Hello community,

here is the log from the commit of package nodejs for openSUSE:Factory checked in at 2015-10-19 22:52:44
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/nodejs (Old)
 and      /work/SRC/openSUSE:Factory/.nodejs.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "nodejs" Changes: -------- --- /work/SRC/openSUSE:Factory/nodejs/nodejs.changes 2015-09-17 09:18:47.000000000 +0200 +++ /work/SRC/openSUSE:Factory/.nodejs.new/nodejs.changes 2015-10-20 00:06:46.000000000 +0200 
@@ -1,0 +2,95 @@ +Sat Oct 17 17:43:19 UTC 2015 - i...@marguerite.su + +- fixed boo#948602/CVE-2015-7384: + * nodejs: HTTP Denial of Service Vulnerability +- drop nodejs-no-fips.patch, upstreamed +- update to 4.2.1 + * Includes fixes for two regressions + + Assertion error in WeakCallback + + Undefined timeout regression +- changes in 4.2.0 + * icu: Updated to version 56 with significant performance + improvements + * node: + + Added new -c (or --check) command line argument for checking + script syntax without executing the code + + Added process.versions.icu to hold the current ICU library + version + + Added process.release.lts to hold the current LTS codename + when the binary is from an active LTS release line + * npm: Upgraded to npm 2.14.7 from 2.14.4 +- changes in 4.1.2 + * http: + + Fix out-of-order 'finish' event bug in pipelining that can + abort execution, fixes DoS vulnerability CVE-2015-7384 + + Account for pending response data instead of just the data + on the current request to decide whether pause the socket + or not + + libuv: Upgraded from v1.7.4 to v1.7.5 + + Improved AIX support + * v8: + + Upgraded from v4.5.103.33 to v4.5.103.35 + + Backported f782159 from v8's upstream to help speed up Promise + introspection + + Backported c281c15 from v8's upstream to add JSTypedArray + length in post-mortem metadata +- changes in 4.1.1 + * buffer: Fixed a bug introduced in v4.1.0 where allocating a new + zero-length buffer can result in the next allocation of a + TypedArray in JavaScript not being zero-filled. In certain + circumstances this could result in data leakage via reuse of + memory space in TypedArrays, breaking the normally safe assumption + that TypedArrays should be always zero-filled. + * http: Guard against response-splitting of HTTP trailing headers + added via response.addTrailers() by removing new-line ([\r\n]) + characters from values. Note that standard header values are + already stripped of new-line characters. 
The expected security + impact is low because trailing headers are rarely used. + * npm: + + Upgrade to npm 2.14.4 from 2.14.3 + + Upgrades graceful-fs on multiple dependencies to no longer + rely on monkey-patching fs + + Fix npm link for pre-release / RC builds of Node + * v8: + + Update post-mortem metadata to allow post-mortem debugging + tools to find and inspect: + + JavaScript objects that use dictionary properties ScopeInfo + and thus closures +- changes in 4.1.0 + * buffer: + + Buffers are now created in JavaScript, rather than C++. + This increases the speed of buffer creation + + Buffer#slice() now uses Uint8Array#subarray() internally, + increasing slice() performance + * fs: + + fs.utimes() now properly converts numeric strings, NaN, + and Infinity + + fs.WriteStream now implements _writev, allowing for + super-fast bulk writes + * http: Fixed an issue with certain write() sizes causing errors + when using http.request() + * npm: Upgrade to version 2.14.3 + * src: V8 cpu profiling no longer erroneously shows idle time + * timers: #ref() and #unref() now return the timer they belong to + * v8: Lateral upgrade to 4.5.103.33 from 4.5.103.30, contains minor + fixes. This fixes a previously known bug where some computed + object shorthand properties did not work correctly. + +------------------------------------------------------------------- +Fri Oct 2 13:14:03 UTC 2015 - devel...@develop7.info + +- replace node-no-fips.patch with upstream fix + +------------------------------------------------------------------- +Fri Oct 2 02:47:28 UTC 2015 - i...@marguerite.su + +- fix build by using internal openssl for openSUSE <= 1320 + which didn't provide openssl 1.0.2 +- install missing addon-rpm.gypi (boo#948045) + +------------------------------------------------------------------- +Tue Sep 29 04:46:20 UTC 2015 - meiss...@suse.com + +- Do not force enable FIPS mode. 
bsc#947747 + +------------------------------------------------------------------- Old: ---- node-v4.0.0.tar.xz New: ---- node-v4.2.1.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ nodejs.spec ++++++ --- /var/tmp/diff_new_pack.5nclu9/_old 2015-10-20 00:06:47.000000000 +0200 +++ /var/tmp/diff_new_pack.5nclu9/_new 2015-10-20 00:06:47.000000000 +0200 @@ -17,7 +17,7 @@ Name: nodejs -Version: 4.0.0 +Version: 4.2.1 Release: 0 Summary: Evented I/O for V8 JavaScript License: MIT @@ -85,9 +85,9 @@ Summary: Package manager for Node.js (Bundled) Group: Development/Languages/NodeJS Requires: %{name} = %{version} -Provides: npm = 2.11.4 -Obsoletes: npm < 2.11.4 -Provides: npm(npm) = 2.11.4 +Provides: npm = 2.14.7 +Obsoletes: npm < 2.14.7 +Provides: npm(npm) = 2.14.7 Conflicts: otherproviders(npm(npm)) %description npm @@ -106,9 +106,13 @@ # We only delete the source and header files, because # the remaining build scripts are still used. ###for dir in v8 openssl zlib; do +%if 0%{?suse_version} > 1320 for dir in openssl zlib; do find deps/$dir -name *.[ch] -delete done +%else +find deps/zlib -name *.[ch] -delete +%endif %build # percent-configure pulls in something that confuses node's configure @@ -117,7 +121,9 @@ export CXXFLAGS="%{optflags}" ./configure \ --prefix=%{_prefix} \ +%if 0%{?suse_version} > 1320 --shared-openssl \ +%endif --shared-zlib \ %ifarch aarch64 --dest-cpu=arm64 \ 
@@ -149,7 +155,10 @@ #node-gyp needs common.gypi too mkdir -p %{buildroot}%{_datadir}/node -cp -p common.gypi %{buildroot}%{_datadir}/node +install -m 644 common.gypi %{buildroot}%{_datadir}/node + +# install addon-rpm.gypi +install -m 644 addon-rpm.gypi %{buildroot}%{_datadir}/node # Documentation install -d %{buildroot}%{_docdir}/%{name} ++++++ node-v4.0.0.tar.xz -> node-v4.2.1.tar.xz ++++++ /work/SRC/openSUSE:Factory/nodejs/node-v4.0.0.tar.xz /work/SRC/openSUSE:Factory/.nodejs.new/node-v4.2.1.tar.xz differ: char 26, line 1 ++++++ support-arm64-build.patch ++++++ --- /var/tmp/diff_new_pack.5nclu9/_old 2015-10-20 00:06:47.000000000 +0200 +++ /var/tmp/diff_new_pack.5nclu9/_new 2015-10-20 00:06:47.000000000 +0200 @@ -1,8 +1,8 @@ -Index: node-v4.0.0/Makefile +Index: node-v4.2.1/Makefile =================================================================== ---- node-v4.0.0.orig/Makefile -+++ node-v4.0.0/Makefile -@@ -270,6 +270,9 @@ else +--- node-v4.2.1.orig/Makefile ++++ node-v4.2.1/Makefile +@@ -272,6 +272,9 @@ else ifeq ($(DESTCPU),arm) ARCH=arm else @@ -12,7 +12,7 @@ ifeq ($(DESTCPU),ppc64) ARCH=ppc64 else -@@ -280,6 +283,7 @@ ARCH=x86 +@@ -282,6 +285,7 @@ ARCH=x86 endif endif endif @@ -20,15 +20,15 @@ endif # enforce "x86" over "ia32" as the generally accepted way of referring to 32-bit intel -Index: node-v4.0.0/configure +Index: node-v4.2.1/configure =================================================================== ---- node-v4.0.0.orig/configure -+++ node-v4.0.0/configure -@@ -560,6 +560,7 @@ def host_arch_cc(): +--- node-v4.2.1.orig/configure ++++ node-v4.2.1/configure +@@ -580,6 +580,7 @@ def host_arch_cc(): '__aarch64__' : 'arm64', '__arm__' : 'arm', '__i386__' : 'ia32', + '__aarch64__' : 'arm64', + '__MIPSEL__' : 'mipsel', '__mips__' : 'mips', '__PPC64__' : 'ppc64', - '__PPC__' : 'ppc',
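Review bot: The FIPS patch is named two ways in the nodejs.changes hunk: the Oct 17 entry drops "nodejs-no-fips.patch" while the Oct 2 entry replaces "node-no-fips.patch". Use the file's real name in both entries so the history of the FIPS change tracked as bsc#947747 can be followed. In the 4.1.2 block, the libuv upgrade and "Improved AIX support" are nested under "* http:" and read as if they were HTTP changes; they would be clearer under their own "* libuv:" bullet.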
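Review bot: The npm version is a literal repeated three times in the Provides/Obsoletes lines of the nodejs.spec hunk at -85,9 +85,9, and nothing ties it to the npm actually bundled in node-v4.2.1.tar.xz. Define it once in a macro near the top of the spec and reference that macro in all three lines, so a tarball bump cannot leave the package advertising a stale npm version to dependency resolution.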
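Review bot: The glob in the added line "find deps/zlib -name *.[ch] -delete" (nodejs.spec hunk at -106,9 +106,13) is unquoted, as it already is in the existing loop, so the shell expands it before find runs whenever a .c or .h file exists in the current directory, and the bundled sources may then not be deleted as intended. Quote the pattern as -name '*.[ch]' in both branches of the %if.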
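Review bot: Wrapping --shared-openssl in "%if 0%{?suse_version} > 1320" (nodejs.spec hunk at -117,7 +121,9) means builds for suse_version <= 1320 link Node's bundled OpenSSL, and the spec carries no comment recording this. Those builds will not pick up fixes from the distribution's openssl package, so add a comment next to the conditional stating that the package has to be rebuilt against a new Node tarball for OpenSSL security fixes on those targets, and that the conditional should go once they provide openssl 1.0.2.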
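Review bot: In the configure hunk of support-arm64-build.patch (-580,6 +580,7) the context already begins with '__aarch64__' : 'arm64', and the patch still adds the same key again after '__i386__', leaving a duplicate entry in the dictionary in host_arch_cc(). The value is identical, so behaviour does not change, but the addition looks redundant after the rebase to 4.2.1; drop the configure part of the patch and keep only the Makefile hunks.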