* [Buildroot] [git commit] package/nodejs: security bump to version 12.22.6
@ 2021-09-18 17:42 Yann E. MORIN
2021-09-29 15:08 ` Peter Korsgaard
0 siblings, 1 reply; 2+ messages in thread
From: Yann E. MORIN @ 2021-09-18 17:42 UTC (permalink / raw)
To: buildroot
commit: https://git.buildroot.net/buildroot/commit/?id=e3bdcdd596f916458f86aafc628608ba977d953f
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
Fixes the following security issues:
- CVE-2021-37701: Arbitrary File Creation/Overwrite via insufficient symlink
protection due to directory cache poisoning using symbolic links
- CVE-2021-37712: Arbitrary File Creation/Overwrite via insufficient symlink
protection due to directory cache poisoning using symbolic links
- CVE-2021-37713: Arbitrary File Creation/Overwrite on Windows via
insufficient relative path sanitization
- CVE-2021-39134: UNIX Symbolic Link (Symlink) Following in @npmcli/arborist
- CVE-2021-39135: UNIX Symbolic Link (Symlink) Following in @npmcli/arborist
For more details, see the advisory:
https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases2/
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
---
package/nodejs/nodejs.hash | 4 ++--
package/nodejs/nodejs.mk | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/package/nodejs/nodejs.hash b/package/nodejs/nodejs.hash
index 1552e937b7..8d39ef489d 100644
--- a/package/nodejs/nodejs.hash
+++ b/package/nodejs/nodejs.hash
@@ -1,5 +1,5 @@
-# From https://nodejs.org/dist/v12.22.5/SHASUMS256.txt
-sha256 f927ff6c2ac5a7234596031b18ba03febbcadd2650d375f1a3fd02426687fd14 node-v12.22.5.tar.xz
+# From https://nodejs.org/dist/v12.22.6/SHASUMS256.txt
+sha256 c2022f16b8f689620c3472c2b5261fdabbd0ab976bf9ac3b7db6747a2e9b0f7a node-v12.22.6.tar.xz
# Hash for license file
sha256 221417a7ca275112a5ac54639b36ee3c5184e74631ea1e1b01b701293b655190 LICENSE
diff --git a/package/nodejs/nodejs.mk b/package/nodejs/nodejs.mk
index 39099b53dc..38e8936986 100644
--- a/package/nodejs/nodejs.mk
+++ b/package/nodejs/nodejs.mk
@@ -4,7 +4,7 @@
#
################################################################################
-NODEJS_VERSION = 12.22.5
+NODEJS_VERSION = 12.22.6
NODEJS_SOURCE = node-v$(NODEJS_VERSION).tar.xz
NODEJS_SITE = http://nodejs.org/dist/v$(NODEJS_VERSION)
NODEJS_DEPENDENCIES = host-python host-nodejs c-ares \
_______________________________________________
buildroot mailing list
buildroot@lists.buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [Buildroot] [git commit] package/nodejs: security bump to version 12.22.6
2021-09-18 17:42 [Buildroot] [git commit] package/nodejs: security bump to version 12.22.6 Yann E. MORIN
@ 2021-09-29 15:08 ` Peter Korsgaard
0 siblings, 0 replies; 2+ messages in thread
From: Peter Korsgaard @ 2021-09-29 15:08 UTC (permalink / raw)
To: Yann E. MORIN; +Cc: buildroot
>>>>> "Yann" == Yann E MORIN <yann.morin.1998@free.fr> writes:
> commit: https://git.buildroot.net/buildroot/commit/?id=e3bdcdd596f916458f86aafc628608ba977d953f
> branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
> Fixes the following security issues:
> - CVE-2021-37701: Arbitrary File Creation/Overwrite via insufficient symlink
> protection due to directory cache poisoning using symbolic links
> - CVE-2021-37712: Arbitrary File Creation/Overwrite via insufficient symlink
> protection due to directory cache poisoning using symbolic links
> - CVE-2021-37713: Arbitrary File Creation/Overwrite on Windows via
> insufficient relative path sanitization
> - CVE-2021-39134: UNIX Symbolic Link (Symlink) Following in @npmcli/arborist
> - CVE-2021-39135: UNIX Symbolic Link (Symlink) Following in @npmcli/arborist
> For more details, see the advisory:
> https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases2/
> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
> Signed-off-by: Yann E. MORIN <yann.morin.1998@free.fr>
Committed to 2021.02.x, 2021.05.x and 2021.08.x, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2021-09-29 15:15 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-09-18 17:42 [Buildroot] [git commit] package/nodejs: security bump to version 12.22.6 Yann E. MORIN
2021-09-29 15:08 ` Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.