Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 679132 (CVE-2019-5737, CVE-2019-5739) - <net-libs/nodejs-{6.17.0,8.15.1,10.15.2,11.10.1}: multiple vulnerabilities (CVE-2019-{5737,5739})
Summary: <net-libs/nodejs-{6.17.0,8.15.1,10.15.2,11.10.1}: multiple vulnerabilities (C...
Status: RESOLVED FIXED
Alias: CVE-2019-5737, CVE-2019-5739
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor
Assignee: Gentoo Security
URL: https://nodejs.org/en/blog/vulnerabil...
Whiteboard: B3 [glsa+ cve]
Keywords:
Depends on: CVE-2019-15604, CVE-2019-15605, CVE-2019-15606
Blocks:
  Show dependency tree
 
Reported: 2019-03-01 10:30 UTC by Jeroen Roovers (RETIRED)
Modified: 2020-03-20 19:24 UTC (History)
3 users (show)

See Also:
Package list:
net-libs/nodejs-8.16.2 net-libs/nodejs-12.13.0 net-libs/http-parser-2.9.2 =net-libs/nodejs-10.17.0
Runtime testing required: ---
stable-bot: sanity-check-

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Jeroen Roovers (RETIRED) gentoo-dev 2019-03-01 10:30:13 UTC 
"
Node.js: Slowloris HTTP Denial of Service with keep-alive (CVE-2019-5737)
Categorization: Uncontrolled Resource Consumption / Denial of Service (CWE-400)

All actively supported release lines are vulnerable and the severity is LOW. An attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and by sending headers very slowly thereby keeping the connection and associated resources alive for a long period of time. Attack potential is mitigated by the use of a load balancer or other proxy layer.

This vulnerability is an extension of CVE-2018-12121, addressed in November, 2018. The 40 second timeout and its adjustment by server.headersTimeout apply to this fix as in CVE-2018-12121.

CVE-2018-12121 originally reported by Jan Maybach (liebdich.com), keep-alive variant reported by Marco Pracucci), fixed by Matteo Collina.

Impact:

All versions of Node.js 6 (LTS "Boron") are vulnerable
All versions of Node.js 8 (LTS "Carbon") are vulnerable
All versions of Node.js 10 (LTS "Dubnium") are vulnerable
All versions of Node.js 11 (Current) are vulnerable
Node.js: Denial of Service with keep-alive HTTP connections (CVE-2019-5739)
Categorization: Uncontrolled Resource Consumption / Denial of Service (CWE-400)

Keep-alive HTTP and HTTPS connections can remain open and inactive for up to 2 minutes in Node.js 6.16.0 and earlier. Node.js 8.0.0 introduced a dedicated server.keepAliveTimeout which defaults to 5 seconds. The behavior in Node.js 6.16.0 and earlier is a potential Denial of Service (DoS) attack vector. Node.js 6.17.0 introduces server.keepAliveTimeout and the 5-second default.

The original fix was submitted by Timur Shemsedinov) and backported by Matteo Collina.

Impact:

All versions of Node.js 6 (LTS "Boron") are vulnerable
All versions of Node.js 8 (LTS "Carbon") are NOT vulnerable
All versions of Node.js 10 (LTS "Dubnium") are NOT vulnerable
All versions of Node.js 11 (Current) are NOT vulnerable
"
Comment 1 Yury German Gentoo Infrastructure gentoo-dev 2019-03-11 03:33:19 UTC 
Maintainer(s), please advise if you are ready for stabilization or call for stabilization yourself.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2019-10-26 14:31:36 UTC 
@ maintainer(s): Please call for stabilization on your own or advice. Without any feedback we will stabilize latest LTS version next week.
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2019-10-26 14:33:23 UTC 
Adding =net-libs/nodejs-8.16.2 to list for <openssl-1.1.1 users.
Comment 4 Stabilization helper bot gentoo-dev 2019-10-31 13:02:11 UTC 
An automated check of this bug failed - repoman reported dependency errors (770 lines truncated): 

