Merge branch 'sec/node' into 'master'

user/node: [CVE] bump to 10.21.0 (#300), unvendor openssl See merge request adelie/packages!462
author: A. Wilcox <awilcox@wilcox-tech.com> 2020-06-16 20:17:20 +0000
committer: A. Wilcox <awilcox@wilcox-tech.com> 2020-06-16 20:17:20 +0000
commit: 3cf07e57710a4a7921e7e8881a48401ce1d340a0 (patch)
tree: 508d5d6a0a3e663c1bc3d18786873e21826dfc4e /user
parent: cc13890218a41c7a13b80872301206e0503e64b2 (diff)
parent: 4a0c1dc02f485ab73d15539cefd0cf5daeff6446 (diff)
download: packages-3cf07e57710a4a7921e7e8881a48401ce1d340a0.tar.gz
packages-3cf07e57710a4a7921e7e8881a48401ce1d340a0.tar.bz2
packages-3cf07e57710a4a7921e7e8881a48401ce1d340a0.tar.xz
packages-3cf07e57710a4a7921e7e8881a48401ce1d340a0.zip
4 files changed, 44 insertions, 13 deletions
diff --git a/user/http-parser/APKBUILD b/user/http-parser/APKBUILD
index af90a5f0e..cc6281b98 100644
--- a/user/http-parser/APKBUILD
+++ b/user/http-parser/APKBUILD
@@ -1,7 +1,7 @@
 # Contributor: A. Wilcox <awilfox@adelielinux.org>
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=http-parser
-pkgver=2.9.3
+pkgver=2.9.4
 pkgrel=0
 pkgdesc="Library for parsing HTTP messages in C"
 url=" "
@@ -11,7 +11,9 @@ depends=""
 depends_dev=""
 makedepends="$depends_dev"
 subpackages="$pkgname-dev"
-source="http-parser-$pkgver.tar.gz::https://github.com/nodejs/http-parser/archive/v$pkgver.tar.gz"
+source="http-parser-$pkgver.tar.gz::https://github.com/nodejs/http-parser/archive/v$pkgver.tar.gz
+	remove-bogus-sizeof-test.patch
+	"
 
 build() {
 	make
@@ -25,4 +27,5 @@ package() {
 	make PREFIX=/usr DESTDIR="$pkgdir" install
 }
 
-sha512sums="d200c52f594192ba80a8d5b59d414404843f8601dac647f29c27845db75ac1f015789031e30e91aaab5b553af1ee6af50b90f9342a444c10c1027e10fdb9a31b  http-parser-2.9.3.tar.gz"
+sha512sums="b45df7b94d1c51079d44687d0a7f901f44faae51df4e84c7e3fe38f130c2d809d0e7c2a146c57b3723e60732aededc246bf44eadb10a95b710963d641f9fe7cd  http-parser-2.9.4.tar.gz
+aaf666728ab860a19398a631276d7caaf696d29bfbce39408bbcd65775f23d452e477af481333631b8dd07eacb8ba44fb4c58d1216dc5fb0dfac88062c7f478b  remove-bogus-sizeof-test.patch"
diff --git a/user/http-parser/remove-bogus-sizeof-test.patch b/user/http-parser/remove-bogus-sizeof-test.patch
new file mode 100644
index 000000000..5f912fb5b
--- /dev/null
+++ b/user/http-parser/remove-bogus-sizeof-test.patch
@@ -0,0 +1,14 @@
+Upstream issues:
+https://github.com/nodejs/http-parser/issues/507
+https://github.com/nodejs/http-parser/pull/510
+
+--- http-parser-2.9.4/test.c	2020-03-24 05:54:06.000000000 -0500
++++ http-parser-2.9.4/test.c	2020-06-15 22:54:06.020315073 -0500
+@@ -4221,7 +4221,6 @@ main (void)
+   printf("http_parser v%u.%u.%u (0x%06lx)\n", major, minor, patch, version);
+ 
+   printf("sizeof(http_parser) = %u\n", (unsigned int)sizeof(http_parser));
+-  assert(sizeof(http_parser) == 4 + 4 + 8 + 2 + 2 + 4 + sizeof(void *));
+ 
+   //// API
+   test_preserve_data();
diff --git a/user/libgit2/APKBUILD b/user/libgit2/APKBUILD
index bfa1a39b3..246642192 100644
--- a/user/libgit2/APKBUILD
+++ b/user/libgit2/APKBUILD
@@ -3,7 +3,7 @@
 # Contributor: Pierre-Gilas MILLON <pgmillon@gmail.com>
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=libgit2
-pkgver=0.28.4
+pkgver=0.28.5
 pkgrel=0
 pkgdesc="Pure C re-entrant library for custom Git applications"
 url="https://libgit2.org/"
@@ -37,11 +37,12 @@ build() {
 }
 
 check() {
-	CTEST_OUTPUT_ON_FAILURE=TRUE ctest
+	# Don't run online tests by default.
+	CTEST_OUTPUT_ON_FAILURE=TRUE ctest -E online
 }
 
