You've a point. But if someone really needs to exploit this, they will do the attack anyhow.
But I hope this is to prevent especially script kiddies exploiting node using this issue. I think this is a good idea.

On Mon, Oct 21, 2013 at 1:41 AM, <[email protected]> wrote:

> I went ahead and requested a CVE:
>
> -------- Original Message --------
>> Subject: Re: CVE Request: Node.js HTTP Pipelining DoS
>> Date: Sat, 19 Oct 2013 22:25:52 -0600
>> From: Kurt Seifried <kseifried@redhat.com>
>> Reply-To: [email protected]
>> Organization: Red Hat Inc.
>> To: [email protected]
>>
>> On 10/19/2013 09:43 AM, Jonathan Rudenberg wrote:
>> > Node.js is vulnerable to DoS when a client sends too many pipelined HTTP requests.
>> >
>> > Links:
>> >
>> > https://groups.google.com/forum/#!topic/nodejs/NEbweYB0ei0
>> > http://blog.nodejs.org/2013/10/18/node-v0-10-21-stable/
>> > http://blog.nodejs.org/2013/10/18/node-v0-8-26-maintenance/
>> > https://github.com/joyent/node/issues/6214
>> > https://github.com/joyent/node/commit/085dd30e93da67362f044ad1b3b6b2d997064692
>> >
>> > This issue affects all versions of Node released before 0.10.21 and 0.8.26.
>>
>> So my first reply bounced off the list (hopefully this one does not).
>>
>> Please use CVE-2013-4450 for this issue.
>>
>> As for shipping a security update with "no details" in order to protect people, this doesn't work very well when you're open source and leave the keyword in the source code where the fix is and add comments that give all the details.
>>
>> You might as well release details in the advisory so that the good guys can quickly assess the issue and deal with it properly, rather than pretending that the bad guys can't read the source code and figure out how to exploit this. It took me literally all of five minutes to download the current version, the previous version minus one, diff them, and look for the keyword "piplined" (what can I say, I was eating a sandwich and only had one hand free ;).
>>
>> --
>> Kurt Seifried, Red Hat Security Response Team (SRT)
>> PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
--
Arunoda Susiripala
@arunoda <http://twitter.com/arunoda> <http://gplus.to/arunoda>
https://github.com/arunoda
http://www.linkedin.com/in/arunoda

--
Job Board: http://jobs.nodejs.org/
Posting guidelines: https://github.com/joyent/node/wiki/Mailing-List-Posting-Guidelines
You received this message because you are subscribed to the Google Groups "nodejs" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/nodejs?hl=en?hl=en
---
You received this message because you are subscribed to the Google Groups "nodejs" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
For more options, visit https://groups.google.com/groups/opt_out.
