[HIGH] Upgrade nodejs24 to 24.14.1 for CVE-2026-21710, CVE-2026-21637, CVE-2026-21717, CVE-2026-21713, CVE-2026-21714, CVE-2026-21712, CVE-2026-21716, CVE-2026-21715 (microsoft#16403)

Author: Ratiranjan5

SPECS/nodejs24/CVE-2025-69418.patch

@@ -3,6 +3,6 @@
   "btest402.js": "fabaf4dacc13e93d54f825b87ffde18573214b149388a5f96176236dd31d7768",
   "icu4c-77_1-data-bin-b.zip": "d8be12e03f782da350508b15354738ed97a3289008a787b6bd2a85434374bff4",
   "icu4c-77_1-data-bin-l.zip": "0913674ff673c585f8bc08370916b6a6ccc30ffb6408a5c1bc3edbf5a687fd96",
-  "node-v24.13.0.tar.xz": "320fe909cbb347dcf516201e4964ef177b8138df9a7f810d0d54950481b3158b"
+  "node-v24.14.1.tar.xz": "7822507713f202cf2a551899d250259643f477b671706db421a6fb55c4aa0991"
  }
-}
+}

SPECS/nodejs24/nodejs24.signatures.json

@@ -15,8 +15,8 @@ Summary:        A JavaScript runtime built on Chrome's V8 JavaScript engine.
 Name:           nodejs24
 # WARNINGS: MUST check and update the 'npm_version' macro for every version update of this package.
 #           The version of NPM can be found inside the sources under 'deps/npm/package.json'.
-Version:        24.13.0
-Release:        3%{?dist}
+Version:        24.14.1
+Release:        1%{?dist}
 License:        BSD AND MIT AND Public Domain AND NAIST-2003 AND Artistic-2.0
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
@@ -35,7 +35,6 @@ Patch2:         CVE-2024-22195.patch
 Patch3:         CVE-2020-28493.patch
 Patch4:         CVE-2024-34064.patch
 Patch5:         CVE-2025-27516.patch
-Patch6:         CVE-2025-69418.patch
 BuildRequires:  brotli-devel
 BuildRequires:  c-ares-devel
 BuildRequires:  coreutils >= 8.22
@@ -46,6 +45,7 @@ BuildRequires:  openssl-devel >= 1.1.1
 BuildRequires:  python3
 BuildRequires:  which
 BuildRequires:  zlib-devel
+BuildRequires:  perl-WWW-Curl
 Requires:       brotli
 Requires:       c-ares
 Requires:       coreutils >= 8.22
@@ -180,6 +180,18 @@ make cctest
 %{_prefix}/lib/node_modules/*
 
 %changelog
+* Wed Apr 01 2026 Ratiranjan Behera <v-ratbehera@microsoft.com> - 24.14.1-1
+- Upgrade to 24.14.1
+- Security fixes included:
+  CVE-2026-21710: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) - High
+  CVE-2026-21637: wrap SNICallback invocation in try/catch (Matteo Collina) - High
+  CVE-2026-21717: test array index hash collision (Joyee Cheung) - Medium
+  CVE-2026-21713: use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) - Medium
+  CVE-2026-21714: handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) - Medium
+  CVE-2026-21712: handle url crash on different url formats (RafaelGSS) - Medium
+  CVE-2026-21716: include permission check on lib/fs/promises (RafaelGSS) - Low
+  CVE-2026-21715: add permission check to realpath.native (RafaelGSS) - Low
+
 * Fri Feb 13 2026 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 24.13.0-3
 - Patch for CVE-2025-69418
 

SPECS/nodejs24/nodejs24.spec

@@ -14552,8 +14552,8 @@
         "type": "other",
         "other": {
           "name": "nodejs24",
-          "version": "24.13.0",
-          "downloadUrl": "https://nodejs.org/download/release/v24.13.0/node-v24.13.0.tar.xz"
+          "version": "24.14.1",
+          "downloadUrl": "https://nodejs.org/download/release/v24.14.1/node-v24.14.1.tar.xz"
         }
       }
     },
@@ -31626,4 +31626,4 @@
     }
   ],
   "Version": 1
-}
+}