Commit graph

31 commits

Author SHA1 Message Date
fhajny
7193c4d086 lang/nodejs6: Update to 6.14.4.
- buffer: Fix out-of-bounds (OOB) write in Buffer.write() for UCS-2
  encoding (CVE-2018-12115)
2018-08-16 13:40:26 +00:00
fhajny
d086ce17ab lang/nodejs6: Update to 6.14.3.
- buffer (CVE-2018-7167): Fixes Denial of Service vulnerability where
  calling Buffer.fill() could hang
2018-06-14 10:52:32 +00:00
fhajny
02d9e00033 lang/nodejs: Use pkgsrc http-parser, libuv, libcares instead of bundled versions.
Switch back to bundled nghttp2 on lang/nodejs to reconcile a conflict
of OpenSSL versions.
2018-05-12 08:59:56 +00:00
fhajny
a55910ca7a lang/nodejs*: Provide bl3 to nodejs packages to provide headers. 2018-05-04 14:28:32 +00:00
fhajny
e839cc63b4 lang/nodejs{6,8}: Decouple respective options.mk from main package. 2018-05-03 21:12:23 +00:00
fhajny
d537318754 lang/nodejs6: Update to 6.14.2.
- n-api has been backported to v6.x. It is being landed as an
  experimental interface, and as such is landing in
  a Semver-Patch release.
2018-05-03 10:29:16 +00:00
fhajny
428f89ca81 lang/nodejs*: Remove the npm package manager from nodejs packages. Introduce nodeversion.mk framework to pick and depend on one of the supported nodejs version packages. Bump respective PKGREVISIONs. 2018-05-02 16:33:02 +00:00
fhajny
6f39786389 lang/nodejs6: Update to 6.14.1.
Fixes for the following CVEs are included in this release:

- CVE-2018-7158
- CVE-2018-7159
- CVE-2018-7160

Notable Changes

- Fix for inspector DNS rebinding vulnerability (CVE-2018-7160): A
  malicious website could use a DNS rebinding attack to trick a web
  browser to bypass same-origin-policy checks and allow HTTP connections
  to localhost or to hosts on the local network, potentially to an open
  inspector port as a debugger, therefore gaining full code execution
  access. The inspector now only allows connections that have a browser
  Host value of localhost or localhost6.
- Fix for 'path' module regular expression denial of service
  (CVE-2018-7158): A regular expression used for parsing POSIX paths
  could be used to cause a denial of service if an attacker were able to
  have a specially crafted path string passed through one of the
  impacted 'path' module functions.
- Reject spaces in HTTP Content-Length header values (CVE-2018-7159):
  The Node.js HTTP parser allowed for spaces inside Content-Length
  header values. Such values now lead to rejected connections in the
  same way as non-numeric values.
- Update root certificates: 5 additional root certificates have been
  added to the Node.js binary and 30 have been removed.
2018-04-04 10:35:55 +00:00
fhajny
fcdac88d84 lang/nodejs6: Update to 6.13.1.
http, tls:
- better support for IPv6 addresses
2018-03-07 11:45:48 +00:00
fhajny
2ad4cb62d5 lang/nodejs6: Update to 6.13.0.
- console:
  - added console.count() and console.clear()
- crypto:
  - expose ECDH class
  - added cypto.randomFill() and crypto.randomFillSync()
  - warn on invalid authentication tag length
- deps:
  - upgrade libuv to 1.16.1
- dgram:
  - added socket.setMulticastInterface()
- http:
  - add agent.keepSocketAlive and agent.reuseSocket as to allow
    overridable keep-alive behavior of `Agent`
- lib:
  - return this from net.Socket.end()
- module:
  - add builtinModules api that provides list of all builtin modules
    in Node
- net:
  - return this from getConnections()
- promises:
  - more robust stringification for unhandled rejections
- repl:
  - improve require() autocompletion
- src:
  - add openssl-system-ca-path configure option
  - add --use-bundled-ca --use-openssl-ca check
  - add process.ppid
- tls:
  - accept `lookup` option for `tls.connect()`
- tools, build:
  - a new macOS installer!
- url:
  - WHATWG URL api support
- util:
  - add %i and %f formatting specifiers
2018-02-16 11:53:54 +00:00
fhajny
73301fc05e Update lang/nodejs6 to 6.12.2.
- deps: openssl updated to 1.0.2n
2017-12-09 17:55:03 +00:00
fhajny
59db92b47d Update lang/nodejs6 to 6.12.1.
- build: fix npm install with --shared
- build: building with python 3 is now supported
- src: v8 options can be specified with either '_' or '-' in NODE_OPTIONS
2017-12-07 22:09:46 +00:00
fhajny
89d9e4df00 Update lang/nodejs6 to 6.12.0.
assert:
- assert.fail() can now take one or two arguments

