From f797cf61a469416c0f0720f2ebfbaf7b4f198e1a Mon Sep 17 00:00:00 2001
From: nicolas guibourge
Date: Fri, 18 Mar 2022 17:05:13 -0700
Subject: [PATCH] Upgrade nodejs to 16.14.0 (#2485)
* upgrade nodejs to 16.14.0
* upgrade nodejs to 16.14.0
* upgrade nodejs to 16.14.0
* upgrade nodejs
Co-authored-by: Nicolas Guibourge
---
 SPECS/nodejs/clean-source-tarball.sh | 59 ++++++++++++++++++
 SPECS/nodejs/disable-tlsv1-tlsv1-1.patch | 42 +++++++++++++
 SPECS/nodejs/nodejs.signatures.json | 2 +-
 SPECS/nodejs/nodejs.spec | 78 +++++++++++++++++++-----
 SPECS/nodejs/patch_tls_nodejs14.patch | 20 ------
 cgmanifest.json | 4 +-
 6 files changed, 166 insertions(+), 39 deletions(-)
 create mode 100644 SPECS/nodejs/clean-source-tarball.sh
 create mode 100644 SPECS/nodejs/disable-tlsv1-tlsv1-1.patch
 delete mode 100644 SPECS/nodejs/patch_tls_nodejs14.patch
diff --git a/SPECS/nodejs/clean-source-tarball.sh b/SPECS/nodejs/clean-source-tarball.sh
new file mode 100644
index 00000000000..e3b35b9a353
--- /dev/null
+++ b/SPECS/nodejs/clean-source-tarball.sh
@@ -0,0 +1,59 @@
+#!/bin/bash
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+#
+# The nodejs source tarball contains a copy of the OpenSSL source tree.
+# OpenSSL contains patented algorithms that should not be distributed
+# as part of the SRPM. Since we use the shared OpenSSL libraries, we
+# can just remove the entire OpenSSL source tree from the tarball.
+
+print_usage() {
+ echo "Usage:"
+ echo "clean-source-tarball.sh {version}"
+ echo "Example: clean-source-tarball.sh 14.18.1"
+ echo
+ exit
+}
+
+VERSION=$1
+
+if [ -z "$1" ]; then
+ print_usage
+fi
+
+
+# Quit on failure
+set -e
+
+namever="node-v${VERSION}"
+upstream_tarball_name="${namever}.tar.xz"
+clean_tarball_name="${namever}-clean.tar.xz"
+download_url="https://nodejs.org/download/release/v${VERSION}/${upstream_tarball_name}"
+
+tmpdir=$(mktemp -d)
+echo "Using temporary directory: $tmpdir"
+pushd $tmpdir > /dev/null
+
+echo "Downloading upstream source tarball..."
+curl -s -O $download_url
+
+echo "Unpacking upstream source tarball..."
+tar -xf $upstream_tarball_name
+
+echo "Removing bad vendored dependencies from source tree..."
+rm -rf ./$namever/deps/openssl/openssl
+
+# Create a reproducible tarball
+# Credit to https://reproducible-builds.org/docs/archives/ for instructions
+# Do not update mtime value for new versions- keep the same value for ease of
+# reproducing old tarball versions in the future if necessary
+echo "Repacking source tarball..."
+tar --sort=name --mtime="2021-11-10 00:00Z" \
+ --owner=0 --group=0 --numeric-owner \
+ --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \
+ -cJf $clean_tarball_name ./$namever
+
+popd > /dev/null
+cp "${tmpdir}/${clean_tarball_name}" .
+echo "Clean nodejs source tarball available at $PWD/$clean_tarball_name"
+rm -rf $tmpdir
diff --git a/SPECS/nodejs/disable-tlsv1-tlsv1-1.patch b/SPECS/nodejs/disable-tlsv1-tlsv1-1.patch
new file mode 100644
index 00000000000..0a40760b4f7
--- /dev/null
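Review bot: `curl -s -O $download_url` fetches the upstream tarball with no integrity check, so the repacked "clean" tarball, and whatever hash is later pinned for it, inherits only the trust of that single TLS download at the time the script ran. Node publishes `SHASUMS256.txt` (and a detached signature for it) next to every release; fetching it and running `grep " ${upstream_tarball_name}$" SHASUMS256.txt | sha256sum -c -` before `tar -xf` would tie the cleaned artifact back to upstream's published digest. Separately, `-s` without `--fail` means an HTTP error page is written to disk with exit status 0, so `set -e` does not stop the script until `tar` fails on the bogus file; `curl -sSf -O "$download_url"` fails fast and still reports the error. `print_usage` also exits 0 on a missing argument, which hides the failure from callers (`exit 1`), and quoting `"$tmpdir"`, `"$upstream_tarball_name"` and `"./$namever/deps/openssl/openssl"` would keep the `rm -rf` safe if `VERSION` ever contains whitespace.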
+++ b/SPECS/nodejs/disable-tlsv1-tlsv1-1.patch
@@ -0,0 +1,42 @@
+diff -ru node-v16.14.0-orig/src/crypto/crypto_context.cc node-v16.14.0/src/crypto/crypto_context.cc
+--- node-v16.14.0-orig/src/crypto/crypto_context.cc 2022-02-08 04:37:50.000000000 -0800
++++ node-v16.14.0/src/crypto/crypto_context.cc 2022-02-25 09:17:21.964960342 -0800
+@@ -467,28 +467,16 @@
+ min_version = 0;
+ max_version = kMaxSupportedVersion;
+ method = TLS_client_method();
+- } else if (sslmethod == "TLSv1_method") {
+- min_version = TLS1_VERSION;
+- max_version = TLS1_VERSION;
+- } else if (sslmethod == "TLSv1_server_method") {
+- min_version = TLS1_VERSION;
+- max_version = TLS1_VERSION;
+- method = TLS_server_method();
+- } else if (sslmethod == "TLSv1_client_method") {
+- min_version = TLS1_VERSION;
+- max_version = TLS1_VERSION;
+- method = TLS_client_method();
+- } else if (sslmethod == "TLSv1_1_method") {
+- min_version = TLS1_1_VERSION;
+- max_version = TLS1_1_VERSION;
+- } else if (sslmethod == "TLSv1_1_server_method") {
+- min_version = TLS1_1_VERSION;
+- max_version = TLS1_1_VERSION;
+- method = TLS_server_method();
+- } else if (sslmethod == "TLSv1_1_client_method") {
+- min_version = TLS1_1_VERSION;
+- max_version = TLS1_1_VERSION;
+- method = TLS_client_method();
++ } else if (sslmethod == "TLSv1_method" ||
++ sslmethod == "TLSv1_server_method" ||
++ sslmethod == "TLSv1_client_method") {
++ THROW_ERR_TLS_INVALID_PROTOCOL_METHOD(env, "TLSv1 methods disabled");
++ return;
++ } else if (sslmethod == "TLSv1_1_method" ||
++ sslmethod == "TLSv1_1_server_method" ||
++ sslmethod == "TLSv1_1_client_method") {
++ THROW_ERR_TLS_INVALID_PROTOCOL_METHOD(env, "TLSv1_1 methods disabled");
++ return;
+ } else if (sslmethod == "TLSv1_2_method") {
+ min_version = TLS1_2_VERSION;
+ max_version = TLS1_2_VERSION;
diff --git a/SPECS/nodejs/nodejs.signatures.json b/SPECS/nodejs/nodejs.signatures.json
index 3a0aa1d51de..ffa3ce72429 100644
--- a/SPECS/nodejs/nodejs.signatures.json
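Review bot: The new patch only rejects the explicit `secureProtocol` names (`TLSv1_method`, `TLSv1_1_method` and their client/server variants) in the `sslmethod` chain; the other way a caller appears to reach TLS 1.0/1.1 in this function, the `min_version` taken from the `minVersion` option (and from `--tls-min-v1.0`/`--tls-min-v1.1`), is set before this chain and lies outside the hunk, so it is untouched. If the goal is a hard distribution-level floor, that path needs the same treatment, or the spec should state that the shared OpenSSL's system configuration is what actually enforces it, which is what the deleted patch's `TLS1 and TSL1.1 are disabled in openssl` comment implied. The patch file also has no preamble explaining its purpose; a sentence before the `diff -ru` line such as `Reject TLS 1.0/1.1 secureProtocol values with a clear ERR_TLS_INVALID_PROTOCOL_METHOD instead of letting them reach an OpenSSL build that has those versions disabled.` would help the next rebase. Consider making the error text actionable too, e.g. `"TLSv1 methods disabled; use TLSv1_2_method or later"`.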
+++ b/SPECS/nodejs/nodejs.signatures.json
@@ -1,5 +1,5 @@
 {
 "Signatures": {
- "node-v14.17.2.tar.xz": "4f5fb2b87e2255da3b200ed73ab076002e4b088df0027ec85e25541a6830583e"
+ "node-v16.14.0.tar.xz": "6dc499ca9cb9d3f4fa1c08730ce39fc9caafdac1bb5a2f2384389c0072931bba"
 }
 }
\ No newline at end of file
diff --git a/SPECS/nodejs/nodejs.spec b/SPECS/nodejs/nodejs.spec
index 82994dd2dd0..43af3b9c22e 100644
--- a/SPECS/nodejs/nodejs.spec
+++ b/SPECS/nodejs/nodejs.spec
@@ -1,56 +1,91 @@
 # Retrieved from 'deps/npm/package.json' inside the sources tarball.
-%define npm_version 6.14.13
+%define npm_version 8.3.1
 Summary: A JavaScript runtime built on Chrome's V8 JavaScript engine.
 Name: nodejs
 # WARNINGS: MUST check and update the 'npm_version' macro for every version update of this package.
 # The version of NPM can be found inside the sources under 'deps/npm/package.json'.
-Version: 14.17.2
-Release: 2%{?dist}
+Version: 16.14.0
+Release: 1%{?dist}
 License: BSD and MIT and Public Domain and naist-2003
 Group: Applications/System
 Vendor: Microsoft Corporation
 Distribution: Mariner
 URL: https://github.com/nodejs/node
+# !!!! Nodejs code has a vendored version of OpenSSL code that must be removed from source tarball
+# !!!! because it contains patented algorithms.
+# !!! => use clean-source-tarball.sh script to create a clean and reproducible source tarball.
 Source0: https://nodejs.org/download/release/v%{version}/node-v%{version}.tar.xz
-Patch0: patch_tls_nodejs14.patch
-
-BuildRequires: coreutils >= 8.22, openssl-devel >= 1.0.1
+Patch0: disable-tlsv1-tlsv1-1.patch
+
+BuildRequires: brotli-devel
+BuildRequires: coreutils >= 8.22
+BuildRequires: gcc
+BuildRequires: make
+BuildRequires: ninja-build
+BuildRequires: openssl-devel >= 1.1.1
 BuildRequires: python3
 BuildRequires: which
+BuildRequires: zlib-devel
+
+Requires: brotli
 Requires: coreutils >= 8.22
-Requires: openssl >= 1.0.1
+Requires: openssl >= 1.1.1
 Requires: python3
 Provides: npm = %{npm_version}.%{version}-%{release}
 %description
-Node.js is a JavaScript runtime built on Chrome's V8 JavaScript engine. Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient. The Node.js package ecosystem, npm, is the largest ecosystem of open source libraries in the world.
+Node.js is a JavaScript runtime built on Chrome's V8 JavaScript engine.
+Node.js uses an event-driven, non-blocking I/O model that makes it lightweight and efficient.
+The Node.js package ecosystem, npm, is the largest ecosystem of open source libraries in the world.
 %package devel
 Summary: Development files node
 Group: System Environment/Base
 Requires: %{name} = %{version}-%{release}
+Requires: brotli-devel
+Requires: openssl-devel >= 1.1.1
+Requires: zlib-devel
 %description devel
 The nodejs-devel package contains libraries, header files and documentation for developing applications that use nodejs.
 %prep
-%setup -q -n node-v%{version}
-%patch0 -p1
+%autosetup -p1 -n node-v%{version}
 %build
-sh configure --prefix=%{_prefix} \
- --shared-openssl \
- --shared-zlib
-
-make %{?_smp_mflags}
+# remove unsupported TLSv1.3 cipher:
+# Mariner's OpenSSL configuration does not allow for this TLSv1.3
+# cipher. OpenSSL does not like being asked to use TLSv1.3 ciphers
+# it doesn't support (despite being fine processing similar cipher
+# requests for TLS < 1.3). This cipher's presence in the default
+# cipher list causes failures when initializing secure contexts
+# in the context of Node's TLS library.
+sed -i '/TLS_CHACHA20_POLY1305_SHA256/d' ./src/node_constants.h
+
+# remove brotli and zlib source code from deps folder
+# keep the .gyp and .gypi files that are still used during configuration
+find deps/zlib -name *.[ch] -delete
+find deps/brotli -name *.[ch] -delete
+
+python3 configure.py \
+ --prefix=%{_prefix} \
+ --ninja \
+ --shared-openssl \
+ --shared-zlib \
+ --shared-brotli \
+ --with-intl=small-icu \
+ --with-icu-source=deps/icu-small \
+ --without-dtrace \
+ --openssl-use-def-ca-store
+
+JOBS=4 make %{?_smp_mflags} V=0
 %install
 make %{?_smp_mflags} install DESTDIR=$RPM_BUILD_ROOT
-rm -fr %{buildroot}%{_libdir}/dtrace/ # No systemtap support.
 install -m 755 -d %{buildroot}%{_libdir}/node_modules/
 install -m 755 -d %{buildroot}%{_datadir}/%{name}
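Review bot: `Source0` still names the upstream `node-v%{version}.tar.xz`, while the new `!!!!` comment directly above it and clean-source-tarball.sh say the SRPM must be built from `node-v%{version}-clean.tar.xz`; the spec, nodejs.signatures.json and cgmanifest.json all pin the upstream filename, so a reader cannot tell whether the recorded hash is of the cleaned tarball or of the upstream one, and a build that picks up a fresh upstream download would appear to ship the vendored OpenSSL tree the comment says must not be distributed. Naming the artifact that is actually used, e.g. `Source0: https://nodejs.org/download/release/v%{version}/node-v%{version}-clean.tar.xz` together with `# Hash in nodejs.signatures.json is of the tarball produced by clean-source-tarball.sh, not the upstream one.`, would remove the ambiguity. In `%build`, `sed -i '/TLS_CHACHA20_POLY1305_SHA256/d' ./src/node_constants.h` succeeds with no effect if that line moves or is renamed in a later Node release, quietly reinstating the cipher the comment says breaks secure-context initialization; a `grep -q TLS_CHACHA20_POLY1305_SHA256 src/node_constants.h` guard before the sed (or carrying the change as a real `Patch`) would fail loudly instead. The `find deps/zlib -name *.[ch] -delete` globs are unquoted and should be `'*.[ch]'` so the shell cannot expand them against the build directory first.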
@@ -80,6 +115,17 @@ make cctest
 %{_datadir}/systemtap/tapset/node.stp
 %changelog
+* Thu Feb 24 2022 Nicolas Guibourge - 16.14.0-1
+- Upgrade to 16.14.0.
+* Thu Nov 18 2021 Thomas Crain - 14.18.1-1
+- Update to version 14.18.1 to fix CVE-2021-22959, CVE-2021-22960, CVE-2021-37701,
+ CVE-2021-37712, CVE-2021-37713, CVE-2021-39134, CVE-2021-39135
+- Add patch to remove problematic cipher from default list
+- Add config flag to use OpenSSL cert store instead of built-in Mozilla certs
+- Add script to remove vendored OpenSSL tree from source tarball
+- Update required OpenSSL version to 1.1.1
+- Use python configure script directly
+- Lint spec
 * Thu Sep 23 2021 Pawel Winogrodzki - 14.17.2-2
 - Adding 'Provides' for 'npm'.
 * Mon Jul 19 2021 Neha Agarwal - 14.17.2-1
diff --git a/SPECS/nodejs/patch_tls_nodejs14.patch b/SPECS/nodejs/patch_tls_nodejs14.patch
deleted file mode 100644
index 4122d58b19e..00000000000
--- a/SPECS/nodejs/patch_tls_nodejs14.patch
+++ /dev/null
@@ -1,20 +0,0 @@
-diff -Naur a/src/node_crypto.cc b/src/node_crypto.cc
---- a/src/node_crypto.cc 2021-05-11 11:47:49.000000000 -0700
-+++ b/src/node_crypto.cc 2021-06-07 15:35:30.941141552 -0700
-@@ -604,6 +604,8 @@
- min_version = 0;
- max_version = MAX_SUPPORTED_VERSION;
- method = TLS_client_method();
-+// TLS1 and TSL1.1 are disabled in openssl
-+#if 0
- } else if (sslmethod == "TLSv1_method") {
- min_version = TLS1_VERSION;
- max_version = TLS1_VERSION;
-@@ -626,6 +628,7 @@
- min_version = TLS1_1_VERSION;
- max_version = TLS1_1_VERSION;
- method = TLS_client_method();
-+#endif
- } else if (sslmethod == "TLSv1_2_method") {
- min_version = TLS1_2_VERSION;
- max_version = TLS1_2_VERSION;
diff --git a/cgmanifest.json b/cgmanifest.json
index de4aa175885..649ad11b787 100644
--- a/cgmanifest.json
+++ b/cgmanifest.json
@@ -14463,8 +14463,8 @@
 "type": "other",
 "other": {
 "name": "nodejs",
- "version": "14.17.2",
- "downloadUrl": "https://nodejs.org/download/release/v14.17.2/node-v14.17.2.tar.xz"
+ "version": "16.14.0",
+ "downloadUrl": "https://nodejs.org/download/release/v16.14.0/node-v16.14.0.tar.xz"
 }
 }
 },