Hello community,

here is the log from the commit of package nodejs.2494 for openSUSE:12.3:Update checked in at 2014-01-27 12:41:19
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.3:Update/nodejs.2494 (Old)
 and      /work/SRC/openSUSE:12.3:Update/.nodejs.2494.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "nodejs.2494"

Changes:
--------
New Changes file:

--- /dev/null 2013-11-25 01:44:08.036031256 +0100
+++ /work/SRC/openSUSE:12.3:Update/.nodejs.2494.new/nodejs.changes 2014-01-27 12:41:20.000000000 +0100
@@ -0,0 +1,224 @@ +------------------------------------------------------------------- +Tue Jan 21 16:50:55 UTC 2014 - [email protected] + +- make nodejs use the v8 shipped with it by upstream. + The API of the new v8 deviates too much and we're not involved + enough upstream to justify a deviation here. (bnc#858747) +- disabled nodejs-v8-3.18.0.patch + +------------------------------------------------------------------- +Tue Dec 3 12:09:25 UTC 2013 - [email protected] + +- fix CVE-2013-4450: nodejs: HTTP Pipelining DoS (bnc#846808) + CVE-2013-4450-v0.10.x.patch: contains the fix + +------------------------------------------------------------------- +Fri Nov 2 16:18:09 UTC 2012 - [email protected] + +- added node-v0.8.12_missing_include.patch: + fixes a compiler warning about implicite declaration due to + missing include. +- enabled usage of system zlib and openssl +- enabled gdb support +- set CFLAGS/CXXFLAGS so the binary gets compiled with the optflags + +------------------------------------------------------------------- +Thu Oct 25 01:38:35 UTC 2012 - [email protected] + +- update to version 0.8.12 + * npm: Upgrade to 1.1.63 + + * crypto: Reduce stability index to 2-Unstable (isaacs) + + * windows: fix handle leak in uv_fs_utime (Bert Belder) + + * windows: fix application crashed popup in debug version (Bert Belder) + + * buffer: report proper retained size in profiler (Ben Noordhuis) + + * buffer: fix byteLength with UTF-16LE (koichik) + + * repl: make "end of input" JSON.parse() errors throw in the REPL (Nathan Rajlich) + + * repl: make invalid RegExp modifiers throw in the REPL (Nathan Rajlich) + + * http: handle multiple Proxy-Authenticate values (Willi Eggeling) + +------------------------------------------------------------------- +Mon Sep 17 19:12:44 UTC 2012 - [email protected] + +- update to version 0.8.9 + * v8: upgrade to 3.11.10.22 + * GYP: upgrade to r1477 + * npm: Upgrade to 1.1.61 + * npm: Don't create world-writable files (isaacs) + * unix: 
fix memory leak in udp (Ben Noordhuis) + * unix: map errno ESPIPE (Ben Noordhuis) + * unix, windows: fix memory corruption in fs-poll.c (Ben Noordhuis) + * child process: fix processes with IPC channel don't emit 'close' (Bert Belder) + * build: fix openssl configuration for "arm" builds (Nathan Rajlich) + * tls: support unix domain socket/named pipe in tls.connect (Shigeki Ohtsu) + * https: make https.get() accept a URL (koichik) + * http: respect HTTP/1.0 TE header (Ben Noordhuis) + * crypto, tls: Domainify setSNICallback, pbkdf2, randomBytes (Ben Noordhuis) + * stream.pipe: Don't call destroy() unless it's a function (isaacs) + + * unix, windows: fix memory corruption in fs-poll.c (Ben Noordhuis) + * unix: fix integer overflow in uv_hrtime (Tim Holy) + * tls: update default cipher list (Ben Noordhuis) + * unix: Fix llvm and older gcc duplicate symbol warnings (Bert Belder) + * fs: fix use after free in stat watcher (Ben Noordhuis) + + * crypto: fix uninitialized memory access in openssl (Ben Noordhuis) + * buffer, crypto: fix buffer decoding (Ben Noordhuis) + * tls: handle multiple CN fields when verifying cert (Ben Noordhuis) + * doc: remove unused util from child_process (Kyle Robinson Young) + +------------------------------------------------------------------- +Thu Jul 19 06:56:57 UTC 2012 - [email protected] + +- update to version 0.8.2: + API changes between v0.6 and v0.8: + https://github.com/joyent/node/wiki/API-changes-between-v0.6-and-v0.8 +- update npm to 1.1.36 +- remove node-segfault.patch, as 0.8.2 already has this fix +- remove nodejs-npm-lib64path.patch as no wscript any more +- remove libdir from configure as no such option in 0.8 +- update nodejs-lib64path.patch to fix lib64 issue in x86_64 + +------------------------------------------------------------------- +Fri Jun 15 11:05:56 UTC 2012 - [email protected] + +- fix segfault + +------------------------------------------------------------------- +Fri Jun 15 10:30:28 UTC 2012 - [email 
protected] + +- update to version 0.6.19 + npm: upgrade to 1.1.24 + fs: no end emit after createReadStream.pause() (Andreas Madsen) + vm: cleanup module memory leakage (Marcel Laverdet) + unix: fix loop starvation under high network load (Ben Noordhuis) + unix: remove abort() in ev_unref() (Ben Noordhuis) + windows/tty: never report error after forcibly aborting line-buffered read (Bert Belder) + windows: skip GetFileAttributes call when opening a file (Bert Belder) + +------------------------------------------------------------------- +Tue May 8 15:52:08 UTC 2012 - [email protected] + +- update to version 0.6.17 + * Upgrade npm to 1.1.21 + * uv: Add support for EROFS errors + * uv: Add support for EIO and ENOSPC errors + * windows: Add support for EXDEV errors + * http: Fix client memory leaks + * fs: fix file descriptor leak in sync functions + * fs: fix ReadStream / WriteStream double close bug +- changes in version 0.6.16 + * Upgrade V8 to 3.6.6.25 + * Upgrade npm to 1.1.19 + * Windows: add mappings for UV_ENOENT + * linux: add IN_MOVE_SELF to inotify event mask + * unix: call pipe handle connection cb on accept() error + * unix: handle EWOULDBLOCK + * map EWOULDBLOCK to UV_EAGAIN + * Map ENOMEM to UV_ENOMEM + * Child process: support the `gid` and `uid` options + * test: cluster: add worker death event test + * typo in node_http_parser + * http_parser: Eat CRLF between requests, even on connection:close. + * don't check return value of unsetenv + +------------------------------------------------------------------- +Wed Apr 18 14:11:59 UTC 2012 - [email protected] + +- Update to version 0.6.15: + * Update npm to 1.1.16 + * Show licenses in binary installers. 
+ * unix: add uv_fs_read64, uv_fs_write64 and uv_fs_ftruncate64 + * add 64bit offset fs functions + * fs.readFile: don't make the callback before the fd is closed + * Fix #2061: segmentation fault on OS X due to stat size mismatch +- Remove empty %clean section not cleaning up anything (and there's good default) +- Add spec file license header +- Ran spec-cleaner + +------------------------------------------------------------------- +Thu Apr 5 11:22:33 UTC 2012 - [email protected] + +- update to 0.6.14 + see https://github.com/joyent/node/blob/v0.6.14-release/ChangeLog for details + +------------------------------------------------------------------- +Wed Feb 15 16:17:00 UTC 2012 - [email protected] + +- Removed doc patch because it's included in neew 0.6.10 nodejs +- Upgraded to newest 0.6.10 +- Testing on openSUSE 12.1 + +------------------------------------------------------------------- +Fri Jan 27 19:04:03 UTC 2012 - [email protected] + +- Update to 0.6.8 + +------------------------------------------------------------------- +Thu Dec 1 19:39:23 UTC 2011 - [email protected] + +- Added patch for npm docs + +------------------------------------------------------------------- +Wed Nov 30 12:24:22 UTC 2011 - [email protected] + +- Fix files section: + use %{_libdir} instead of lib64 + +------------------------------------------------------------------- +Tue Nov 29 15:51:50 UTC 2011 - [email protected] + +- Removed 0.6.2 source + +------------------------------------------------------------------- +Fri Nov 25 16:13:45 UTC 2011 - [email protected] + +- Updated to 0.6.3 + #2083 Land NPM in Node. It is included in packages/installers and installed on `make install`. + #2076 Add logos to windows installer. + #1711 Correctly handle http requests without headers. (Ben Noordhuis, Felix Geisendörfer) + TLS: expose more openssl SSL context options and constants. (Ben Noordhuis) + #2177 Windows: don’t kill UDP socket when a packet fails to reach its destination. 
(Bert Belder) + Windows: support paths longer than 260 characters. (Igor Zinkovsky) + Windows: correctly resolve drive-relative paths. (Bert Belder) + #2166 Don’t leave file descriptor open after lchmod. (Isaac Schlueter) + #2084 Add OS X .pkg build script to make file. + #2160 Documentation improvements. (Ben Noordhuis) + + +------------------------------------------------------------------- +Wed Nov 23 17:21:19 UTC 2011 - [email protected] ++++ 27 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:12.3:Update/.nodejs.2494.new/nodejs.changes New: ---- CVE-2013-4450-v0.8.x.patch node-v0.8.12.tar.gz node-v0.8.12_missing_include.patch nodejs-devel-lib64path.patch nodejs-lib64path.patch nodejs-libpath.patch nodejs.changes nodejs.spec ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ nodejs.spec ++++++ # # spec file for package nodejs # # Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. 
# Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: nodejs Version: 0.8.12 Release: 0 Summary: Evented I/O for V8 JavaScript License: MIT Group: Development/Languages/Other Url: http://www.nodejs.org Source: http://nodejs.org/dist/v%{version}/node-v%{version}.tar.gz Patch0: nodejs-lib64path.patch Patch1: nodejs-devel-lib64path.patch Patch2: nodejs-libpath.patch ###Patch3: node-v0.8.12_missing_include.patch Patch4: CVE-2013-4450-v0.8.x.patch BuildRequires: curl BuildRequires: gcc-c++ BuildRequires: procps ###BuildRequires: v8-devel >= 3.7 ###Requires: v8 >= 3.7 BuildRoot: %{_tmppath}/%{name}-%{version}-build %if 0%{?suse_version} BuildRequires: libopenssl-devel %else BuildRequires: openssl-devel %endif BuildRequires: pkg-config BuildRequires: zlib-devel # for waf BuildRequires: python Provides: npm = %{version} Obsoletes: npm <= 1.0.999 %description Provides an easy way to build scalable network programs http://nodejs.org %package devel Summary: Files needed for development of NodeJS platforms Group: Development/Languages/Other Requires: %{name} = %{version} Requires: gcc-c++ Requires: python %description devel Provides an easy way to build scalable network programs http://nodejs.org %prep %setup -q -n node-v%{version} %if %{_lib} == "lib64" %patch0 %patch1 %else %patch2 %endif ###%patch3 %patch4 -p1 %build # percent-configure pulls in something that confuses node's configure # script, so we'll do it thus: export CFLAGS="%{optflags}" export CXXFLAGS="%{optflags}" ./configure \ --prefix=%{_prefix} \ --shared-openssl \ --shared-zlib \ --gdb ### --shared-v8 \ make %{?_smp_mflags} %install %{?make_install} %{!?make_install:make install DESTDIR=$RPM_BUILD_ROOT} %files %defattr(-, root, root) %{_bindir}/node %{_mandir}/*/* %{_libdir}/dtrace #npm %doc AUTHORS LICENSE %{_libdir}/node_modules %exclude %{_libdir}/node_modules/npm/.npmignore %attr(755,root,root) %{_bindir}/npm %attr(755,root,root) %{_libdir}/node_modules/npm/scripts/clean-old.sh 
%attr(755,root,root) %{_libdir}/node_modules/npm/scripts/install.sh %files devel %defattr(-, root, root) %{_bindir}/node-waf %{_includedir}/node %{_libdir}/node %changelog ++++++ CVE-2013-4450-v0.8.x.patch ++++++ diff --git a/lib/http.js b/lib/http.js index 6ed4b3f..d39356a 100644 --- a/lib/http.js +++ b/lib/http.js @@ -150,7 +150,7 @@ function parserOnMessageComplete() { } } - if (parser.socket.readable) { + if (parser.socket.readable && !parser.socket._drain_paused) { // force to read the next incoming message parser.socket.resume(); } @@ -1828,6 +1828,7 @@ function connectionListener(socket) { }); socket.ondata = function(d, start, end) { + assert(!socket._drain_paused); var ret = parser.execute(d, start, end - start); if (ret instanceof Error) { debug('parse error'); @@ -1854,6 +1855,12 @@ function connectionListener(socket) { socket.destroy(); } } + + if (socket._drain_paused) { + // onIncoming paused the socket, we should pause the parser as well + debug('pause parser'); + socket.parser.pause(); + } }; socket.onend = function() { 
@@ -1882,9 +1889,36 @@ function connectionListener(socket) { // The following callback is issued after the headers have been read on a // new message. In this callback we setup the response object and pass it // to the user. + + socket._drain_paused = false; + function socketOnDrain() { + // If we previously paused, then start reading again. + if (socket._drain_paused) { + socket._drain_paused = false; + socket.parser.resume(); + socket.resume(); + } + } + socket.on('drain', socketOnDrain); + parser.onIncoming = function(req, shouldKeepAlive) { incoming.push(req); + // If the writable end isn't consuming, then stop reading + // so that we don't become overwhelmed by a flood of + // pipelined requests that may never be resolved. + + if (!socket._drain_paused && socket._handle) { + var needPause = socket._handle.writeQueueSize > 0; + if (needPause) { + socket._drain_paused = true; + // We also need to pause the parser, but don't do that until after + // the call to execute, because we may still be processing the last + // chunk. + socket.pause(); + } + } + var res = new ServerResponse(req); debug('server response shouldKeepAlive: ' + shouldKeepAlive); res.shouldKeepAlive = shouldKeepAlive; diff --git a/test/simple/test-http-pipeline-flood.js b/test/simple/test-http-pipeline-flood.js new file mode 100644 index 0000000..901f79f --- /dev/null +++ b/test/simple/test-http-pipeline-flood.js 
@@ -0,0 +1,115 @@ +// Copyright Joyent, Inc. and other Node contributors. +// +// Permission is hereby granted, free of charge, to any person obtaining a +// copy of this software and associated documentation files (the +// "Software"), to deal in the Software without restriction, including +// without limitation the rights to use, copy, modify, merge, publish, +// distribute, sublicense, and/or sell copies of the Software, and to permit +// persons to whom the Software is furnished to do so, subject to the +// following conditions: +// +// The above copyright notice and this permission notice shall be included +// in all copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS +// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN +// NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, +// DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR +// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE +// USE OR OTHER DEALINGS IN THE SOFTWARE. + +var common = require('../common'); +var assert = require('assert'); + +switch (process.argv[2]) { + case undefined: + return parent(); + case 'child': + return child(); + default: + throw new Error('wtf'); +} + +function parent() { + var http = require('http'); + var bigResponse = new Buffer(10240) + bigResponse.fill('x'); + var gotTimeout = false; + var childClosed = false; + var requests = 0; + var connections = 0; + + var server = http.createServer(function(req, res) { + requests++; + res.setHeader('content-length', bigResponse.length); + res.end(bigResponse); + }); + + server.on('connection', function(conn) { + connections++; + // kill the connection after a bit, verifying that the + // flood of requests was eventually halted. 
+ console.log('got connection'); + setTimeout(function() { + gotTimeout = true; + conn.destroy(); + }, 200); + }); + + + server.listen(common.PORT, function() { + var spawn = require('child_process').spawn; + var args = [__filename, 'child']; + var child = spawn(process.execPath, args, { stdio: 'inherit' }); + child.on('exit', function(code) { + assert(!code); + childClosed = true; + server.close(); + }); + }); + + process.on('exit', function() { + assert(gotTimeout); + assert(childClosed); + assert.equal(connections, 1); + // 1213 works out to be the number of requests we end up processing + // before the outgoing connection backs up and requires a drain. + // however, to avoid being unnecessarily tied to a specific magic number, + // and making the test brittle, just assert that it's "a lot", which we + // can safely assume is more than 500. + assert(requests >= 500); + console.log('ok'); + }); +} + +function child() { + var net = require('net'); + + var gotEpipe = false; + var conn = net.connect({ port: common.PORT }); + + var req = 'GET / HTTP/1.1\r\nHost: localhost:' + + common.PORT + '\r\nAccept: */*\r\n\r\n'; + + req = new Array(10241).join(req); + + conn.on('connect', function() { + write(); + }); + + conn.on('drain', write); + + conn.on('error', function(er) { + gotEpipe = true; + }); + + process.on('exit', function() { + assert(gotEpipe); + console.log('ok - child'); + }); + + function write() { + while (false !== conn.write(req, 'ascii')); + } +} ++++++ node-v0.8.12_missing_include.patch ++++++ Index: deps/uv/src/unix/eio/eio.c =================================================================== --- deps/uv/src/unix/eio/eio.c.orig +++ deps/uv/src/unix/eio/eio.c 
@@ -58,6 +58,7 @@ #include <errno.h> #include <stddef.h> #include <stdlib.h> +#include <stdio.h> #include <string.h> #include <errno.h> #include <sys/types.h> ++++++ nodejs-devel-lib64path.patch ++++++ --- ../node-v0.4.12-original/tools/node-waf 2011-09-16 01:46:39.000000000 +0200 +++ tools/node-waf 2011-09-21 19:04:25.000000000 +0200 @@ -5,7 +5,7 @@ join = os.path.join bindir = os.path.dirname(os.path.realpath(__file__)) prefix = join(bindir, "..") -wafdir = join(prefix, "lib", "node") +wafdir = join(prefix, "lib64", "node") w = join(wafdir, 'wafadmin') t = join(w, 'Tools') ++++++ nodejs-lib64path.patch ++++++ Index: lib/module.js =================================================================== --- lib/module.js.orig +++ lib/module.js @@ -493,7 +493,7 @@ Module.runMain = function() { }; Module._initPaths = function() { - var paths = [path.resolve(process.execPath, '..', '..', 'lib', 'node')]; + var paths = ["/usr/lib/node", "/usr/lib64/node"]; if (process.env['HOME']) { paths.unshift(path.resolve(process.env['HOME'], '.node_libraries')); Index: tools/install.py =================================================================== --- tools/install.py.orig +++ tools/install.py @@ -92,7 +92,7 @@ def waf_files(action): 'tools/wafadmin/TaskGen.py', 'tools/wafadmin/Task.py', 'tools/wafadmin/Utils.py'], - 'lib/node/wafadmin/') + 'lib64/node/wafadmin/') action(['tools/wafadmin/Tools/ar.py', 'tools/wafadmin/Tools/cc.py', 'tools/wafadmin/Tools/ccroot.py', @@ -126,7 +126,7 @@ def waf_files(action): 'tools/wafadmin/Tools/winres.py', 'tools/wafadmin/Tools/xlc.py', 'tools/wafadmin/Tools/xlcxx.py'], - 'lib/node/wafadmin/Tools/') + 'lib64/node/wafadmin/Tools/') def update_shebang(path, shebang): print 'updating shebang of %s to %s' % (path, shebang) 
@@ -135,7 +135,7 @@ def update_shebang(path, shebang): open(path, 'w').write(s) def npm_files(action): - target_path = 'lib/node_modules/npm/' + target_path = 'lib64/node_modules/npm/' # don't install npm if the target path is a symlink, it probably means # that a dev version of npm is installed there @@ -153,7 +153,7 @@ def npm_files(action): if action == uninstall: action([link_path], 'bin/npm') elif action == install: - try_symlink('../lib/node_modules/npm/bin/npm-cli.js', link_path) + try_symlink('../lib64/node_modules/npm/bin/npm-cli.js', link_path) if os.environ.get('PORTABLE'): # This crazy hack is necessary to make the shebang execute the copy # of node relative to the same directory as the npm script. The precompiled @@ -197,7 +197,7 @@ def files(action): # install unconditionally, checking if the platform supports dtrace doesn't # work when cross-compiling and besides, there's at least one linux flavor # with dtrace support now (oracle's "unbreakable" linux) - action(['src/node.d'], 'lib/dtrace/') + action(['src/node.d'], 'lib64/dtrace/') if 'true' == variables.get('node_install_waf'): waf_files(action) if 'true' == variables.get('node_install_npm'): npm_files(action) ++++++ nodejs-libpath.patch ++++++ --- ../node-v0.4.11.original/lib/module.js 2011-08-17 18:18:10.000000000 -0700 +++ lib/module.js 2011-08-22 14:36:11.662283878 -0700 @@ -422,7 +422,7 @@ }; Module._initPaths = function() { - var paths = [path.resolve(process.execPath, '..', '..', 'lib', 'node')]; + var paths = ["/usr/lib/node"]; if (process.env['HOME']) { paths.unshift(path.resolve(process.env['HOME'], '.node_libraries')); -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
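Review bot: the nodejs.changes hunk (`@@ -0,0 +1,224 @@`) names `CVE-2013-4450-v0.10.x.patch` in the Tue Dec 3 2013 entry, but the file actually added and applied is `CVE-2013-4450-v0.8.x.patch` (see the New: list and `Patch4:` / `%patch4 -p1` in nodejs.spec); the entry should name the 0.8.x patch so the CVE fix can be traced to the right file. The Fri Nov 2 2012 entry likewise says `node-v0.8.12_missing_include.patch` was added, yet the spec keeps it disabled (`###Patch3:` and `###%patch3`), so either apply it or record in the changes that it is shipped but not applied.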
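Review bot: in the `socket.ondata` hunk of lib/http.js (`@@ -1828,6 +1828,7 @@`), `assert(!socket._drain_paused)` turns a violated pause invariant into an uncaught exception, which in a patch whose purpose is DoS resistance would itself take the server process down; a short comment stating why no further chunk can reach `ondata` once `socket.pause()` has been called in `onIncoming` (the parser is only paused after `execute` returns, per the `@@ -1854` hunk) would make that safety argument reviewable. The hunk also uses `assert` without adding a `require`, so confirm it is already in scope at the top of lib/http.js.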
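Review bot: in the `connectionListener` hunk (`@@ -1882,9 +1889,36 @@`), `socketOnDrain` calls `socket.parser.resume()` unguarded and the `'drain'` listener is never removed, so if the socket is torn down and its parser released while a pause is outstanding, a late drain event dereferences a stale `socket.parser`. Guard it with `if (socket._drain_paused && socket.parser)` or remove the listener when the socket closes.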
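Review bot: the new test-http-pipeline-flood.js hunk (`@@ -0,0 +1,115 @@`) destroys the connection after a fixed 200 ms and then asserts `requests >= 500`, so the result depends on how many of the 10240 pipelined requests a builder can process in that window; on a slow or loaded build host this floor can fail without the fix being broken. Checking that the server actually paused (the observable effect of the fix) would be less timing-sensitive than a request-count floor. Minor: `var bigResponse = new Buffer(10240)` is missing its semicolon.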
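Review bot: both `nodejs-lib64path.patch` (`@@ -493,7 +493,7 @@`) and `nodejs-libpath.patch` (`@@ -422,7 +422,7 @@`) replace the execPath-relative `lib/node` entry in `Module._initPaths` with hardcoded absolute paths (`/usr/lib/node`, `/usr/lib64/node`) while the spec still passes a configurable `--prefix=%{_prefix}`; if the prefix ever differs from /usr, the global module directory is silently not searched. Substituting `%{_libdir}` in `%prep`, or keeping the execPath-relative entry alongside the absolute one, avoids that. The `nodejs-libpath.patch` header still references `node-v0.4.11.original` and line 422 where the lib64 variant is at line 493, so it is being applied to 0.8.12 with offset; regenerating it against the current tree would keep `%patch2` from breaking on the next update.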
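Review bot: `nodejs-devel-lib64path.patch` (`@@ -5,7 +5,7 @@` in tools/node-waf) hardcodes `lib64` into `wafdir`, and its header still refers to `node-v0.4.12-original`; the spec only applies it when `%{_lib} == "lib64"`, so it is consistent today, but a single `sed` on `"lib"` to `"%{_lib}"` in `%prep` would cover both layouts with one step and one less patch to carry forward.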
