[High] Upgrade reaper for CVE-2025-9288

Author: durgajagadeesh

SPECS/reaper/reaper.signatures.json

@@ -2,9 +2,9 @@
  "Signatures": {
   "cassandra-reaper-3.1.1.tar.gz": "6efe52195ad4a3c3b7a6f928bafa60d3df011709d9bc918e717033bf86d724d8",
   "reaper-bower-components-3.1.1-1.tar.gz": "51f5b03b3f56966f5fbfe28a13e0a74003cf33372ff4ba13fd82c6fe79092033",
-  "reaper-local-lib-node-modules-3.1.1.tar.gz": "8daf9a8726a85ca31b024a5bab60a357fe927f670908955cdd9b106bf9c6bd60",
+  "reaper-local-lib-node-modules-3.1.1.tar.gz": "043dec92e8d1d07bbcb920f0f10a148d63c600f2101935f3c39f4654d470135d",
   "reaper-local-n-3.1.1-1.tar.gz": "e60ecf1c982c8cd44b35da02aec6de5b1f8f0df562f290f9bb905d03f9eefa68",
-  "reaper-m2-cache-3.1.1.tar.gz": "14103df496c6bfd1bf2690b45e6082e3411872f7332f03a68cf5d8e28fc6b27f",
+  "reaper-m2-cache-3.1.1.tar.gz": "f40a24a31488b35f0c5815d815a9ded70108f53e0140f3c4bddef181a7450f08",
   "reaper-srcui-node-modules-3.1.1-1.tar.gz": "edd67243e97838657e09513f639a8e7c81fbb813353a19eba3949f79fb9e3e9e"
  }
 }

SPECS/reaper/reaper.spec

@@ -6,7 +6,7 @@
 Summary:        Reaper for cassandra is a tool for running Apache Cassandra repairs against single or multi-site clusters.
 Name:           reaper
 Version:        3.1.1
-Release:        19%{?dist}
+Release:        20%{?dist}
 License:        ASL 2.0
 Vendor:         Microsoft Corporation
 Distribution:   Mariner
@@ -32,25 +32,14 @@ Source7:        reaper-local-n-%{version}-%{local_n_release}.tar.gz
 # The src/ui/node_modules/ws/package.json file suggest we're on the
 # 6.x version of "ws". Patch for this version taken from here:
 # https://github.com/websockets/ws/commit/eeb76d313e2a00dd5247ca3597bba7877d064a63
-Patch0:         CVE-2024-37890.patch
-Patch1:         CVE-2023-42282.patch
-Patch2:         CVE-2017-18214.patch
-Patch3:         CVE-2024-42459.patch
-Patch4:         CVE-2024-43796.patch
-Patch5:         CVE-2024-45296.patch
-Patch6:         CVE-2024-43799.patch
-Patch7:         CVE-2024-43800.patch
-Patch8:         CVE-2024-47764.patch
-Patch9:         CVE-2024-48949.patch
-Patch10:        CVE-2024-45590.patch
-Patch11:        CVE-2024-21538.patch
-Patch12:        CVE-2020-28458.patch
-Patch13:        CVE-2024-52798.patch
-Patch14:        CVE-2020-24025.patch
-Patch15:        CVE-2024-28863.patch
-Patch16:        CVE-2024-12905.patch
-Patch17:        CVE-2024-6484.patch
-Patch18:        CVE-2025-48387.patch
+Patch0:        CVE-2023-42282.patch
+Patch1:        CVE-2017-18214.patch
+Patch2:        CVE-2020-28458.patch
+Patch3:        CVE-2020-24025.patch
+Patch4:        CVE-2024-28863.patch
+Patch5:        CVE-2024-12905.patch
+Patch6:        CVE-2024-6484.patch
+Patch7:        CVE-2025-48387.patch
 
