Source: http-parser
Severity: important
Tags: security

Hi,

I believe this commit should partly be applied to http-parser:
https://github.com/nodejs/node/commit/a8532d4d2

Specifically setting HTTP_MAX_HEADER_SIZE to a more reasonable default (8192 instead of 81920 bytes) should be good for all other software depending on http-parser...

Jérémy

-- System Information:
Debian Release: buster/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.18.0-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8), LANGUAGE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled