package/nodejs: security bump to v20.15.1

Release Notes: https://nodejs.org/en/blog/release/v20.15.1 Fixes the following CVE's: CVE-2024-36138 - Bypass incomplete fix of CVE-2024-27980 (High) CVE-2024-22020 - Bypass network import restriction via data URL (Medium) CVE-2024-22018 - fs.lstat bypasses permission model (Low) CVE-2024-36137 - fs.fchown/fchmod bypasses permission model (Low) CVE-2024-37372 - Permission model improperly processes UNC paths (Low) Also these additional CVE's were fixed in the v20.12.1 and v20.12.2 releases [1][2]: CVE-2024-27983 - Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash- (High) CVE-2024-27982 - HTTP Request Smuggling via Content Length Obfuscation - (Medium) CVE-2024-27980 - Command injection via args parameter of child_process.spawn without shell option enabled on Windows NodeJS tests are passing: $ ./support/testing/run-tests -o ./outputs/ -k tests.package.test_nodejs -d dl 12:02:58 TestNodeJSModuleHostSrc Starting 12:02:58 TestNodeJSModuleHostSrc Building 13:17:15 TestNodeJSModuleHostSrc Building done 13:17:23 TestNodeJSModuleHostSrc Cleaning up .13:17:23 TestNodeJSModuleHostBin Starting 13:17:23 TestNodeJSModuleHostBin Building 14:06:15 TestNodeJSModuleHostBin Building done 14:06:20 TestNodeJSModuleHostBin Cleaning up .14:06:20 TestNodeJSBasic Starting 14:06:20 TestNodeJSBasic Building 14:55:40 TestNodeJSBasic Building done 14:55:45 TestNodeJSBasic Cleaning up LICENSE hash changed due to changes in vendored components: * copyright year update and adding spdx identifier [1] [1] https://nodejs.org/en/blog/release/v20.12.1 [2] https://nodejs.org/en/blog/release/v20.12.2 [3] nodejs/node@d5a316f Signed-off-by: Marcus Hoffmann <[email protected]> Signed-off-by: Thomas Petazzoni <[email protected]>
home-assistant · Jul 16, 2024 · bffb6a2 · bffb6a2
1 parent a4a1e36
commit bffb6a2
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 8 deletions.
diff --git a/package/nodejs/nodejs.hash b/package/nodejs/nodejs.hash
@@ -1,8 +1,8 @@
-# From https://nodejs.org/dist/v20.12.0/SHASUMS256.txt.asc
-sha256  007ca2699cf6e84290e5bed844ed66ef9d707d23561dfaf117212b7dce216ba7  node-v20.12.0-linux-arm64.tar.xz
-sha256  668fb421a24be596c98f00a31049fbf6ada14d221b7382e0f1caa55ab421431a  node-v20.12.0-linux-armv7l.tar.xz
-sha256  78dc3b7ad993c332684802e35c1f0de2b76193d13394bc89e3bab216828587c7  node-v20.12.0-linux-ppc64le.tar.xz
-sha256  0a126adf5b6a5eb11a37bad76a0c626a18f20b6811322e68aae0e3cf9bf580bd  node-v20.12.0-linux-x64.tar.xz
-sha256  76e5346cebfd581528f699f764f4d1a6e87cb818b696708f235ddcb625a0f78d  node-v20.12.0.tar.xz
+# From https://nodejs.org/dist/v20.15.1/SHASUMS256.txt.asc
+sha256  10d47a46ef208b3e4b226e4d595a82659123b22397ed77b7975d989114ec317e  node-v20.15.1-linux-arm64.tar.xz
+sha256  7bc120efdd8018f6915471b963d9b80adf4ed406d6dc9edb4ae944b85f505c4c  node-v20.15.1-linux-armv7l.tar.xz
+sha256  b33e684802251397ad62ad3f8a1836267ee8b7723f87f669470018ad0035287b  node-v20.15.1-linux-ppc64le.tar.xz
+sha256  26700f8d3e78112ad4a2618a9c8e2816e38a49ecf0213ece80e54c38cb02563f  node-v20.15.1-linux-x64.tar.xz
+sha256  fdd53a5729d936691a2a1151046fb4897721cb8b0fca2af957823a9b40fe0c34  node-v20.15.1.tar.xz
 # Locally calculated
-sha256  d3a9fbfe0a1fb78627ee296cd5ca5b498822d4d1c5da3b8e8100c41bd7b791fd  LICENSE
+sha256  49cd410e0fe6a8879a40d0764092d1e6114cc85fe41d4efed990d028eec25582  LICENSE
diff --git a/package/nodejs/nodejs.mk b/package/nodejs/nodejs.mk
@@ -5,7 +5,7 @@
 ################################################################################
 
 # _VERSION, _SOURCE and _SITE must be kept empty to avoid downloading anything
-NODEJS_COMMON_VERSION = 20.12.0
+NODEJS_COMMON_VERSION = 20.15.1
 NODEJS_COMMON_SOURCE = node-v$(NODEJS_COMMON_VERSION).tar.xz
 NODEJS_COMMON_SITE = http://nodejs.org/dist/v$(NODEJS_COMMON_VERSION)