[LOW] Patch nodejs for CVE-2025-47279 (#13852)

aninda-al · web-flow · commit 4188fb95f823 · 2025-05-30T13:36:51.000+05:30
diff --git a/SPECS/nodejs/CVE-2025-47279.patch b/SPECS/nodejs/CVE-2025-47279.patch
@@ -0,0 +1,38 @@
+From 0df25374147ee336e08c3e5a67f98c3a0c9c74fb Mon Sep 17 00:00:00 2001
+From: Aninda <v-anipradhan@microsoft.com>
+Date: Wed, 21 May 2025 14:52:49 -0400
+Subject: [PATCH] Address CVE-2025-47279
+Upstream Patch Reference: https://github.com/nodejs/undici/commit/f317618ec28753a4218beccea048bcf89c36db25
+
+---
+ deps/undici/src/lib/pool.js | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/deps/undici/src/lib/pool.js b/deps/undici/src/lib/pool.js
+index e3cd3399..86b29d44 100644
+--- a/deps/undici/src/lib/pool.js
++++ b/deps/undici/src/lib/pool.js
+@@ -73,6 +73,20 @@ class Pool extends PoolBase {
+       ? { ...options.interceptors }
+       : undefined
+     this[kFactory] = factory
++
++    this.on('connectionError', (origin, targets, error) => {
++      // If a connection error occurs, we remove the client from the pool,
++      // and emit a connectionError event. They will not be re-used.
++      // Fixes https://github.com/nodejs/undici/issues/3895
++      for (const target of targets) {
++        // Do not use kRemoveClient here, as it will close the client,
++        // but the client cannot be closed in this state.
++        const idx = this[kClients].indexOf(target)
++        if (idx !== -1) {
++          this[kClients].splice(idx, 1)
++        }
++      }
++    })
+   }
+ 
+   [kGetDispatcher] () {
+-- 
+2.34.1
+
diff --git a/SPECS/nodejs/nodejs18.spec b/SPECS/nodejs/nodejs18.spec
@@ -6,7 +6,7 @@ Name:           nodejs18
 # WARNINGS: MUST check and update the 'npm_version' macro for every version update of this package.
 #           The version of NPM can be found inside the sources under 'deps/npm/package.json'.
 Version:        18.20.3
-Release:        5%{?dist}
+Release:        6%{?dist}
 License:        BSD and MIT and Public Domain and NAIST-2003 and Artistic-2.0
 Group:          Applications/System
 Vendor:         Microsoft Corporation
@@ -24,6 +24,7 @@ Patch4:         CVE-2024-22020.patch
 Patch5:         CVE-2024-22195.patch
 Patch6:         CVE-2024-34064.patch
 Patch7:         CVE-2025-27516.patch
+Patch8:         CVE-2025-47279.patch
 BuildRequires:  brotli-devel
 BuildRequires:  coreutils >= 8.22
 BuildRequires:  gcc
@@ -124,6 +125,9 @@ make cctest
 %{_datadir}/systemtap/tapset/node.stp
 
 %changelog
+* Wed May 21 2025 Aninda Pradhan <v-anipradhan@microsoft.com> - 18.20.3-6
+- Patch CVE-2025-47279
+
 * Mon Mar 10 2025 Sandeep Karambelkar <skarambelkar@microsoft.com> - 18.20.3-5
 - Patch CVE-2025-27516
 
