[v6.x] http: fix backport of Slowris headers #24796
Conversation
cc @nodejs/release @nodejs/tsc this would need to be released ASAP, Node v6.x is currently broken.
Should this target v6.x-staging?
@mcollina commit summary needs to be changed: "Slowris" -> "Slowloris"
v6.x-staging is not up-to-date, and it's the prerogative of the @nodejs/release team to get it up to date. As such, I've targeted v6.x.
@addaleax 6.x is appropriate, we can ship a release with only this commit. There are some things waiting on staging that probably should pollute a release to minimise safety concerns for users.
The backport of nodejs@618eebdd17 was not complete, and the starting time to parse the headers was not reset. Fixes: nodejs#24760
@rvagg done, PTAL
b8d857a to 4341817
The backport of 618eebdd17 was not complete, and the starting time to parse the headers was not reset.
PR-URL: #24796
Fixes: #24760
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Landed, expedited, 5d9005c. There's no reason to delay on this, is there?
There is not.
Notable Changes: This is a patch release to address a bad backport of the fix for "Slowloris HTTP Denial of Service" (CVE-2018-12122). Node.js 6.15.0 misapplies the headers timeout to an entire keep-alive HTTP session, resulting in prematurely disconnected sockets.
PR-URL: #24803
Refs: #24796
Refs: #24760
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
The backport of 618eebdd17 was not complete, and the starting time to parse the headers was not reset.
Fixes: #24760
Checklist
- make -j4 test (UNIX), or vcbuild test (Windows) passes