advisory 20th April.
OpenSSL security advisory 30th May


(adam)

diff -r1.263 -r1.264 pkgsrc/lang/nodejs/Makefile
diff -r1.238 -r1.239 pkgsrc/lang/nodejs/distinfo

--- pkgsrc/lang/nodejs/Makefile 2023/06/13 15:45:55 1.263
+++ pkgsrc/lang/nodejs/Makefile 2023/06/21 15:13:43 1.264

 @@ -1,16 +1,16 @@
-# $NetBSD: Makefile,v 1.263 2023/06/13 15:45:55 adam Exp $
+# $NetBSD: Makefile,v 1.264 2023/06/21 15:13:43 adam Exp $
-DISTNAME=	node-v20.3.0
+DISTNAME=	node-v20.3.1
 EXTRACT_SUFX=	.tar.xz
 USE_LANGUAGES=	c gnu++17
 GCC_REQD+=	8
 TOOL_DEPENDS+=	${PYPKGPREFIX}-expat>=0:../../textproc/py-expat
 .include "../../mk/bsd.prefs.mk"
 # XXX: figure out a way to add rpaths to torque
 MAKE_ENV+=	LD_LIBRARY_PATH=${PREFIX}/lib
 CONFIGURE_ARGS+=	--shared-nghttp3

--- pkgsrc/lang/nodejs/distinfo 2023/06/13 15:45:55 1.238
+++ pkgsrc/lang/nodejs/distinfo 2023/06/21 15:13:43 1.239

 @@ -1,18 +1,18 @@
-$NetBSD: distinfo,v 1.238 2023/06/13 15:45:55 adam Exp $
+$NetBSD: distinfo,v 1.239 2023/06/21 15:13:43 adam Exp $
-BLAKE2s (node-v20.3.0.tar.xz) = e23700714d750a95b66d10c1bb9e5c8a0ab69a9705f46a629b1cc11729cfb367
+BLAKE2s (node-v20.3.1.tar.xz) = cc2a81bc263192de8c5e60ddbdb907df7b48b815378fe62c1f1ef88a2e9b5c5b
-SHA512 (node-v20.3.0.tar.xz) = 6aade4c1cc0ef8f47f403286d88099a3c0bf43f6e1e2b6d50e777eb9327fc1f0a8ba73c943306a431fd422fdda9017b1931bcb31c48badcfcadde8a260840d7c
+SHA512 (node-v20.3.1.tar.xz) = f9f7a3905aa05f9708d3dddcbbe8ad729db3a123ccbdbcade402c6faa6b36905239aca9ac19ca4ebb4682dde2c39058c58197f5015556ab2351f8035d35da5e1
-Size (node-v20.3.0.tar.xz) = 41709484 bytes
+Size (node-v20.3.1.tar.xz) = 41712208 bytes
 SHA1 (patch-common.gypi) = f50615affd26c2c7902d2112c8e9f2704c057b9c
 SHA1 (patch-deps_cares_cares.gyp) = 22b44f2ac59963f694dfe4f4585e08960b3dec32
 SHA1 (patch-deps_uv_common.gypi) = 29f0c382b68f77749a71ce39fa2ca37338ca18ec
 SHA1 (patch-deps_uvwasi_include_wasi__serdes.h) = 32b85ef5824b96b35aba9280bbe7aa7899d9e5cf
 SHA1 (patch-deps_v8_src_base_platform_memory.h) = 0921b5eeecfe03b774f85a15628c559901e7fea8
 SHA1 (patch-deps_v8_src_base_platform_platform-freebsd.cc) = b47025f33d2991275bbcd15dbabb28900afab0e1
 SHA1 (patch-deps_v8_src_base_platform_platform-openbsd.cc) = 5e593879dbab095f99e82593272a0de91043f9a8
 SHA1 (patch-deps_v8_src_base_platform_platform-posix.cc) = e797043e7fa1379f086ffe3a919e140260b0632e
 SHA1 (patch-deps_v8_src_base_platform_semaphore.cc) = 802a95f1b1d131e0d85c1f99c659cc68b31ba2f6
 SHA1 (patch-deps_v8_src_base_strings.h) = 4d2b37491f2f74f1a573f8c1942790204e23a8bb
 SHA1 (patch-deps_v8_src_codegen_arm_cpu-arm.cc) = 84c75d61bc99c2ff9adeac3152f5b11ebb0e582b
 SHA1 (patch-deps_v8_src_common_globals.h) = 86637724864389f2b24251904de41669a2f00fbc
 SHA1 (patch-deps_v8_src_compiler_types.h) = 2a212282ab9d71e98ae56827fdb1d9778a6047a5