crypto:
- add sign/verify support for RSASSA-PSS

deps:
- upgrade openssl sources to 1.0.2m
- upgrade libuv to 1.15.0

fs:
- Add support for fs.write/fs.writeSync(fd, buffer, cb) and
  fs.write/fs.writeSync(fd, buffer, offset, cb) as documented

inspector:
- enable --inspect-brk

process:
- add --redirect-warnings command line argument

src:
- allow CLI args in env with NODE_OPTIONS
- --abort-on-uncaught-exception in NODE_OPTIONS
- allow --tls-cipher-list in NODE_OPTIONS
- use SafeGetenv() for NODE_REDIRECT_WARNINGS

test:
- remove common.fail()
2017-11-08 18:31:15 +00:00
fhajny
6254d2aab3 Update lang/nodejs6 to 6.11.5.
zlib:
- CVE-2017-14919 - In zlib v1.2.9, a change was made that causes an
  error to be raised when a raw deflate stream is initialized with
  windowBits set to 8. On some versions this crashes Node and you cannot
  recover from it, while on some versions it throws an exception.
  Node.js will now gracefully set windowBits to 9 replicating the legacy
  behavior to avoid a DOS vector.
2017-10-25 13:45:18 +00:00
fhajny
38c76f0f4f Update lang/nodejs6 to 6.11.4.
- net: support passing undefined to listen() to match behavior
  in v4.x and v8.x
2017-10-04 16:20:58 +00:00
fhajny
607cccfe3e Update lang/nodejs6 to 6.11.3
- build: Codesigning is fixed on macOS
- deps: Snapshots are turned back on!!!
- path: win32 volume-relative paths are working again!
- tools: v6.x can now build with ICU 59
2017-09-06 11:59:37 +00:00
fhajny
543a495408 Update lang/nodejs6 to 6.11.2.
### Notable Changes

- configure:
  - add mips64el to valid_arch
- crypto:
  - Updated root certificates based on NSS 3.30
- deps:
  - upgrade OpenSSL to version 1.0.2.l
- http:
  - parse errors are now reported when NODE_DEBUG=http
  - Agent construction can now be envoked without `new`
- zlib:
  - node will now throw an Error when zlib rejects the value of
    windowBits, instead of crashing
2017-08-02 16:05:20 +00:00
fhajny
e042e7228b Update lang/nodejs6 to 6.11.1.
- Disable V8 snapshots - The hashseed embedded in the snapshot is
  currently the same for all runs of the binary. This opens node up to
  collision attacks which could result in a Denial of Service. We have
  temporarily disabled snapshots until a more robust solution is found
- CVE-2017-1000381 - The c-ares function ares_parse_naptr_reply(), which
  is used for parsing NAPTR responses, could be triggered to read memory
  outside of the given input buffer if the passed in DNS response packet
  was crafted in a particular way. This patch checks that there is
  enough data for the required elements of an NAPTR record (2 int16, 3
  bytes for string lengths) before processing a record.
2017-07-11 19:10:32 +00:00
fhajny
976a3a17cc Update lang/nodejs6 to 6.11.0
Notable Changes

