Bug 488624 (CVE-2013-4450) - <net-libs/nodejs-{0.8.26,0.10.21}: HTTP Pipelining DoS (CVE-2013-4450)
Summary: <net-libs/nodejs-{0.8.26,0.10.21}: HTTP Pipelining DoS (CVE-2013-4450)
Status: RESOLVED FIXED
Alias: CVE-2013-4450
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://seclists.org/oss-sec/2013/q4/133
Whiteboard: B3 [noglsa]
Reported: 2013-10-19 17:42 UTC by Mikle Kolyada (RETIRED)
Modified: 2013-12-04 07:29 UTC (History)
Description Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2013-10-19 17:42:40 UTC
from ${URL}:

Node.js is vulnerable to DoS when a client sends too many pipelined HTTP requests.

Links:

https://groups.google.com/forum/#!topic/nodejs/NEbweYB0ei0
http://blog.nodejs.org/2013/10/18/node-v0-10-21-stable/
http://blog.nodejs.org/2013/10/18/node-v0-8-26-maintenance/
https://github.com/joyent/node/issues/6214
https://github.com/joyent/node/commit/085dd30e93da67362f044ad1b3b6b2d997064692

This issue affects all versions of Node released before 0.10.21 and 0.8.26.
Comment 1 Patrick Lauer gentoo-dev 2013-10-21 02:56:04 UTC
+  21 Oct 2013; Patrick Lauer <patrick@gentoo.org> +nodejs-0.10.21.ebuild,
+  +nodejs-0.8.26.ebuild, -nodejs-0.10.17.ebuild, -nodejs-0.10.18.ebuild,
+  -nodejs-0.10.19.ebuild, -nodejs-0.10.20.ebuild, -nodejs-0.8.21.ebuild,
+  -nodejs-0.8.23.ebuild:
+  Bump for #488624


All affected versions punted.
Comment 2 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2013-10-21 11:23:09 UTC
Arches, please test and mark stable:

=net-libs/nodejs-0.10.21

target KEYWORDS="amd64 x86"
Comment 3 Agostino Sarubbo gentoo-dev 2013-10-21 19:09:42 UTC
amd64 and x86 stable, please vote.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2013-10-24 00:04:34 UTC
CVE-2013-4450 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-4450):
  The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26
  allows remote attackers to cause a denial of service (memory and CPU
  consumption) by sending a large number of pipelined requests without reading
  the response.
Comment 5 Chris Reffett (RETIRED) gentoo-dev Security 2013-12-03 19:26:53 UTC
GLSA vote: no.
Comment 6 Sergey Popov gentoo-dev 2013-12-04 07:29:39 UTC
GLSA vote: no

Closing noglsa