> dependency.bad net-libs/nodejs/nodejs-8.16.2.ebuild: DEPEND: amd64(default/linux/amd64/17.0) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.16.2.ebuild: RDEPEND: amd64(default/linux/amd64/17.0) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.16.2.ebuild: DEPEND: amd64(default/linux/amd64/17.0/desktop) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.16.2.ebuild: DEPEND: amd64(default/linux/amd64/17.0) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.16.2.ebuild: RDEPEND: amd64(default/linux/amd64/17.0) ['>=net-libs/http-parser-2.9.0:=']
> dependency.bad net-libs/nodejs/nodejs-8.16.2.ebuild: DEPEND: amd64(default/linux/amd64/17.0/desktop) ['>=net-libs/http-parser-2.9.0:=']
Comment 5 Stabilization helper bot gentoo-dev 2019-10-31 15:02:39 UTC 
An automated check of this bug failed - repoman reported dependency errors (382 lines truncated): 

> dependency.bad net-libs/nodejs/nodejs-12.13.0.ebuild: DEPEND: amd64(default/linux/amd64/17.0) ['>=dev-libs/libuv-1.32.0:=', '>=net-dns/c-ares-1.15.0']
> dependency.bad net-libs/nodejs/nodejs-12.13.0.ebuild: RDEPEND: amd64(default/linux/amd64/17.0) ['>=dev-libs/libuv-1.32.0:=', '>=net-dns/c-ares-1.15.0']
> dependency.bad net-libs/nodejs/nodejs-12.13.0.ebuild: DEPEND: amd64(default/linux/amd64/17.0/desktop) ['>=dev-libs/libuv-1.32.0:=', '>=net-dns/c-ares-1.15.0']
> dependency.bad net-libs/nodejs/nodejs-12.13.0.ebuild: DEPEND: amd64(default/linux/amd64/17.0) ['>=dev-libs/libuv-1.32.0:=', '>=net-dns/c-ares-1.15.0']
> dependency.bad net-libs/nodejs/nodejs-12.13.0.ebuild: RDEPEND: amd64(default/linux/amd64/17.0) ['>=dev-libs/libuv-1.32.0:=', '>=net-dns/c-ares-1.15.0']
> dependency.bad net-libs/nodejs/nodejs-12.13.0.ebuild: DEPEND: amd64(default/linux/amd64/17.0/desktop) ['>=dev-libs/libuv-1.32.0:=', '>=net-dns/c-ares-1.15.0']
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2019-10-31 15:17:21 UTC 
Moved stabilization of

  =dev-libs/libuv-1.33.1
  =net-dns/c-ares-1.15.0

to own, dedicated bugs due to different keywords.
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2019-11-01 21:04:12 UTC 
x86 stable
Comment 8 Thomas Deutschmann (RETIRED) gentoo-dev 2019-11-07 20:07:01 UTC 
x86 stable
Comment 9 Aaron Bauman (RETIRED) gentoo-dev 2019-11-11 16:59:44 UTC 
arm64 stable
Comment 10 Leho Kraav (:macmaN @lkraav) 2019-11-14 16:49:04 UTC 
Hi Jeroen. Is there anything still blocking amd64 stabilization? Some of my packages are starting to require Node 10 as a hard dependency, been looking for an opportunity to upgrade from Node 8. Anything I or anyone can do to help?
Comment 11 Agostino Sarubbo gentoo-dev 2019-11-19 10:36:46 UTC 
amd64 stable
Comment 12 Stabilization helper bot gentoo-dev 2020-02-06 09:58:51 UTC 
An automated check of this bug failed - the following atoms are unknown:

net-libs/nodejs-8.16.2
net-libs/nodejs-12.13.0
net-libs/nodejs-10.17.0

Please verify the atom list.
Comment 13 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-20 01:07:34 UTC 
GLSA Vote: No

Stabilization/cleanup blocked by bug 702988.
Comment 14 Stabilization helper bot gentoo-dev 2020-03-20 02:00:03 UTC 
An automated check of this bug failed - the following atoms are unknown:

net-libs/nodejs-8.16.2
net-libs/nodejs-12.13.0
net-libs/nodejs-10.17.0

Please verify the atom list.
Comment 15 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-20 18:54:58 UTC 
Added to an existing GLSA.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2020-03-20 19:22:07 UTC 
This issue was resolved and addressed in
 GLSA 202003-48 at https://security.gentoo.org/glsa/202003-48
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 17 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-20 19:24:00 UTC 
Superseded by bug 708458.