build:
- support for building mips64el
cluster:
- disconnect() now returns a reference to the disconnected worker.
crypto:
- ability to select cert store at runtime
- Use system CAs instead of using bundled ones
- The Decipher methods setAuthTag() and setAAD now return this.
- adding support for OPENSSL_CONF again
- make LazyTransform compabile with Streams1
deps:
- upgrade libuv to 1.11.0
dns:
- Implemented {ttl: true} for resolve4() and resolve6().
process:
- add NODE_NO_WARNINGS environment variable
readline:
- add option to stop duplicates in history
src:
- support "--" after "-e" as end-of-options
tls:
- new tls.TLSSocket() supports sec ctx options
- Allow obvious key/passphrase combinations.
2017-06-07 11:09:44 +00:00
fhajny
ca46b4a1b6 Update lang/nodejs6 to 6.10.3
- module: The module loading global fallback to the Node executable's
  directory now works correctly on Windows.
- src: fix base64 decoding in rare edgecase
- tls: fix rare segmentation faults when using TLS
2017-05-03 11:03:43 +00:00
adam
75a9285105 Revbump after icu update 2017-04-22 21:03:07 +00:00
fhajny
829ddfe58e Update lang/nodejs6 to 6.10.2.
- crypto: fix memory leak if certificate is revoked
- upgrade zlib to 1.2.11
- backport V8 fixes for spread syntax regression causing segfaults
- repl: Revert commit that broke REPL display on Windows
2017-04-06 14:59:22 +00:00
fhajny
f90422e5ed Update lang/nodejs6 to 6.10.1
- performance: The performance of several APIs has been improved.
  - Buffer.compare() is up to 35% faster on average.
  - buffer.toJSON() is up to 2859% faster on average.
  - fs.*statSync() functions are now up to 9.3% faster on average.
  - os.loadavg is up to 151% faster.
  - process.memoryUsage() is up to 34% faster.
  - querystring.unescape() for Buffers is 15% faster on average.
  - querystring.stringify() is up to 7.8% faster on average.
  - querystring.parse() is up to 21% faster on average.
- IPC: Batched writes have been enabled for process IPC on platforms
  that support Unix Domain Sockets.
  - Performance gains may be up to 40% for some workloads.
- child_process: spawnSync now returns a null status when child is
  terminated by a signal.
  - This fixes the behavior to act like spawn() does.
- http:
  - Control characters are now always rejected when using
    http.request().
  - Debug messages have been added for cases when headers contain
    invalid values.
- node: Heap statistics now support values larger than 4GB.
- timers: Timer callbacks now always maintain order when interacting
  with domain error handling.
2017-03-30 16:20:25 +00:00
jperkin
0e076c34fd Fix build on Darwin with GCC 4.8 or newer. 2017-03-20 16:51:42 +00:00
fhajny
1e4b4d0d5d Update lang/nodejs6 to 6.10.0.
Notable Changes

- crypto: allow adding extra certs to well-known CAs
- deps: Upgrade INTL ICU to version 58
- process: add process.memoryUsage.external
- src: add wrapper for process.emitWarning()
- fs: cache non-symlinks in realpathSync.
- repl: allow autocompletion for scoped packages
2017-02-22 11:34:41 +00:00
fhajny
70f2cde30d Update lang/nodejs6 to 6.9.5.
Notable Changes

- deps: upgrade openssl sources to 1.0.2k
2017-02-13 14:05:50 +00:00
fhajny
53e54414df Update lang/nodejs6 to 6.9.4.
This is a special release that contains 0 commits. While promoting
additional platforms for v6.9.3 after the release, the tarballs on the
release server were overwritten and now have different shasums. In order
to remove any ambiguity around the release we have opted to do a semver
patch release with no changes.
2017-01-06 10:00:14 +00:00
fhajny
ac73b4af3a Update lang/nodejs6 to 6.9.3.
Notable Changes

- build: shared library support is now working for AIX builds
- deps:
  - npm: upgrade npm to 3.10.10
  - V8: Destructuring of arrow function arguments via computed property
    no longer throws
- inspector: /json/version returns object, not an object wrapped
  in an array
- module: using --debug-brk and --eval together now works as expected
- process: improve performance of nextTick up to 20%
- repl:
  - the division operator will no longer be accidentally parsed as regex
  - improved support for generator functions
- timers: Re canceling a cancelled timers will no longer throw
2017-01-04 13:01:48 +00:00
fhajny
f0c34501ff Update lang/nodejs6 to 6.9.2
- buffer: coerce slice parameters consistently
- deps:
  - npm: upgrade npm to 3.10.9
  - V8: Various fixes to destructuring edge cases
    - cherry-pick 3c39bac from V8 upstream
    - cherry pick 7166503 from upstream v8
- gtest: the test reporter now outputs tap comments as yamlish
- inspector: inspector now prompts user to use 127.0.0.1 rather
  than localhost
- tls: fix memory leak when writing data to TLSWrap instance
  during handshake
2016-12-08 23:02:13 +00:00
ryoon
36ed025474 Recursive revbump from textproc/icu 58.1 2016-12-04 05:17:03 +00:00
fhajny
c3646a58aa Import nodejs 6.9.1 (LTS) as lang/nodejs6.
Node.js is an evented I/O framework for the V8 JavaScript engine. It is
intended for writing scalable network programs such as web servers.

This package holds the 6.x LTS release.
2016-10-25 19:54:00 +00:00