Skip to content

Commit

Permalink
2019-02-28, Version 11.10.1 (Current)
Browse files Browse the repository at this point in the history 
This is a security release. All Node.js users should consult the security
release summary at:

  https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/

for details on patched vulnerabilities.

A fix for the following CVE is included in this release:

  * Node.js: Slowloris HTTP Denial of Service with keep-alive
    (CVE-2019-5737)

Notable Changes:

* http: Further prevention of "Slowloris" attacks on HTTP and HTTPS
  connections by consistently applying the receive timeout set by
  `server.headersTimeout` to connections in keep-alive mode. Reported by
  Marco Pracucci (https://voxnest.com). (CVE-2019-5737 / Matteo Collina)

PR-URL: nodejs-private/node-private#163
  • Loading branch information
@rvagg
rvagg committed Feb 28, 2019
1 parent 667b31b commit f1cefdc
Show file tree
Hide file tree
Showing 2 changed files with 24 additions and 1 deletion.
3 changes: 2 additions & 1 deletion CHANGELOG.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,8 @@ release.
</tr>
<tr>
<td valign="top">
<b><a href="doc/changelogs/CHANGELOG_V11.md#11.10.0">11.10.0</a></b><br/>
<b><a href="doc/changelogs/CHANGELOG_V11.md#11.10.1">11.10.1</a></b><br/>
<a href="doc/changelogs/CHANGELOG_V11.md#11.10.0">11.10.0</a><br/>
<a href="doc/changelogs/CHANGELOG_V11.md#11.9.0">11.9.0</a><br/>
<a href="doc/changelogs/CHANGELOG_V11.md#11.8.0">11.8.0</a><br/>
<a href="doc/changelogs/CHANGELOG_V11.md#11.7.0">11.7.0</a><br/>
Expand Down
22 changes: 22 additions & 0 deletions doc/changelogs/CHANGELOG_V11.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@
</tr>
<tr>
<td>
<a href="#11.10.1">11.10.1</a><br/>
<a href="#11.10.0">11.10.0</a><br/>
<a href="#11.9.0">11.9.0</a><br/>
<a href="#11.8.0">11.8.0</a><br/>
Expand Down Expand Up @@ -37,6 +38,27 @@
* [io.js](CHANGELOG_IOJS.md)
* [Archive](CHANGELOG_ARCHIVE.md)

<a id="11.10.1"></a>
## 2019-02-28, Version 11.10.1 (Current), @rvagg

This is a security release. All Node.js users should consult the security release summary at:

https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/

for details on patched vulnerabilities.

A fix for the following CVE is included in this release:

* Node.js: Slowloris HTTP Denial of Service with keep-alive (CVE-2019-5737)

### Notable Changes

* **http**: Further prevention of "Slowloris" attacks on HTTP and HTTPS connections by consistently applying the receive timeout set by `server.headersTimeout` to connections in keep-alive mode. Reported by Marco Pracucci ([Voxnest](https://voxnest.com)). (CVE-2019-5737 / Matteo Collina)

### Commits

* [[`05534a24ca`](https://github.com/nodejs/node/commit/05534a24ca)] - **http**: prevent slowloris with keepalive connections (Matteo Collina) [nodejs-private/node-private#158](https://github.com/nodejs-private/node-private/pull/158)

<a id="11.10.0"></a>
## 2019-02-14, Version 11.10.0 (Current), @targos

Expand Down

0 comments on commit f1cefdc

Please sign in to comment.