 package() {
 	make DESTDIR="$pkgdir" install
 }
 
-sha512sums="b81160608003b25d9b922d259ebbbbf941b6bd5100fa1875497c8cd29de320e292fff568c757a7a85b2b3044ddc1cb92c74dbcb13d630d62ecf9a8559b619d15  libgit2-0.28.4.tar.gz"
+sha512sums="abfea885f46444b0304ae57c32c06f4252afb0093c924da5e1ba10aaed952824d1b84036adb79b5b8ad8bea56a6331a51c62f3b9839aead16c7b26cb4554b53a  libgit2-0.28.5.tar.gz"
diff --git a/user/node/APKBUILD b/user/node/APKBUILD
index d60a359af..c74516b71 100644
--- a/user/node/APKBUILD
+++ b/user/node/APKBUILD
@@ -1,15 +1,16 @@
 # Contributor: A. Wilcox <awilfox@adelielinux.org>
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=node
-pkgver=10.19.0
+pkgver=10.21.0
 pkgrel=0
 pkgdesc="JavaScript runtime"
 url="https://nodejs.org/"
 arch="all"
-license="MIT AND ICU AND BSD-3-Clause AND BSD-2-Clause AND ISC AND OpenSSL AND Public-Domain AND Zlib AND Artistic-2.0 AND Apache-2.0 AND CC0-1.0"
+options="net"  # Required in check()
+license="MIT AND ICU AND BSD-3-Clause AND BSD-2-Clause AND ISC AND Public-Domain AND Zlib AND Artistic-2.0 AND Apache-2.0 AND CC0-1.0"
 depends=""
 makedepends="c-ares-dev http-parser-dev icu-dev libexecinfo-dev libuv-dev
-	nghttp2-dev python3 zlib-dev"
+	nghttp2-dev>=1.41 openssl-dev python3 zlib-dev"
 subpackages="$pkgname-dev $pkgname-doc"
 source="https://nodejs.org/download/release/v$pkgver/node-v$pkgver.tar.xz
 	https://www.python.org/ftp/python/2.7.15/Python-2.7.15.tar.xz
@@ -30,11 +31,15 @@ builddir="$srcdir/$pkgname-v$pkgver"
 #     - CVE-2019-9516
 #     - CVE-2019-9517
 #     - CVE-2019-9518
+#   10.21.0-r0:
+#     - CVE-2020-7598
+#     - CVE-2020-8174
 
 unpack() {
 	default_unpack
 	[ -z $SKIP_PYTHON ] || return 0
 
+	# TODO: when bumping to 12.x, python3 should be usable
 	msg "Killing all remaining hope for humanity and building Python 2..."
 	cd "$srcdir/Python-2.7.15"
 	[ -d ../python ] && rm -r ../python
@@ -47,7 +52,6 @@ unpack() {
 
 build() {
 	export PATH="$srcdir/python/bin:$PATH"
-	# We can't use --shared-openssl until 1.1 is available.
 	python ./configure.py \
 		--prefix=/usr \
 		--with-intl=system-icu \
@@ -55,15 +59,24 @@ build() {
 		--shared-http-parser \
 		--shared-libuv \
 		--shared-nghttp2 \
-		--openssl-no-asm \
+		--shared-openssl \
+		--openssl-use-def-ca-store \
 		--shared-zlib
 	# keep DESTDIR set, to avoid a full rebuild in package()
 	make DESTDIR="$pkgdir"
 }
 
 check() {
+	case "$CARCH" in
+	pmmx)
+		# https://bts.adelielinux.org/show_bug.cgi?id=306
+		_skip="parallel/test-http-invalid-te,parallel/test-worker-stdio"
+		;;
+	esac
+
 	export PATH="$srcdir/python/bin:$PATH"
-	make DESTDIR="$pkgdir" test-only
+	make DESTDIR="$pkgdir" test-only \
+		${_skip:+CI_SKIP_TESTS="$_skip"}
 }
 
 package() {
@@ -71,7 +84,7 @@ package() {
 	make DESTDIR="$pkgdir" install
 }
 
-sha512sums="512efc58415ed789938c434af131d76bdd51772cac9f7e380afaa79d83cc9c433a979068fc7272adba6ba6551d195267978e1fc819236926b0d1fd6cf91c5eee  node-v10.19.0.tar.xz
+sha512sums="613d3c1bca79ea5f127dc6793de2b5cfdfa056c01ec092e3b7ee79205894b21ca5ec4a367265122641dd1d360c675cfb36a4f7892894194ddd18abd1b2206544  node-v10.21.0.tar.xz
 27ea43eb45fc68f3d2469d5f07636e10801dee11635a430ec8ec922ed790bb426b072da94df885e4dfa1ea8b7a24f2f56dd92f9b0f51e162330f161216bd6de6  Python-2.7.15.tar.xz
 8f64922d586bce9d82c83042a989739cc55ecc5e015778cdfbda21c257aa50527ddb18740985bcb2068e4a749b71eb8a135d9a8152b374d361589df7f33c9b60  libatomic.patch
 6d37794c7c78ef92ebb845852af780e22dc8c14653b63a8609c21ab6860877b9dffc5cf856a8516b7978ec704f312c0627075c6440ace55d039f95bdc4c85add  ppc32.patch
author	A. Wilcox <awilcox@wilcox-tech.com>	2020-06-16 20:17:20 +0000
committer	A. Wilcox <awilcox@wilcox-tech.com>	2020-06-16 20:17:20 +0000
commit	3cf07e57710a4a7921e7e8881a48401ce1d340a0 (patch)
tree	508d5d6a0a3e663c1bc3d18786873e21826dfc4e /user
parent	cc13890218a41c7a13b80872301206e0503e64b2 (diff)
parent	4a0c1dc02f485ab73d15539cefd0cf5daeff6446 (diff)
download	packages-3cf07e57710a4a7921e7e8881a48401ce1d340a0.tar.gz packages-3cf07e57710a4a7921e7e8881a48401ce1d340a0.tar.bz2 packages-3cf07e57710a4a7921e7e8881a48401ce1d340a0.tar.xz packages-3cf07e57710a4a7921e7e8881a48401ce1d340a0.zip