Page MenuHomeFreeBSD
Differential D32019

www/node14: Update to 14.17.6
AbandonedPublic
Actions

Authored by otis on Sep 19 2021, 10:36 AM.
Tags
None
Referenced Files
Unknown Object (File)
Mon, Apr 8, 12:41 PM
Unknown Object (File)
Dec 25 2023, 3:07 AM
Unknown Object (File)
Dec 19 2023, 6:15 AM
Unknown Object (File)
Nov 5 2023, 12:52 AM
Unknown Object (File)
Nov 4 2023, 4:35 PM
Unknown Object (File)
Aug 1 2023, 10:58 AM
Unknown Object (File)
Mar 27 2023, 9:14 PM
Unknown Object (File)
Mar 5 2023, 7:43 AM
View All 11 Files
Subscribers
mat

Details

Reviewers
jlduran_gmail.com
bhughes
rene
Summary

This is a security release.

These are vulnerabilities in the node-tar, arborist, and npm cli modules which
are related to the initial reports and subsequent remediation of node-tar
vulnerabilities CVE-2021-32803 and CVE-2021-32804.

Subsequent internal security review of node-tar and additional external bounty
reports have resulted in another 5 CVE being remediated in core npm CLI
dependencies including node-tar, and npm arborist.

FreeBSD-specific note: As c-ares does not expose ares_nameser.h to the public yet, add it as a local patch and is to be removed once c-ares will install the file (scheduled for version 1.17.3)

PR: 257903
Security: CVE-2021-37701
Security: CVE-2021-37712
Security: CVE-2021-37713
Security: CVE-2021-39134
Security: CVE-2021-39135

Diff Detail

Repository
rP FreeBSD ports repository
Lint
No Lint Coverage
Unit
No Test Coverage
Build Status
Buildable 41598
Build 38487: arc lint + arc unit

Event Timeline

otis created this revision.Sep 19 2021, 10:36 AM
Herald added a subscriber: mat. · View Herald TranscriptSep 19 2021, 10:36 AM
otis requested review of this revision.Sep 19 2021, 10:36 AM
Harbormaster completed remote builds in B41598: Diff 95354.Sep 19 2021, 10:36 AM
otis edited the summary of this revision. (Show Details)Sep 19 2021, 10:38 AM
otis added a reviewer: rene.

@rene I'm asking you for a quick assistence, as @bhughes (current maintainer) is not responding and we need www/node14 to be updated becuase it's needed for www/kibana7 to work properly (and even start). What should be the correct process, please?

otis mentioned this in D31433: www/node14: Update to 14.17.5.Sep 19 2021, 10:59 AM
jlduran_gmail.com accepted this revision.Sep 19 2021, 10:04 PM
This revision is now accepted and ready to land.Sep 19 2021, 10:04 PM
jlduran_gmail.com added a comment.Sep 21 2021, 11:47 PM

It has been updated! (Without the c-ares bump, nor the portlint) Thank you all for taking care of it!

bhughes added a comment.Sep 22 2021, 4:13 AM
In D32019#722478, @otis wrote:

@rene I'm asking you for a quick assistence, as @bhughes (current maintainer) is not responding and we need www/node14 to be updated becuase it's needed for www/kibana7 to work properly (and even start). What should be the correct process, please?

Howdy! I'm sorry for the very delayed response and updates for www/node and www/node14. I have pushed the update now, using a slightly different approach to solve the build breakage after Node.js starting using a c-ares private header.

otis abandoned this revision.Oct 2 2021, 11:41 AM

Revision Contents
Changeset List

Diff 95354

View Options

www/node14/Makefile

Loading...
View Options

www/node14/distinfo

Loading...
View Options

www/node14/files/patch-deps_v8_src_objects_js-list-format.cc

Loading...
View Options

www/node14/files/patch-src_ares__nameser.h

Loading...
View Options

www/node14/pkg-plist

Loading...