Bug 488624 (CVE-2013-4450) - <net-libs/nodejs-{0.8.26,0.10.21}: HTTP Pipelining DoS (CVE-2013-4450)
Summary: <net-libs/nodejs-{0.8.26,0.10.21}: HTTP Pipelining DoS (CVE-2013-4450)
Alias: CVE-2013-4450
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [noglsa]
Depends on:
Reported: 2013-10-19 17:42 UTC by Mikle Kolyada
Modified: 2013-12-04 07:29 UTC
Description Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2013-10-19 17:42:40 UTC
from ${URL}:

Node.js is vulnerable to DoS when a client sends too many pipelined HTTP requests.


This issue affects all versions of Node released before 0.10.21 and 0.8.26.
Comment 1 Patrick Lauer gentoo-dev 2013-10-21 02:56:04 UTC
+  21 Oct 2013; Patrick Lauer <> +nodejs-0.10.21.ebuild,
+  +nodejs-0.8.26.ebuild, -nodejs-0.10.17.ebuild, -nodejs-0.10.18.ebuild,
+  -nodejs-0.10.19.ebuild, -nodejs-0.10.20.ebuild, -nodejs-0.8.21.ebuild,
+  -nodejs-0.8.23.ebuild:
+  Bump for #488624
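Review bot: the message on the last line, "Bump for #488624", does not say that this is a security bump or name CVE-2013-4450, and it gives no reason for dropping the six older ebuilds listed above it. Suggest wording along the lines of "Security bump for bug #488624 (CVE-2013-4450); remove vulnerable versions" so the removals are explained in the ChangeLog itself.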

All affected versions punted.
Comment 2 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2013-10-21 11:23:09 UTC
Arches, please test and mark stable:


target KEYWORDS="amd64 x86"
Comment 3 Agostino Sarubbo gentoo-dev 2013-10-21 19:09:42 UTC
amd64 and x86 stable, please vote.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2013-10-24 00:04:34 UTC
CVE-2013-4450 (
  The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26
  allows remote attackers to cause a denial of service (memory and CPU
  consumption) by sending a large number of pipelined requests without reading
  the response.
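
The memory growth described in the CVE text, and the effect of stopping at a stream's high-water mark, shown as an added example (not part of the bug report and not Node.js's own code). `stalledClient`, `servePipelined`, the 1 KiB response and the 16 KiB limit are constructed for illustration; the client is a local `Writable` that never drains, standing in for a peer that does not read its responses.

```javascript
'use strict';
const { Writable } = require('stream');

const RESPONSE = Buffer.alloc(1024, 'x'); // constructed 1 KiB response
const HIGH_WATER_MARK = 16 * 1024;        // assumed per-connection output limit

// Constructed stand-in for a client that pipelines requests but never reads:
// bytes are accepted into the stream buffer, the write callback never fires,
// so the buffer never drains.
function stalledClient() {
  return new Writable({
    highWaterMark: HIGH_WATER_MARK,
    write(_chunk, _encoding, _callback) { /* intentionally never completes */ },
  });
}

// Hypothetical per-connection loop: one response per pipelined request.
function servePipelined(requestCount, client, { backpressure }) {
  let handled = 0;
  while (handled < requestCount) {
    const belowLimit = client.write(RESPONSE);
    handled += 1;
    // With backpressure the server stops taking requests from this
    // connection once write() reports a full buffer; it would continue
    // only after the stream emits 'drain'.
    if (backpressure && !belowLimit) break;
  }
  return { handled, bufferedBytes: client.writableLength };
}

const unbounded = servePipelined(1000, stalledClient(), { backpressure: false });
const bounded = servePipelined(1000, stalledClient(), { backpressure: true });
console.log('no backpressure:', unbounded);
console.log('backpressure:   ', bounded);
```

Without the check, buffered output grows linearly with the number of pipelined requests; with it, the connection is capped at the high-water mark regardless of how many requests are queued.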
Comment 5 Chris Reffett (RETIRED) gentoo-dev Security 2013-12-03 19:26:53 UTC
GLSA vote: no.
Comment 6 Sergey Popov gentoo-dev 2013-12-04 07:29:39 UTC
GLSA vote: no

Closing noglsa