unbound-1.19.3-1.fc38
- unbound-1.19.3-1.fc38
- Use the origin (DNAME) TTL for synthesized CNAMEs as per RFC 6672.
- Bug fixes
https://nlnetlabs.nl/projects/unbound/download/#unbound-1-19-3
https://nlnetlabs.nl/projects/unbound/download/#unbound-1-19-3
https://nlnetlabs.nl/projects/unbound/download/#unbound-1-19-3
https://nlnetlabs.nl/projects/unbound/download/#unbound-1-19-3
CVE-2024-1931 - Fix trim of EDE text from large udp responses from spinning cpu.
Automatic update for unbound-1.19.3-1.fc41.
Changelog * Fri Apr 12 2024 Petr Menšík <pemensik@redhat.com> - 1.19.3-1 - Update to 1.19.3 (rhbz#2268404) - Fix CVE-2024-1931, Denial of service when trimming EDE text on positive replies. (rhbz#2268419) - Use the origin (DNAME) TTL for synthesized CNAMEs as per RFC 6672. - Bug fixes * Sat Mar 9 2024 Paul Wouters <paul.wouters@aiven.io> - 1.19.1-4 - Add spec file commentupdate to 123.0.6312.122
* High CVE-2024-3157: Out of bounds write in Compositing * High CVE-2024-3516: Heap buffer overflow in ANGLE * High CVE-2024-3515: Use after free in Dawnupdate to 123.0.6312.122
* High CVE-2024-3157: Out of bounds write in Compositing * High CVE-2024-3516: Heap buffer overflow in ANGLE * High CVE-2024-3515: Use after free in Dawnupdate to 123.0.6312.122
* High CVE-2024-3157: Out of bounds write in Compositing * High CVE-2024-3516: Heap buffer overflow in ANGLE * High CVE-2024-3515: Use after free in DawnCVE-2023-52323
Update llhttp to 9.2.1, fixing CVE-2024-27982.
Additionally, llhttp 9.2.0 contained a number of bug fixes.
Backport llhttp 9.2.1 support to python-aiohttp 3.9.3.
Update llhttp to 9.2.1, fixing CVE-2024-27982.
Additionally, llhttp 9.2.0 contained a number of bug fixes.
Backport llhttp 9.2.1 support to python-aiohttp 3.9.3.
Update llhttp to 9.2.1, fixing CVE-2024-27982.
Additionally, llhttp 9.2.0 contained a number of bug fixes.
Backport llhttp 9.2.1 support to python-aiohttp 3.9.3.
Update llhttp to 9.2.1, fixing CVE-2024-27982.
Backport llhttp 9.2.1 support to python-aiohttp 3.9.3.
Update llhttp to 9.2.1, fixing CVE-2024-27982.
Backport llhttp 9.2.1 support to python-aiohttp 3.9.3.
Security fixes for
This is a security release.
Notable ChangesThis is a security release.
Notable ChangesThis is a security release
Notable ChangesThis is a security release
Notable ChangesThis patch introduces a helper crypto.hash() that computes a digest from the input at one shot. This can be 1.2-2x faster than the object-based createHash() for smaller inputs (<= 5MB) that are readily available (not streamed) and incur less memory overhead since no intermediate objects will be created.
const crypto = require('node:crypto'); // Hashing a string and return the result as a hex-encoded string. const string = 'Node.js'; // 10b3493287f831e81a438811a1ffba01f8cec4b7 console.log(crypto.hash('sha1', string));Contributed by Joyee Cheung in #51044.
Loading and parsing environment variablesLoad a specific .env file by specifying its path. Example: process.loadEnvFile('./development.env').
util.parseEnv(content):
Contributed by Yagiz Nizipli in #51476.
New connection attempt eventsThree new events were added in the net.createConnection flow:
Additionally, a previous bug has been fixed where a new connection attempt could have been started after a previous one failed and after the connection was destroyed by the user. This led to a failed assertion.
Contributed by Paolo Insogna in #51045.
Permission Model changesNode.js 20.12.0 comes with several fixes for the experimental permission model and two new semver-minor commits. We're adding a new flag --allow-addons to enable addon usage when using the Permission Model.
$ node --experimental-permission --allow-addonsContributed by Rafael Gonzaga in #51183
And relative paths are now supported through the --allow-fs-* flags. Therefore, with this release one can use:
$ node --experimental-permission --allow-fs-read=./index.jsTo give only read access to the entrypoint of the application.
Contributed by Rafael Gonzaga and Carlos Espa in #50758.
sea: support embedding assetsUsers can now include assets by adding a key-path dictionary to the configuration as the assets field. At build time, Node.js would read the assets from the specified paths and bundle them into the preparation blob. In the generated executable, users can retrieve the assets using the sea.getAsset() and sea.getAssetAsBlob() API.
{ "main": "/path/to/bundled/script.js", "output": "/path/to/write/the/generated/blob.blob", "assets": { "a.jpg": "/path/to/a.jpg", "b.txt": "/path/to/b.txt" } }The single-executable application can access the assets as follows:
const { getAsset } = require('node:sea'); // Returns a copy of the data in an ArrayBuffer const image = getAsset('a.jpg'); // Returns a string decoded from the asset as UTF8. const text = getAsset('b.txt', 'utf8'); // Returns a Blob containing the asset without copying. const blob = getAssetAsBlob('a.jpg');Contributed by Joyee Cheung in #50960.
Support configurable snapshot through --build-snapshot-config flagWe are adding a new flag --build-snapshot-config to configure snapshots through a custom JSON configuration file.
$ node --build-snapshot-config=/path/to/myconfig.jsonWhen using this flag, additional script files provided on the command line will not be executed and instead be interpreted as regular command line arguments.
These changes were contributed by Joyee Cheung and Anna Henningsen in #50453
Text StylingA new API has been created to format text based on util.inspect.colors, enabling you to style text in different colors (such as red, blue, ...) and emphasis (italic, bold, ...).
const { styleText } = require('node:util'); const errorMessage = styleText('red', 'Error! Error!'); console.log(errorMessage);Contributed by Rafael Gonzaga in #51850.
vm: support using the default loader to handle dynamic import()This patch adds support for using vm.constants.USE_MAIN_CONTEXT_DEFAULT_LOADER as the importModuleDynamically option in all vm APIs that take this option except vm.SourceTextModule. This allows users to have a shortcut to support dynamic import() in the compiled code without missing the compilation cache if they don't need customization of the loading process. We emit an experimental warning when the import() is actually handled by the default loader through this option instead of requiring --experimental-vm-modules.
const { Script, constants } = require('node:vm'); const { resolve } = require('node:path'); const { writeFileSync } = require('node:fs'); // Write test.js and test.txt to the directory where the current script // being run is located. writeFileSync(resolve(__dirname, 'test.mjs'), 'export const filename = "./test.json";'); writeFileSync(resolve(__dirname, 'test.json'), '{"hello": "world"}'); // Compile a script that loads test.mjs and then test.json // as if the script is placed in the same directory. const script = new Script( `(async function() { const { filename } = await import('./test.mjs'); return import(filename, { with: { type: 'json' } }) })();`, { filename: resolve(__dirname, 'test-with-default.js'), importModuleDynamically: constants.USE_MAIN_CONTEXT_DEFAULT_LOADER, }); // { default: { hello: 'world' } } script.runInThisContext().then(console.log);Contributed by Joyee Cheung in #51244.
Root certificates updated to NSS 3.98Certificates added:
Certificates removed:
Include Provides: nodejs20-* for non-versioned packages.
This is a security release
Notable ChangesThis is a security release
Notable ChangesSecurity fixes for