diff --git a/SPECS/nodejs/clean-source-tarball.sh b/SPECS/nodejs/clean-source-tarball.sh
new file mode 100755
index 00000000000..8b39ffdbdf2
--- /dev/null
+++ b/SPECS/nodejs/clean-source-tarball.sh
@@ -0,0 +1,59 @@
+#!/bin/bash
+# Copyright (c) Microsoft Corporation.
+# Licensed under the MIT License.
+#
+# The nodejs source tarball contains a copy of the OpenSSL source tree.
+# OpenSSL contains patented algorithms that should not be distributed
+# as part of the SRPM. Since we use the shared OpenSSL libraries, we
+# can just remove the entire OpenSSL source tree from the tarball.
+
+print_usage() {
+ echo "Usage:"
+ echo "clean-source-tarball.sh {version}"
+ echo "Example: clean-source-tarball.sh 14.18.1"
+ echo
+ exit
+}
+
+VERSION=$1
+
+if [ -z "$1" ]; then
+ print_usage
+fi
+
+
+# Quit on failure
+set -e
+
+namever="node-v${VERSION}"
+upstream_tarball_name="${namever}.tar.xz"
+clean_tarball_name="${namever}-clean.tar.xz"
+download_url="https://nodejs.org/download/release/v${VERSION}/${upstream_tarball_name}"
+
+tmpdir=$(mktemp -d)
+echo "Using temporary directory: $tmpdir"
+pushd $tmpdir > /dev/null
+
+echo "Downloading upstream source tarball..."
+curl -s -O $download_url
+
+echo "Unpacking upstream source tarball..."
+tar -xf $upstream_tarball_name
+
+echo "Removing bad vendored dependencies from source tree..."
+rm -rf ./$namever/deps/openssl
+
+# Create a reproducible tarball
+# Credit to https://reproducible-builds.org/docs/archives/ for instructions
+# Do not update mtime value for new versions- keep the same value for ease of
+# reproducing old tarball versions in the future if necessary
+echo "Repacking source tarball..."
+tar --sort=name --mtime="2021-11-10 00:00Z" \
+ --owner=0 --group=0 --numeric-owner \
+ --pax-option=exthdr.name=%d/PaxHeaders/%f,delete=atime,delete=ctime \
+ -cJf $clean_tarball_name ./$namever
+
+popd > /dev/null
+cp "${tmpdir}/${clean_tarball_name}" .
+echo "Clean nodejs source tarball available at $PWD/$clean_tarball_name"
+rm -rf $tmpdir
diff --git a/SPECS/nodejs/nodejs.signatures.json b/SPECS/nodejs/nodejs.signatures.json
index 3a0aa1d51de..180c8b0fe0d 100644
--- a/SPECS/nodejs/nodejs.signatures.json
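Review bot: The archive fetched at `curl -s -O $download_url` is unpacked and repacked without any integrity check, and without `-f` a non-2xx response (a mistyped version, a moved file) is saved under the tarball name with exit status 0, so `set -e` only trips later when `tar -xf` chokes on the error body. Since the hash recorded in nodejs.signatures.json is of the locally produced `-clean` archive, the upstream download is the only point where provenance can be verified; I would fetch with `-fsSL`, compare the archive against the SHASUMS256.txt published in the same upstream release directory (ideally after checking its detached signature) before unpacking, and quote every expansion (`"$tmpdir"`, `"$download_url"`, `"$upstream_tarball_name"`, `"$namever"`) since `VERSION` comes straight from argv. `print_usage` ends with a bare `exit`, so a missing argument reports success to the caller — make it `exit 1`. A `trap 'rm -rf -- "$tmpdir"' EXIT` right after `mktemp -d` would also clean up the temporary tree when any intermediate step fails instead of leaving it behind.
```shell
# … unchanged: usage check, name setup, mktemp/pushd …
echo "Downloading upstream source tarball..."
curl -fsSL -o "$upstream_tarball_name" "$download_url"

# Verify the upstream archive before unpacking.  The checksum-list URL below is
# constructed from the release directory; confirm it for this release and verify
# the list's detached signature before trusting it.
curl -fsSL -o SHASUMS256.txt "https://nodejs.org/download/release/v${VERSION}/SHASUMS256.txt"
grep -- " ${upstream_tarball_name}\$" SHASUMS256.txt | sha256sum -c -

echo "Unpacking upstream source tarball..."
tar -xf "$upstream_tarball_name"
# … unchanged: remove deps/openssl, reproducible repack, copy out …
```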
+++ b/SPECS/nodejs/nodejs.signatures.json
@@ -1,5 +1,6 @@
 {
 "Signatures": {
- "node-v14.17.2.tar.xz": "4f5fb2b87e2255da3b200ed73ab076002e4b088df0027ec85e25541a6830583e"
+ "node-v14.18.3-clean.tar.xz": "51fa0865b597e131219e6a6398961b372d773b72d28e3c75524154bd2792e0bd",
+ "clean-source-tarball.sh": "ab579872ec2f4e85a00fc1651b40a26876012256c722c3701ef3cdcb378c93d5"
 }
-}
\ No newline at end of file
+}
diff --git a/SPECS/nodejs/nodejs.spec b/SPECS/nodejs/nodejs.spec
index 82994dd2dd0..2e4e68c0db7 100644
--- a/SPECS/nodejs/nodejs.spec
+++ b/SPECS/nodejs/nodejs.spec
@@ -1,23 +1,28 @@ # Retrieved from 'deps/npm/package.json' inside the sources tarball. -%define npm_version 6.14.13 - +%define npm_version 6.14.15 Summary: A JavaScript runtime built on Chrome's V8 JavaScript engine. Name: nodejs # WARNINGS: MUST check and update the 'npm_version' macro for every version update of this package. # The version of NPM can be found inside the sources under 'deps/npm/package.json'. -Version: 14.17.2 -Release: 2%{?dist} -License: BSD and MIT and Public Domain and naist-2003 -Group: Applications/System +Version: 14.18.3 +Release: 1%{?dist} +License: BSD AND MIT AND Public Domain AND naist-2003 Vendor: Microsoft Corporation Distribution: Mariner +Group: Applications/System URL: https://github.com/nodejs/node -Source0: https://nodejs.org/download/release/v%{version}/node-v%{version}.tar.xz +# Source0 has a vendored OpenSSL source tree with patented algorithms. +# Use Source1 to create a clean and reproducible source tarball. +Source0: https://nodejs.org/download/release/v%{version}/node-v%{version}.tar.xz#/node-v%{version}-clean.tar.xz +Source1: clean-source-tarball.sh Patch0: patch_tls_nodejs14.patch +Patch1: remove_unsupported_tlsv13_ciphers.patch -BuildRequires: coreutils >= 8.22, openssl-devel >= 1.0.1 +BuildRequires: coreutils >= 8.22 +BuildRequires: openssl-devel >= 1.0.1 BuildRequires: python3 BuildRequires: which + Requires: coreutils >= 8.22 Requires: openssl >= 1.0.1 Requires: python3 
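Review bot: The new `Source0` keeps the upstream URL but renames the local file to `node-v%{version}-clean.tar.xz` via the `#/` fragment, while nodejs.signatures.json records the hash of the archive that Source1 produces, so anyone who fetches Source0 from that URL gets the unmodified upstream tarball under the clean name and a checksum mismatch with no hint why. The two comment lines above it should say so explicitly, e.g. `# Source0 must be generated locally with Source1 (clean-source-tarball.sh); the URL is kept for provenance only and the file it serves will NOT match the recorded hash.` Separately, the `BuildRequires: openssl-devel >= 1.0.1` / `Requires: openssl >= 1.0.1` floor looks looser than what Patch1's TLSv1.3 ciphersuite edit and `--shared-openssl` presumably need (TLSv1.3 only exists from OpenSSL 1.1.1); worth confirming and raising so the build cannot resolve against an older library.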
@@ -37,19 +42,19 @@ The nodejs-devel package contains libraries, header files and documentation for developing applications that use nodejs. %prep -%setup -q -n node-v%{version} -%patch0 -p1 +%autosetup -p1 -n node-v%{version} %build -sh configure --prefix=%{_prefix} \ - --shared-openssl \ - --shared-zlib - -make %{?_smp_mflags} +python3 configure.py \ + --prefix=%{_prefix} \ + --shared-openssl \ + --shared-zlib \ + --openssl-use-def-ca-store +%make_build %install -make %{?_smp_mflags} install DESTDIR=$RPM_BUILD_ROOT +%make_install rm -fr %{buildroot}%{_libdir}/dtrace/ # No systemtap support. install -m 755 -d %{buildroot}%{_libdir}/node_modules/ install -m 755 -d %{buildroot}%{_datadir}/%{name} @@ -63,15 +68,15 @@ done %check make cctest -%post -p /sbin/ldconfig +%ldconfig_scriptlets %files %defattr(-,root,root) %license LICENSE +%doc CHANGELOG.md README.md %{_bindir}/* %{_libdir}/node_modules/* %{_mandir}/man*/* -%doc CHANGELOG.md LICENSE README.md %files devel %defattr(-,root,root) 
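Review bot: `--openssl-use-def-ca-store` in the new `python3 configure.py` invocation changes which trust anchors Node's TLS clients use — as I understand the option, OpenSSL's default CA store instead of the root list Node bundles — which is a behavior change for every `https`/`tls` consumer, yet the hunk gives no reason for it. A comment above the configure call would make the intent reviewable, e.g. `# Use the system CA store (OpenSSL default) instead of Node's bundled root certificates, so trust follows the distro's ca-certificates package.` Together with `--shared-openssl` and Patch1 this also ties Node's default cipher list to the distro OpenSSL build, which is worth stating in the same comment.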
@@ -80,36 +85,55 @@ make cctest %{_datadir}/systemtap/tapset/node.stp %changelog -* Thu Sep 23 2021 Pawel Winogrodzki - 14.17.2-2 -- Adding 'Provides' for 'npm'. -* Mon Jul 19 2021 Neha Agarwal - 14.17.2-1 -- Update to version 14.17.2 to fix CVE-2021-22918 -* Mon Jun 07 2021 Henry Beberman - 14.17.0-1 -- Update to nodejs version 14.17.0 -* Sat May 09 2020 Nick Samson - 9.11.2-7 -- Added %%license line automatically -* Mon May 04 2020 Paul Monson 9.11.2-6 -- Add patch that enables building openssl without TLS versions less 1.2 -* Thu Apr 09 2020 Nicolas Ontiveros 9.11.2-5 -- Remove toybox and only use coreutils for requires. -* Wed Apr 08 2020 Pawel Winogrodzki 9.11.2-4 -- License verified. -- Removed "%%define sha1". -* Tue Sep 03 2019 Mateusz Malisz 9.11.2-3 -- Initial CBL-Mariner import from Photon (license: Apache2). -* Tue Jan 08 2019 Alexey Makhalov 9.11.2-2 -- Added BuildRequires python2, which -* Thu Sep 20 2018 Him Kalyan Bordoloi 9.11.2-1 -- Updated to version 9.11.2 -* Mon Sep 10 2018 Him Kalyan Bordoloi 9.9.0-1 -- Updated to version 9.9.0 -* Wed Feb 14 2018 Xiaolin Li 8.3.0-1 -- Updated to version 8.3.0 -* Fri Oct 13 2017 Alexey Makhalov 7.7.4-4 -- Remove BuildArch -* Mon Sep 18 2017 Alexey Makhalov 7.7.4-3 -- Requires coreutils or toybox -* Fri Jul 14 2017 Chang Lee 7.7.4-2 -- Updated %check -* Mon Mar 20 2017 Xiaolin Li 7.7.4-1 -- Initial packaging for Photon +* Thu Mar 10 2022 Pawel Winogrodzki - 14.18.3-1 +- Update to version 14.18.3 to fix CVE-2021-44531. +- Migrating patches and source tarball scripts from Mariner's 1.0 version. + +* Thu Sep 23 2021 Pawel Winogrodzki - 14.17.2-2 +- Adding 'Provides' for 'npm'. 
+ +* Mon Jul 19 2021 Neha Agarwal - 14.17.2-1 +- Update to version 14.17.2 to fix CVE-2021-22918 + +* Mon Jun 07 2021 Henry Beberman - 14.17.0-1 +- Update to nodejs version 14.17.0 + +* Sat May 09 2020 Nick Samson - 9.11.2-7 +- Added %%license line automatically + +* Mon May 04 2020 Paul Monson - 9.11.2-6 +- Add patch that enables building openssl without TLS versions less 1.2 + +* Thu Apr 09 2020 Nicolas Ontiveros - 9.11.2-5 +- Remove toybox and only use coreutils for requires. + +* Wed Apr 08 2020 Pawel Winogrodzki - 9.11.2-4 +- License verified. +- Removed "%%define sha1". + +* Tue Sep 03 2019 Mateusz Malisz - 9.11.2-3 +- Initial CBL-Mariner import from Photon (license: Apache2). + +* Tue Jan 08 2019 Alexey Makhalov - 9.11.2-2 +- Added BuildRequires python2, which + +* Thu Sep 20 2018 Him Kalyan Bordoloi - 9.11.2-1 +- Updated to version 9.11.2 + +* Mon Sep 10 2018 Him Kalyan Bordoloi - 9.9.0-1 +- Updated to version 9.9.0 + +* Wed Feb 14 2018 Xiaolin Li - 8.3.0-1 +- Updated to version 8.3.0 + +* Fri Oct 13 2017 Alexey Makhalov - 7.7.4-4 +- Remove BuildArch + +* Mon Sep 18 2017 Alexey Makhalov - 7.7.4-3 +- Requires coreutils or toybox + +* Fri Jul 14 2017 Chang Lee - 7.7.4-2 +- Updated %check + +* Mon Mar 20 2017 Xiaolin Li - 7.7.4-1 +- Initial packaging for Photon diff --git a/SPECS/nodejs/remove_unsupported_tlsv13_ciphers.patch b/SPECS/nodejs/remove_unsupported_tlsv13_ciphers.patch new file mode 100644 index 00000000000..be09b07b3ea --- /dev/null +++ b/SPECS/nodejs/remove_unsupported_tlsv13_ciphers.patch 
@@ -0,0 +1,30 @@ +From bc1684951d93403cb8a4453ef0e4ce9b37c8c798 Mon Sep 17 00:00:00 2001 +From: Thomas Crain +Date: Thu, 18 Nov 2021 07:22:22 -0800 +Subject: [PATCH] Remove TLS_CHACHA20_POLY1305_SHA256 from default cipher list + +Mariner's OpenSSL configuration does not allow for this TLSv1.3 +cipher. OpenSSL does not like being asked to use TLSv1.3 ciphers +it doesn't support (despite being fine processing similar cipher +requests for TLS < 1.3). This cipher's presence in the default +cipher list causes failures when initializing secure contexts +in the context of Node's TLS library. +--- + src/node_constants.h | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/src/node_constants.h b/src/node_constants.h +index d7de705f..750c00a1 100644 +--- a/src/node_constants.h ++++ b/src/node_constants.h +@@ -48,7 +48,6 @@ + // https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_ciphersuites.html + #define DEFAULT_CIPHER_LIST_CORE \ + "TLS_AES_256_GCM_SHA384:" \ +- "TLS_CHACHA20_POLY1305_SHA256:" \ + "TLS_AES_128_GCM_SHA256:" \ + "ECDHE-RSA-AES128-GCM-SHA256:" \ + "ECDHE-ECDSA-AES128-GCM-SHA256:" \ +-- +2.25.1 + diff --git a/cgmanifest.json b/cgmanifest.json index 4fab4d21f0c..04e68b0d74f 100644 --- a/cgmanifest.json +++ b/cgmanifest.json @@ -14463,8 +14463,8 @@ "type": "other", "other": { "name": "nodejs", - "version": "14.17.2", - "downloadUrl": "https://nodejs.org/download/release/v14.17.2/node-v14.17.2.tar.xz" + "version": "14.18.3", + "downloadUrl": "https://nodejs.org/download/release/v14.18.3/node-v14.18.3.tar.xz" } } },
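Review bot: The patch description justifies dropping `TLS_CHACHA20_POLY1305_SHA256` from `DEFAULT_CIPHER_LIST_CORE` by the distro's OpenSSL configuration, but neither the patch nor the spec records what that configuration is or how to notice when the premise changes, so a later OpenSSL update that enables this suite (or disables one of the two TLSv1.3 suites that remain) would silently leave Node with a stale or again-failing default list. I would add a sentence to the patch description naming the OpenSSL package/configuration the removal depends on and the observed failure (secure context initialization errors, as the header says), and mirror it as a comment on the `Patch1:` line in nodejs.spec. The spec's `%check` only runs `make cctest`, so the patched default list is not exercised at build time; if Node's documented default cipher list is mirrored elsewhere in the tree (docs or tests), those copies presumably need the same edit — worth confirming before merging.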