I went ahead and requested a CVE:

-------- Original Message --------
> Subject: Re: CVE Request: Node.js HTTP Pipelining DoS
> Date: Sat, 19 Oct 2013 22:25:52 -0600
> From: Kurt Seifried <kseifried@redhat.com>
> Reply-To: [email protected]
> Organization: Red Hat Inc.
> To: [email protected]
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 10/19/2013 09:43 AM, Jonathan Rudenberg wrote:
> > Node.js is vulnerable to DoS when a client sends too many pipelined
> > HTTP requests.
> >
> > Links:
> >
> > https://groups.google.com/forum/#!topic/nodejs/NEbweYB0ei0
> > http://blog.nodejs.org/2013/10/18/node-v0-10-21-stable/
> > http://blog.nodejs.org/2013/10/18/node-v0-8-26-maintenance/
> > https://github.com/joyent/node/issues/6214
> > https://github.com/joyent/node/commit/085dd30e93da67362f044ad1b3b6b2d997064692
> >
> > This issue affects all versions of Node released before 0.10.21
> > and 0.8.26.
>
> So my first reply bounced off the list (hopefully this one does not).
>
> Please use CVE-2013-4450 for this issue.
>
> As for shipping a security update with "no details" in order to
> protect people: this doesn't work very well when you're open source and
> leave the keyword in the source code where the fix is and add comments
> that give all the details.
>
> You might as well release details in the advisory so that the good guys
> can quickly assess the issue and deal with it properly, rather than
> pretending that the bad guys can't read the source code and figure out
> how to exploit this. It took me literally all of five minutes to
> download the current version, the previous version minus one, diff
> them, and look for the keyword "piplined" (what can I say, I was
> eating a sandwich and only had one hand free ;).
>
> - --
> Kurt Seifried Red Hat Security Response Team (SRT)
> PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
