Gyorgy Sarvari
3dc63bce4d
nodejs: ignore CVE-2024-36137
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-36137
The vulnerability affects the permission model, which was introduced[1]
in v20 - the recipe version isn't vulnerable yet.
[1]: https://github.com/nodejs/node/commit/00c222593e49d817281bc88a322f41f8dca95885
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-01-08 22:03:03 +01:00
Gyorgy Sarvari
e88e353f30
nodejs: ignore CVE-2024-3566 and CVE-2024-36138
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-3566
https://nvd.nist.gov/vuln/detail/CVE-2024-36138
These vulnerabilities affect Windows only.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-01-08 22:03:03 +01:00
Gyorgy Sarvari
8e69851e6d
nodejs: patch CVE-2024-27983
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-27983
Pick the patch that mentions this CVE ID explicitly in its commit message.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-01-08 22:03:03 +01:00
Gyorgy Sarvari
ab83c61385
nodejs: ignore CVE-2024-22017
Details: https://nvd.nist.gov/vuln/detail/CVE-2024-22017
The vulnerability is related to the io_uring usage of libuv.
Libuv first introduced io_uring support in v1.45[1].
oe-core ships a non-vulnerable version (1.44.2), and nodejs
also vendors an older version (1.43).
Mark this CVE as ignored for this recipe version.
[1]: https://github.com/libuv/libuv/commit/d2c31f429b87b476a7f1344d145dad4752a406d4
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-01-08 22:03:03 +01:00
Gyorgy Sarvari
f9ed3b8197
nodejs: patch CVE-2023-39333
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-39333
Backport the patch that mentions this CVE ID explicitly in its
commit message.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-01-08 22:03:03 +01:00
Gyorgy Sarvari
04f577d527
nodejs: ignore CVE-2023-30583, CVE-2023-30584 and CVE-2023-30587
Details: https://nvd.nist.gov/vuln/detail/CVE-2023-30583
https://nvd.nist.gov/vuln/detail/CVE-2023-30584
https://nvd.nist.gov/vuln/detail/CVE-2023-30587
None of these vulnerabilities are present in the recipe version.
CVE-2023-30583: While the main feature (blob) was introduced in v16, the vulnerable
code (load blobs from file) was introduced in v20[1], and as such,
the vulnerability is not present in the recipe version.
CVE-2023-30584, CVE-2023-30587: The whole vulnerable feature (permission model) was
introduced[2] in v20.
Ignore these CVE IDs.
[1]: https://github.com/nodejs/node/commit/950cec4c2642c15e2913f35babadda56c1d8a723
[2]: https://github.com/nodejs/node/commit/00c222593e49d817281bc88a322f41f8dca95885
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2026-01-08 22:03:03 +01:00
Gyorgy Sarvari
d2894888c9
nodejs: fix CVE_PRODUCT
The CVE_PRODUCT is set with a weak default assignment in the cve-check.bbclass,
which means that when the recipe uses +=, it overrides the original weak default
value instead of appending to it.
Set all applicable values in CVE_PRODUCT variable explicitly.
Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
2025-12-22 20:56:37 +01:00
akash hadke
198cf66134
meta-oe: Remove True option to getVar calls
getVar() now defaults to expanding by default, thus remove the True
option from getVar() calls with a regex search and replace.
Signed-off-by: Akash Hadke <akash.hadke27@gmail.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2025-01-22 19:12:54 -05:00
Archana Polampalli
3eb9002ce7
nodejs: fix CVE-2023-46809
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2024-06-02 15:10:59 -04:00
Archana Polampalli
17db7e96c4
nodejs: fix CVE-2024-22025
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2024-06-02 15:09:02 -04:00
Archana Polampalli
7b468c6f83
nodejs: fix CVE-2024-22019
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2024-06-02 15:08:41 -04:00
virendra thakur
1915dcb8e8
nodejs: Set CVE_PRODUCT to "node.js"
Set CVE_PRODUCT to 'node.js' for nodejs recipe
Signed-off-by: virendra thakur <virendrak@kpit.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2024-02-28 08:18:18 -05:00
Polampalli, Archana
d3ee870fb0
nodejs: fix CVE-2022-25883
Versions of the package semver before 7.5.2 are vulnerable to Regular Expression
Denial of Service (ReDoS) via the function new Range, when untrusted user data is
provided as a range.
References:
https://nvd.nist.gov/vuln/detail/CVE-2022-25883
Upstream patches:
https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-09-04 11:59:59 -04:00
Polampalli, Archana
529620141e
nodejs: upgrade 16.20.1 -> 16.20.2
This release contains bug fixes only.
The following CVEs have been addressed:
CVE-2023-32002
CVE-2023-32006
CVE-2023-32559
$ git log --oneline v16.20.1..v16.20.2
dadbde963f (tag: v16.20.2) 2023-08-09, Version 16.20.2 'Gallium' (LTS)
d8ccfe9ad4 policy: handle Module.constructor and main.extensions bypass
242aaa0caa policy: disable process.binding() when enabled
40c3958a5a deps: update archs files for OpenSSL-1.1.1v
a9ac9da89a deps: fix openssl crypto clean
362d4c7494 deps: upgrade openssl sources to OpenSSL_1_1_1v
7447de2794 Working on v16.20.2
https://github.com/nodejs/node/releases/tag/v16.20.2
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
Signed-off-by: Armin Kuster <akuster808@gmail.com>
2023-08-11 10:32:04 -04:00