From 08dd7969df01e8197af30d680895122664531274 Mon Sep 17 00:00:00 2001 From: xiaoji <345865759@163.com> Date: Thu, 7 May 2026 19:21:05 +0800 Subject: [PATCH 1/5] updated to upstream version 20.20.2 and fixed CVEs --- sources | 1 - 1 file changed, 1 deletion(-) diff --git a/sources b/sources index 9ef9c5c..56ce7cb 100644 --- a/sources +++ b/sources @@ -1,4 +1,3 @@ SHA512 (icu4c-77_1-data-bin-b.zip) = 93b4c8228a059546e7c3e337f1f837db255c0046c15f50a31a7bd20daf361174edab05b01faaac1dd4f515ca3c1f1d7fb0f61e4177eb5631833ad1450e252c4e SHA512 (icu4c-77_1-data-bin-l.zip) = 3de15bb5925956b8e51dc6724c2114a1009ec471a2241b09ae09127f1760f44d02cc29cfbeed6cbaac6ee880553ac8395c61c6043c00ddba3277233e19e6490e SHA512 (node-v20.20.0.tar.gz) = 3c6238cfb46f2ca1b77dd6150b692a6715befd2dcdbdb8b59b076d3ead05e06344ed762321995105eab34837d527d0b69119d7686038bfcc86e7ab9d0d81072d -SHA512 (undici-6.24.0-nodejs.tar.gz) = 25bd80df7c2d561bc8362a77dc304f5f3c974ba0ade53b4dccf29bcce6be50ab34005ca10c3688cd79c673afb8af80f086061ad57fb5f5e964458132714af526 -- Gitee From fdf00c55df338454b43d4ae598c2a09ad575f42d Mon Sep 17 00:00:00 2001 From: xiaoji <345865759@163.com> Date: Thu, 7 May 2026 19:22:04 +0800 Subject: [PATCH 2/5] updated to upstream version 20.20.2 and fixed CVEs --- nodejs20.spec | 29 ++++++++++++----------------- 1 file changed, 12 insertions(+), 17 deletions(-) diff --git a/nodejs20.spec b/nodejs20.spec index ed511da..081ecba 100644 --- a/nodejs20.spec +++ b/nodejs20.spec @@ -1,8 +1,8 @@ # == Node.js Version == %global nodejs_major 20 %global nodejs_minor 20 -%global nodejs_patch 0 -%global nodejs_rel 4 +%global nodejs_patch 2 +%global nodejs_rel 1 # nodejs_soversion - from NODE_MODULE_VERSION in src/node_version.h %global nodejs_soversion 115 %global nodejs_abi %{nodejs_soversion} @@ -20,13 +20,13 @@ %global v8_version %{v8_major}.%{v8_minor}.%{v8_build}.%{v8_patch} # zlib - from deps/zlib/zlib.h -%global zlib_version 1.3.1 +%global zlib_version 1.3.1-e00f703 # c-ares - from deps/cares/include/ares_version.h %global c_ares_version 1.34.6 # llhttp - from deps/llhttp/include/llhttp.h -%global llhttp_version 9.3.0 +%global llhttp_version 9.3.1 # libuv - from deps/uv/include/uv/version.h %global libuv_version 1.46.0 @@ -41,8 +41,8 @@ %global ngtcp2_version 1.1.0 # ICU - from tools/icu/current_ver.dep -%global icu_major 77 -%global icu_minor 1 +%global icu_major 78 +%global icu_minor 2 %global icu_version %{icu_major}.%{icu_minor} %global icudatadir %{nodejs_datadir}/icudata @@ -64,12 +64,12 @@ %global npm_version 10.8.2 # uvwasi - from deps/uvwasi/include/uvwasi.h -%global uvwasi_version 0.0.21 +%global uvwasi_version 0.0.23 # histogram_c - assumed from timestamps %global histogram_version 0.9.7 -%global undici_version 6.24.0 +%global undici_version 6.24.1 %global ada_version 2.9.2 @@ -116,9 +116,6 @@ Source2: btest402.js # The binary data that icu-small can use to get icu-full capability Source3: https://github.com/unicode-org/icu/releases/download/release-%{icu_major}-%{icu_minor}/icu4c-%{icu_major}_%{icu_minor}-data-bin-b.zip Source4: https://github.com/unicode-org/icu/releases/download/release-%{icu_major}-%{icu_minor}/icu4c-%{icu_major}_%{icu_minor}-data-bin-l.zip -# fixed CVEs that nodejs has not fixed -# from build-undici-tarball.sh -Source5: undici-6.24.0-nodejs.tar.gz Source200: nodejs-sources.sh Source201: npmrc.builtin.in Source202: nodejs.pc.in @@ -181,7 +178,7 @@ BuildRequires: zlib-devel %endif %if %{with bundled_cjs_module_lexer} -Provides: bundled(nodejs-cjs-module-lexer) = 2.1.0 +Provides: bundled(nodejs-cjs-module-lexer) = 2.2.0 %else BuildRequires: nodejs-cjs-module-lexer Requires: nodejs-cjs-module-lexer @@ -291,11 +288,6 @@ rm -rf deps/undici pfiles=( $(grep -rl python) ) %py3_shebang_fix ${pfiles[@]} -# fixed CVEs in undici -pushd deps -rm -rf undici -tar axvf %{SOURCE5} -popd %build @@ -561,6 +553,9 @@ end %changelog +* Thu May 07 