Nodejs: Minor updates #31494

Closed
adisbladis wants to merge 3 commits into NixOS:master from adisbladis:nodejs-CVE-2017-3736

Conversation

@adisbladis
Member

@adisbladis adisbladis commented Nov 10, 2017

Motivation for this change

Fix for CVE-2017-3736.

From upstream PR nodejs/node#16691:
This upgrades to OpenSSL 1.0.2m. It includes the fix for the moderate-severity CVE-2017-3736, which affects Node in RSA calculations of the TLS and crypto modules, but the attack is said to be very difficult.

Edit: As @vcunat points out we are already using the system OpenSSL so it does not have any security impact. This is just a normal update.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option build-use-sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Fits CONTRIBUTING.md.

@adisbladis adisbladis changed the title from "Nodejs cve 2017 3736" to "Nodejs: Fixes for CVE-2017-3736" on Nov 10, 2017
@c0bw3b c0bw3b added the labels "1.severity: security" (Issues which raise a security issue, or PRs that fix one) and "8.has: package (update)" (This PR updates a package to a newer version) on Nov 10, 2017
@c0bw3b
Contributor

c0bw3b commented Nov 10, 2017

@adisbladis in your opinion, does this need backporting to 17.09?

@vcunat
Member

vcunat commented Nov 10, 2017

Our expressions look like we use system openssl instead of the builtin one, meaning this update probably wouldn't have security impact.

@adisbladis adisbladis changed the title from "Nodejs: Fixes for CVE-2017-3736" to "Nodejs: Minor updates" on Nov 10, 2017
@adisbladis
Member Author

@vcunat You are right. No security implications here.

@c0bw3b I think the 8.x one at least should be backported as this release contained a fix for a regression.

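A way to check the point vcunat and adisbladis settle above for any given Node.js binary, as an added example that is not code from nixpkgs, this PR or the Node.js project: it reads the real fields process.versions.openssl and process.config.variables.node_shared_openssl, reports whether Node links the system (shared) libssl, in which case a bundled-OpenSSL bump like the 1.0.2m one in nodejs/node#16691 has no security effect and the distro openssl package decides exposure, and otherwise compares the bundled version against the fixed releases. The fixed releases (1.0.2m and 1.1.0g) come from the OpenSSL advisory for CVE-2017-3736, and later branches are assumed to already contain the fix; the version strings used for checking are constructed.

```javascript
'use strict';
// Added example, not code from nixpkgs, this PR or the Node.js project.
// Answers the question raised in the thread: does this Node use the system
// (shared) OpenSSL, so a bundled-OpenSSL bump changes nothing, or its own
// bundled copy, whose version then decides exposure to CVE-2017-3736?
//
// Assumptions: process.versions.openssl and
// process.config.variables.node_shared_openssl are the real Node fields used
// below; fixed releases per the OpenSSL advisory for this CVE are 1.0.2m and
// 1.1.0g; any later branch (1.1.1, 3.x) already contains the fix.

const FIXED_IN = { '1.0.2': '1.0.2m', '1.1.0': '1.1.0g' };
const LAST_FIX = '1.1.0g';

// Accepts "1.0.2m", "1.1.0g", "3.0.8" or the long form "OpenSSL 1.0.2m  2 Nov 2017".
function parseOpenSSLVersion(text) {
  const m = /(\d+)\.(\d+)\.(\d+)([a-z]*)/.exec(String(text));
  if (!m) throw new Error(`unrecognised OpenSSL version: ${text}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], letter: m[4] };
}

// Returns -1, 0 or 1. Pre-3.0 patch releases carry a trailing letter: "" sorts
// before "a", and two-letter suffixes such as "zh" sort after "z", as OpenSSL did.
function compareOpenSSLVersions(a, b) {
  const x = parseOpenSSLVersion(a);
  const y = parseOpenSSLVersion(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  if (x.letter === y.letter) return 0;
  return x.letter < y.letter ? -1 : 1;
}

// vulnerable: true/false when the bundled version settles it, null when it does not.
function assessOpenSSL(opensslVersion, sharedOpenSSL) {
  if (!opensslVersion) {
    return { source: 'none', vulnerable: null, reason: 'built without OpenSSL' };
  }
  const v = parseOpenSSLVersion(opensslVersion);
  const branch = `${v.major}.${v.minor}.${v.patch}`;
  if (sharedOpenSSL) {
    // What matters is the libssl loaded at run time, i.e. the distro package;
    // on older Node the reported string may even be the build-time header version.
    return { source: 'system', vulnerable: null, branch,
             reason: 'linked against the system libssl; check that package instead' };
  }
  if (branch in FIXED_IN) {
    const fixed = FIXED_IN[branch];
    return { source: 'bundled', branch,
             vulnerable: compareOpenSSLVersions(opensslVersion, fixed) < 0,
             reason: `fixed in ${fixed}` };
  }
  const postdatesFix = compareOpenSSLVersions(opensslVersion, LAST_FIX) > 0;
  return { source: 'bundled', branch, vulnerable: postdatesFix ? false : null,
           reason: postdatesFix ? 'branch postdates the fix' : 'branch not covered here' };
}

// Run the check against the Node that executes this file.
function assessThisNode() {
  const vars = (process.config && process.config.variables) || {};
  return assessOpenSSL(process.versions.openssl, Boolean(vars.node_shared_openssl));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(assessThisNode(), null, 2));
}
if (typeof module !== 'undefined') {
  module.exports = { parseOpenSSLVersion, compareOpenSSLVersions, assessOpenSSL, assessThisNode };
}
```

Run it with the nixpkgs-built node (`node check-openssl.js`, filename assumed); if the expression does use the system OpenSSL as vcunat reads it, the report says source "system", and on Linux `ldd` on the node binary listing a libssl entry confirms the same thing independently.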
@GrahamcOfBorg GrahamcOfBorg added the labels "10.rebuild-darwin: 1-10" (This PR causes between 1 and 10 packages to rebuild on Darwin) and "10.rebuild-linux: 1-10" (This PR causes between 1 and 10 packages to rebuild on Linux) on Nov 10, 2017
@disassembler disassembler removed the label "1.severity: security" (Issues which raise a security issue, or PRs that fix one) on Nov 10, 2017
@adisbladis
Member Author

ccing maintainers @cillianderoiste @Havvy @gilligan @cko

@adisbladis
Member Author

adisbladis commented Nov 15, 2017

There is a new release of nodejs-9_x (9.2.0).
I have updated and rebased this PR (does not currently build).

9.2.0 build fixed by updating libuv.

@GrahamcOfBorg GrahamcOfBorg added the labels "10.rebuild-darwin: 501+" (This PR causes many rebuilds on Darwin and should normally target the staging branches) and "10.rebuild-linux: 501+" (This PR causes many rebuilds on Linux and should normally target the staging branches) on Nov 15, 2017
@adisbladis
Member Author

adisbladis commented Nov 15, 2017

Because of the mass-rebuild caused by the libuv upgrade I have decided to split this into separate PRs:
#31710
#31711

@adisbladis adisbladis closed this Nov 15, 2017