Index: dns/c-ares/Makefile =================================================================== --- dns/c-ares/Makefile +++ dns/c-ares/Makefile @@ -1,7 +1,7 @@ # Created by: roam@FreeBSD.org PORTNAME= c-ares -PORTVERSION= 1.17.1 +PORTVERSION= 1.17.2 CATEGORIES= dns MASTER_SITES= https://c-ares.haxx.se/download/ \ ZI @@ -39,5 +39,6 @@ post-install: ${INSTALL_PROGRAM} ${PROGRAMS:S@^@${WRKSRC}/src/tools/.libs/@} ${STAGEDIR}${PREFIX}/bin/ + ${INSTALL_DATA} ${WRKSRC}/src/lib/ares_nameser.h ${STAGEDIR}${PREFIX}/include .include Index: dns/c-ares/distinfo =================================================================== --- dns/c-ares/distinfo +++ dns/c-ares/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1610054381 -SHA256 (c-ares-1.17.1.tar.gz) = d73dd0f6de824afd407ce10750ea081af47eba52b8a6cb307d220131ad93fc40 -SIZE (c-ares-1.17.1.tar.gz) = 1518701 +TIMESTAMP = 1629145622 +SHA256 (c-ares-1.17.2.tar.gz) = 4803c844ce20ce510ef0eb83f8ea41fa24ecaae9d280c468c582d2bb25b3913d +SIZE (c-ares-1.17.2.tar.gz) = 1538276 Index: dns/c-ares/pkg-plist =================================================================== --- dns/c-ares/pkg-plist +++ dns/c-ares/pkg-plist @@ -4,12 +4,13 @@ include/ares.h include/ares_build.h include/ares_dns.h +include/ares_nameser.h include/ares_rules.h include/ares_version.h lib/libcares.a lib/libcares.so lib/libcares.so.2 -lib/libcares.so.2.4.2 +lib/libcares.so.2.4.3 libdata/pkgconfig/libcares.pc man/man3/ares_cancel.3.gz man/man3/ares_create_query.3.gz Index: security/vuxml/vuln-2021.xml =================================================================== --- security/vuxml/vuln-2021.xml +++ security/vuxml/vuln-2021.xml @@ -1,3 +1,50 @@ + + node14 -- Multiple vulnerabilities + + + node14 + 14.17.4 + + + + +
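Review bot: The added `${INSTALL_DATA} ${WRKSRC}/src/lib/ares_nameser.h ${STAGEDIR}${PREFIX}/include` line in post-install copies a header straight out of the source tree with no comment saying why the port has to do this by hand. Presumably the 1.17.2 install target omits ares_nameser.h while the installed headers still need it; a comment such as `# ares_nameser.h is not installed by upstream 1.17.2; drop this once upstream installs it` would let the next updater remove the line cleanly. The destination could also end in `/include/` to match the `${STAGEDIR}${PREFIX}/bin/` form on the line above, so the copy fails visibly if the directory is missing.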

Node.js team reports:

+
+

CVE-2021-3672/CVE-2021-22931: Improper handling of untypical + characters in domain names: Node.js was vulnerable to Remote Code + Execution, XSS, application crashes due to missing input validation + of hostnames returned by Domain Name Servers in the Node.js DNS + library which can lead to the output of wrong hostnames (leading to + Domain Hijacking) and injection vulnerabilities in applications using + the library.

+

CVE-2021-22930: Use after free on close http2 on stream canceling + (High): Node.js was vulnerable to a use after free attack where an + attacker might be able to exploit memory corruption to change process + behavior. This release includes a follow-up fix for CVE-2021-22930 as + the issue was not completely resolved by the previous fix.

+

CVE-2021-22939: Incomplete validation of rejectUnauthorized + parameter: If the Node.js HTTPS API was used incorrectly and + "undefined" was in passed for the "rejectUnauthorized" parameter, no + error was returned and connections to servers with an expired + certificate would have been accepted.

+
+ +
+ + CVE-2021-3672 + CVE-2021-22931 + https://nvd.nist.gov/vuln/detail/CVE-2021-22931 + CVE-2021-22930 + https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22930 + CVE-2021-22939 + https://nvd.nist.gov/vuln/detail/CVE-2021-22939 + + + 2021-01-06 + 2021-08-16 + +
+ lynx -- SSL certificate validation error Index: www/node14/Makefile =================================================================== --- www/node14/Makefile +++ www/node14/Makefile @@ -1,6 +1,6 @@ PORTNAME= node DISTVERSIONPREFIX= v -DISTVERSION= 14.17.0 +DISTVERSION= 14.17.5 CATEGORIES= www MASTER_SITES= http://nodejs.org/dist/v${DISTVERSION}/ PKGNAMESUFFIX= 14 @@ -70,7 +70,7 @@ LINK.host=${CXX} LDFLAGS.host="${LDFLAGS}" BUILD_DEPENDS+= brotli>=1.0.9,1:archivers/brotli \ - c-ares>=1.17.1:dns/c-ares \ + c-ares>=1.17.2:dns/c-ares \ libuv>=1.41.0:devel/libuv \ libnghttp2>=1.42.0:www/libnghttp2 \ objdump:devel/binutils Index: www/node14/distinfo =================================================================== --- www/node14/distinfo +++ www/node14/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1621284032 -SHA256 (node-v14.17.0.tar.gz) = 6114e82d3256136dc85a509d835442fbdf2f8430dcd8bfa7c304097344d06fb7 -SIZE (node-v14.17.0.tar.gz) = 63562031 +TIMESTAMP = 1629145331 +SHA256 (node-v14.17.5.tar.gz) = bd1bb74eae48c7aa7d4519736385e99477d954c6915adefdc3c373be461d1aaa +SIZE (node-v14.17.5.tar.gz) = 63709824 Index: www/node14/files/patch-deps_v8_src_objects_js-list-format.cc =================================================================== --- www/node14/files/patch-deps_v8_src_objects_js-list-format.cc +++ /dev/null 
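Review bot: The affected range for node14 in this new entry ends at 14.17.4, yet the quoted advisory describes fixes (CVE-2021-3672/CVE-2021-22931, the follow-up for CVE-2021-22930, and CVE-2021-22939) that this same commit delivers by moving the port to 14.17.5. The markup is not visible here, so if that bound is an `<lt>`, hosts still running 14.17.4 would not be flagged by `pkg audit`, and the bound should read `<lt>14.17.5</lt>`. The entry also names only node14 although dns/c-ares is updated to 1.17.2 alongside it; unless another entry covers it, consider adding a `c-ares` package with `<lt>1.17.2</lt>` for CVE-2021-3672. The discovery date 2021-01-06 is also worth checking against the advisory, given the entry date of 2021-08-16.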
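Review bot: The raised floor `c-ares>=1.17.2:dns/c-ares` sits in BUILD_DEPENDS, which constrains only the host that builds the package. The rest of the Makefile is outside this hunk and no runtime dependency is visible, so it is worth confirming that the runtime dependency on dns/c-ares cannot be satisfied by 1.17.1. Otherwise a node 14.17.5 package could load a libcares without the hostname validation fix that the advisory ties to CVE-2021-3672. If the runtime dependency turns out to be an unversioned `libcares.so:dns/c-ares`, a matching `RUN_DEPENDS+= c-ares>=1.17.2:dns/c-ares` would close that gap.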
@@ -1,83 +0,0 @@ -https://github.com/v8/v8/commit/035c305ce7761f51328b45f1bd83e26aef267c9d - -../deps/v8/src/objects/js-list-format.cc:145:55: error: 'createInstance' is a private member of 'icu::ListFormatter' - icu::ListFormatter* formatter = icu::ListFormatter::createInstance( - ~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~ -/usr/local/include/unicode/listformatter.h:267:27: note: declared private here - static ListFormatter* createInstance(const Locale& locale, const char* style, UErrorCode& errorCode); - ^ - ---- deps/v8/src/objects/js-list-format.cc.orig 2021-04-06 19:42:15 UTC -+++ deps/v8/src/objects/js-list-format.cc -@@ -29,46 +29,27 @@ namespace v8 { - namespace internal { - - namespace { --const char* kStandard = "standard"; --const char* kOr = "or"; --const char* kUnit = "unit"; --const char* kStandardShort = "standard-short"; --const char* kOrShort = "or-short"; --const char* kUnitShort = "unit-short"; --const char* kStandardNarrow = "standard-narrow"; --const char* kOrNarrow = "or-narrow"; --const char* kUnitNarrow = "unit-narrow"; - --const char* GetIcuStyleString(JSListFormat::Style style, -- JSListFormat::Type type) { -+UListFormatterWidth GetIcuWidth(JSListFormat::Style style) { -+ switch (style) { -+ case JSListFormat::Style::LONG: -+ return ULISTFMT_WIDTH_WIDE; -+ case JSListFormat::Style::SHORT: -+ return ULISTFMT_WIDTH_SHORT; -+ case JSListFormat::Style::NARROW: -+ return ULISTFMT_WIDTH_NARROW; -+ } -+ UNREACHABLE(); -+} -+ -+UListFormatterType GetIcuType(JSListFormat::Type type) { - switch (type) { - case JSListFormat::Type::CONJUNCTION: -- switch (style) { -- case JSListFormat::Style::LONG: -- return kStandard; -- case JSListFormat::Style::SHORT: -- return kStandardShort; -- case JSListFormat::Style::NARROW: -- return kStandardNarrow; -- } -+ return ULISTFMT_TYPE_AND; - case JSListFormat::Type::DISJUNCTION: -- switch (style) { -- case JSListFormat::Style::LONG: -- return kOr; -- case JSListFormat::Style::SHORT: -- return kOrShort; -- case 
JSListFormat::Style::NARROW: -- return kOrNarrow; -- } -+ return ULISTFMT_TYPE_OR; - case JSListFormat::Type::UNIT: -- switch (style) { -- case JSListFormat::Style::LONG: -- return kUnit; -- case JSListFormat::Style::SHORT: -- return kUnitShort; -- case JSListFormat::Style::NARROW: -- return kUnitNarrow; -- } -+ return ULISTFMT_TYPE_UNITS; - } - UNREACHABLE(); - } -@@ -143,7 +124,7 @@ MaybeHandle JSListFormat::New(Isolate* i - icu::Locale icu_locale = r.icu_locale; - UErrorCode status = U_ZERO_ERROR; - icu::ListFormatter* formatter = icu::ListFormatter::createInstance( -- icu_locale, GetIcuStyleString(style_enum, type_enum), status); -+ icu_locale, GetIcuType(type_enum), GetIcuWidth(style_enum), status); - if (U_FAILURE(status) || formatter == nullptr) { - delete formatter; - THROW_NEW_ERROR(isolate, NewRangeError(MessageTemplate::kIcuError),