 BuildRequires:  git
 BuildRequires:  javapackages-tools
@@ -108,15 +97,15 @@ ln -sf ../lib/node_modules/npm/bin/npx-cli.js bin/npx
 cp n/versions/node/14.18.0/bin/node bin
 popd
 
-%autopatch -p1 -M 14
+%autopatch -p1 -M 3
 
 pushd $tmp_local_dir/lib/node_modules/
-%autopatch -p1 15
+%autopatch -p1 4
 popd
 pushd $tmp_local_dir/n/versions/node/14.18.0/lib/node_modules/
-%autopatch -p1 15
+%autopatch -p1 4
 popd
-%autopatch -p1 -m 16
+%autopatch -p1 -m 5
 
 # Removed for CVE-2024-6484.patch as they are unused and contain
 # vulnerabilities that are not easily patched out.
@@ -199,6 +188,10 @@ fi
 %{_unitdir}/cassandra-%{name}.service
 
 %changelog
+* Wed Sep 03 2025 Durga Jagadeesh Palli <[email protected]> - 3.1.1-20
+- Upgrade the sha.js from v2.4.11 to v2.4.12 to address CVE-2025-9288
+- Fix the reaper_build_script.sh error to generate the new cache tar bal
+
 * Thu Jun 05 2025 Jyoti Kanase <[email protected]> - 3.1.1-19
 - Patch CVE-2024-6484 and CVE-2025-48387
 

SPECS/reaper/reaper_build_caches.sh

@@ -62,21 +62,37 @@ function checkInternet {
 function installNodeModules {
 	echo "Installing node modules."
 	sudo tdnf install -y nodejs
-	npm config set cache "$homeCacheDir/.npm" --global
-	# Default node/npm versions in Mariner fails to build dependency node module versions due to known
-	# incompatibilities.
-	# Backward compatible with [email protected]
-	# When installing modules via npm to default prefix='/usr/local' in mariner, the permissions for 'others'
-	# is incoorectly set that causes 'which' to still point to older path, as access/newfstatat fail with -ENOPERM
-	# Setting a new global npm folder for fixing permission issues.
-	# (works well with id=0, but reaper build will fail.)
-	mkdir --mode 0777 $homeCacheDir/.npm-global
+
+	# Set up npm to use only user-writable directories
+	export NPM_CONFIG_USERCONFIG="$homeCacheDir/.npmrc"
+	mkdir -p "$homeCacheDir/.npm"
+	mkdir -p "$homeCacheDir/.npm-global"
+	npm config set cache "$homeCacheDir/.npm"
 	npm config set prefix "$homeCacheDir/.npm-global"
-	export PATH="$homeCacheDir/.npm-global/bin":$PATH
+	export PATH="$homeCacheDir/.npm-global/bin:$PATH"
+	export NPM_CONFIG_PREFIX="$homeCacheDir/.npm-global"
+	export NPM_CONFIG_CACHE="$homeCacheDir/.npm"
+	export XDG_CACHE_HOME="$homeCacheDir/.cache"
+
+	echo "npm config list:"
+	npm config list
+	echo "env | grep -i npm:"
+	env | grep -i npm
+
+	# Install and use Node.js v14.18.0 with n
 	npm install -g n
 	export N_PREFIX="$homeCacheDir/.npm-global"
 	n 14.18.0
-	export XDG_CACHE_HOME=$homeCacheDir/.cache
+
+	# Ensure the shell uses the new node and npm
+	export PATH="$homeCacheDir/.npm-global/bin:$PATH"
+	hash -r
+	echo "After n:"
+	which node
+	which npm
+	node -v
+	npm -v
+
 	npm install -g bower
 	# Clear bash hash tables for node/npm paths
 	hash -r
@@ -147,7 +163,7 @@ buildReaperSources
 
 createCacheTars
 
-mkdir "$HOME/reaper_caches"
+mkdir -p $HOME/reaper_caches
 
 cp -a ${reaperCacheDir} "$HOME/reaper_caches"