2026 Zhao Zhen - 20.20.2-4 +- fixed CVE-2026-27904 CVE-2026-27903 CVE-2026-26996 + * Mon Mar 30 2026 Zhao Zhen - 20.20.0-4 - fixed install error -- Gitee From 39ae151486c0b94d92e34c73b4a3bcc67c1c97a9 Mon Sep 17 00:00:00 2001 From: xiaoji <345865759@163.com> Date: Thu, 7 May 2026 19:25:16 +0800 Subject: [PATCH 3/5] updated to upstream version 20.20.2 and fixed CVEs --- sources | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sources b/sources index 56ce7cb..51aaf98 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ SHA512 (icu4c-77_1-data-bin-b.zip) = 93b4c8228a059546e7c3e337f1f837db255c0046c15f50a31a7bd20daf361174edab05b01faaac1dd4f515ca3c1f1d7fb0f61e4177eb5631833ad1450e252c4e SHA512 (icu4c-77_1-data-bin-l.zip) = 3de15bb5925956b8e51dc6724c2114a1009ec471a2241b09ae09127f1760f44d02cc29cfbeed6cbaac6ee880553ac8395c61c6043c00ddba3277233e19e6490e -SHA512 (node-v20.20.0.tar.gz) = 3c6238cfb46f2ca1b77dd6150b692a6715befd2dcdbdb8b59b076d3ead05e06344ed762321995105eab34837d527d0b69119d7686038bfcc86e7ab9d0d81072d +SHA512 (node-v20.20.2.tar.gz) = 995bb5b403b22edc687566533593e03bd2a666e61ccdd201483ef3780bfde55b5967bbe184f17bc20c4c7cf40fac706d7d31f406fcb3db8ee9d4bd4284d60c57 -- Gitee From 3c4d775f3011a3888faace65ff065c0b66711fa2 Mon Sep 17 00:00:00 2001 From: xiaoji <345865759@163.com> Date: Thu, 7 May 2026 19:26:07 +0800 Subject: [PATCH 4/5] updated to upstream version 20.20.2 and fixed CVEs --- nodejs20.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nodejs20.spec b/nodejs20.spec index 081ecba..609a392 100644 --- a/nodejs20.spec +++ b/nodejs20.spec @@ -553,7 +553,7 @@ end %changelog -* Thu May 07 2026 Zhao Zhen - 20.20.2-4 +* Thu May 07 2026 Zhao Zhen - 20.20.2-1 - fixed CVE-2026-27904 CVE-2026-27903 CVE-2026-26996 * Mon Mar 30 2026 Zhao Zhen - 20.20.0-4 -- Gitee From 22211b352883d94d030cc14ea6eeea761eef8af4 Mon Sep 17 00:00:00 2001 From: xiaoji <345865759@163.com> Date: Fri, 8 May 2026 10:42:47 +0800 Subject: [PATCH 5/5] small fix --- nodejs20.spec | 4 ++-- sources | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/nodejs20.spec b/nodejs20.spec index 609a392..0e3b9aa 100644 --- a/nodejs20.spec +++ b/nodejs20.spec @@ -114,8 +114,8 @@ Source0: https://nodejs.org/dist/v%{version}/node-v%{version}.tar.gz Source1: npmrc Source2: btest402.js # The binary data that icu-small can use to get icu-full capability -Source3: https://github.com/unicode-org/icu/releases/download/release-%{icu_major}-%{icu_minor}/icu4c-%{icu_major}_%{icu_minor}-data-bin-b.zip -Source4: https://github.com/unicode-org/icu/releases/download/release-%{icu_major}-%{icu_minor}/icu4c-%{icu_major}_%{icu_minor}-data-bin-l.zip +Source3: https://github.com/unicode-org/icu/releases/download/release-%{icu_version}/icu4c-%{icu_version}-data-bin-b.zip +Source4: https://github.com/unicode-org/icu/releases/download/release-%{icu_version}/icu4c-%{icu_version}-data-bin-l.zip Source200: nodejs-sources.sh Source201: npmrc.builtin.in Source202: nodejs.pc.in diff --git a/sources b/sources index 51aaf98..22ef023 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (icu4c-77_1-data-bin-b.zip) = 93b4c8228a059546e7c3e337f1f837db255c0046c15f50a31a7bd20daf361174edab05b01faaac1dd4f515ca3c1f1d7fb0f61e4177eb5631833ad1450e252c4e -SHA512 (icu4c-77_1-data-bin-l.zip) = 3de15bb5925956b8e51dc6724c2114a1009ec471a2241b09ae09127f1760f44d02cc29cfbeed6cbaac6ee880553ac8395c61c6043c00ddba3277233e19e6490e +SHA512 (icu4c-78.2-data-bin-b.zip) = 032a1e519bf92dfa7936ef85ebed697550dbcb4e32c6ecd28ffecb158a403eeff6c0a3545b2551eba73f288e31693be6880e202a38cd86c129dffa395e8ab625 +SHA512 (icu4c-78.2-data-bin-l.zip) = c0b46de115332940d3276763904caa6257eb516edce4382632f4b96a5b010fee4cb06a5e10ef5eee2f881515c1ee8277d9ae59015f6de6fe1d175b9d00dbb1ca SHA512 (node-v20.20.2.tar.gz) = 995bb5b403b22edc687566533593e03bd2a666e61ccdd201483ef3780bfde55b5967bbe184f17bc20c4c7cf40fac706d7d31f406fcb3db8ee9d4bd4284d60c57 -- Gitee