
www/node14: Update to 14.17.6
Abandoned, Public

Authored by otis on Sep 19 2021, 10:36 AM.

Details

Summary

This is a security release.

These are vulnerabilities in the node-tar, arborist, and npm cli modules which
are related to the initial reports and subsequent remediation of node-tar
vulnerabilities CVE-2021-32803 and CVE-2021-32804.

Subsequent internal security review of node-tar and additional external bounty
reports have resulted in another 5 CVEs being remediated in core npm CLI
dependencies including node-tar, and npm arborist.

FreeBSD-specific note: As c-ares does not expose ares_nameser.h to the public yet, add it as a local patch, to be removed once c-ares installs the file (scheduled for version 1.17.3).

PR: 257903
Security: CVE-2021-37701
Security: CVE-2021-37712
Security: CVE-2021-37713
Security: CVE-2021-39134
Security: CVE-2021-39135

Diff Detail

Repository: rP FreeBSD ports repository
Lint: No Linters Available
Unit: No Unit Test Coverage
Build Status: Buildable 41598
Build 38487: arc lint + arc unit

Event Timeline

otis requested review of this revision. Sep 19 2021, 10:36 AM
otis added a reviewer: rene.

@rene I'm asking you for quick assistance, as @bhughes (current maintainer) is not responding and we need www/node14 to be updated because it's needed for www/kibana7 to work properly (and even start). What should be the correct process, please?

This revision is now accepted and ready to land. Sep 19 2021, 10:04 PM

It has been updated! (Without the c-ares bump, nor the portlint) Thank you all for taking care of it!

In D32019#722478, @otis wrote:

@rene I'm asking you for quick assistance, as @bhughes (current maintainer) is not responding and we need www/node14 to be updated because it's needed for www/kibana7 to work properly (and even start). What should be the correct process, please?

Howdy! I'm sorry for the very delayed response and updates for www/node and www/node14. I have pushed the update now, using a slightly different approach to solve the build breakage after Node.js started using a c-ares private header.