04f577d527
nodejs: ignore CVE-2023-30583, CVE-2023-30584 and CVE-2023-30587
...
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-30583
https://nvd.nist.gov/vuln/detail/CVE-2023-30584
https://nvd.nist.gov/vuln/detail/CVE-2023-30587
None of these vulnerabilities are present in the recipe version.
CVE-2023-30583: While the main feature (blob) was intruced in v16, the vulnerable
code (load blobs from file) was introduced in v20[1], and as such,
the vulnerability is not present in the recipe version.
CVE-2023-30584, CVE-2023-30587: The whole vulnerable feature (permission model) was
introduced[2] in v20.
Ignore these CVE IDs.
[1]: https://github.com/nodejs/node/commit/950cec4c2642c15e2913f35babadda56c1d8a723
[2]: https://github.com/nodejs/node/commit/00c222593e49d817281bc88a322f41f8dca95885
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2026-01-08 22:03:03 +01:00
d2894888c9
nodejs: fix CVE_PRODUCT
...
The CVE_PRODUCT is set with a weak default assignment in the cve-check.bbclass,
which means that when the recipe uses +=, it overrides the original weak adefault
value instead of appending to it.
Set all applicable values in CVE_PRODUCT variable explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com >
2025-12-22 20:56:37 +01:00
198cf66134
meta-oe: Remove True option to getVar calls
...
getVar() now defaults to expanding by default, thus remove the True
option from getVar() calls with a regex search and replace.
Signed-off-by: Akash Hadke <akash.hadke27@gmail.com >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
2025-01-22 19:12:54 -05:00
3eb9002ce7
nodejs: fix CVE-2023-46809
...
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
2024-06-02 15:10:59 -04:00
17db7e96c4
nodejs: fix CVE-2024-22025
...
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
2024-06-02 15:09:02 -04:00
7b468c6f83
nodejs: fix CVE-2024-22019
...
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
2024-06-02 15:08:41 -04:00
1915dcb8e8
nodejs: Set CVE_PRODUCT to "node.js"
...
Set CVE_PRODUCT to 'node.js' for nodjs recipe
Signed-off-by: virendra thakur <virendrak@kpit.com >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
2024-02-28 08:18:18 -05:00
d3ee870fb0
nodejs: fix CVE-2022-25883
...
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression
Denial of Service (ReDoS) via the function new Range, when untrusted user data is
provided as a range.
References:
https://nvd.nist.gov/vuln/detail/CVE-2022-25883
Upstream patches:
https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
2023-09-04 11:59:59 -04:00
529620141e
nodejs: upgrade 16.20.1 -> 16.20.2
...
This release contains bug fixes only.
The following CVEs have been addressed:
CVE-2023-32002
CVE-2023-32006
CVE-2023-32559
$ git log --oneline v16.20.1..v16.20.2
dadbde963f (tag: v16.20.2) 2023-08-09, Version 16.20.2 'Gallium' (LTS)
d8ccfe9ad4 policy: handle Module.constructor and main.extensions bypass
242aaa0caa policy: disable process.binding() when enabled
40c3958a5a deps: update archs files for OpenSSL-1.1.1v
a9ac9da89a deps: fix openssl crypto clean
362d4c7494 deps: upgrade openssl sources to OpenSSL_1_1_1v
7447de2794 Working on v16.20.2
https://github.com/nodejs/node/releases/tag/v16.20.2
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com >
Signed-off-by: Armin Kuster <akuster808@gmail.com >
2023-08-11 10:32:04 -04:00
Gyorgy Sarvari
akash hadke
Archana Polampalli
virendra thakur