[LOW] Patch nodejs for CVE-2025-47279 (#13843)

aninda-al · web-flow · commit 88f328fc5e81 · 2025-05-30T13:38:07.000+05:30
diff --git a/SPECS/nodejs/CVE-2025-47279.patch b/SPECS/nodejs/CVE-2025-47279.patch
@@ -0,0 +1,39 @@
+From 65cefbb3615e056330686cf5ffd1f7201fd8db58 Mon Sep 17 00:00:00 2001
+From: Aninda <v-anipradhan@microsoft.com>
+Date: Mon, 19 May 2025 20:44:26 -0400
+Subject: [PATCH] Address CVE-2025-47279
+Upstream Patch Reference: https://github.com/nodejs/undici/commit/f317618ec28753a4218beccea048bcf89c36db25
+
+---
+ deps/undici/src/lib/dispatcher/pool.js | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git a/deps/undici/src/lib/dispatcher/pool.js b/deps/undici/src/lib/dispatcher/pool.js
+index 0ba3a2b5..8cea1476 100644
+--- a/deps/undici/src/lib/dispatcher/pool.js
++++ b/deps/undici/src/lib/dispatcher/pool.js
+@@ -73,6 +73,21 @@ class Pool extends PoolBase {
+       ? { ...options.interceptors }
+       : undefined
+     this[kFactory] = factory
++
++    this.on('connectionError', (origin, targets, error) => {
++      // If a connection error occurs, we remove the client from the pool,
++      // and emit a connectionError event. They will not be re-used.
++      // Fixes https://github.com/nodejs/undici/issues/3895
++      for (const target of targets) {
++        // Do not use kRemoveClient here, as it will close the client,
++        // but the client cannot be closed in this state.
++        const idx = this[kClients].indexOf(target)
++        if (idx !== -1) {
++          this[kClients].splice(idx, 1)
++        }
++      }
++    })
++    
+   }
+ 
+   [kGetDispatcher] () {
+-- 
+2.34.1
+
diff --git a/SPECS/nodejs/nodejs.spec b/SPECS/nodejs/nodejs.spec
@@ -5,7 +5,7 @@ Name:           nodejs
 # WARNINGS: MUST check and update the 'npm_version' macro for every version update of this package.
 #           The version of NPM can be found inside the sources under 'deps/npm/package.json'.
 Version:        20.14.0
-Release:        7%{?dist}
+Release:        8%{?dist}
 License:        BSD AND MIT AND Public Domain AND NAIST-2003 AND Artistic-2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -26,6 +26,7 @@ Patch7:         CVE-2024-22195.patch
 Patch8:         CVE-2020-28493.patch
 Patch9:         CVE-2024-34064.patch
 Patch10:        CVE-2025-27516.patch
+Patch11:        CVE-2025-47279.patch
 BuildRequires:  brotli-devel
 BuildRequires:  c-ares-devel
 BuildRequires:  coreutils >= 8.22
@@ -137,6 +138,9 @@ make cctest
 %{_prefix}/lib/node_modules/*
 
 %changelog
+* Wed May 21 2025 Aninda Pradhan <v-anipradhan@microsoft.com> - 20.14.0-8
+- Patch CVE-2025-47279
+
 * Mon Mar 10 2025 Sandeep Karambelkar <skarambelkar@microsoft.com> - 20.14.0-7
 - Patch CVE-2025-27516
 
