[3.9] nodejs: Slowloris HTTP Denial of Service with keep-alive (CVE-2019-5737)
An attacker can cause a Denial of Service (DoS) by establishing an HTTP
or HTTPS connection in keep-alive mode and by sending headers very
slowly thereby keeping
the connection and associated resources alive for a long period of time.
Attack potential is mitigated by the use of a load balancer or other
proxy layer.
This vulnerability is an extension of CVE-2018-12121, addressed in
November, 2018. The 40 second timeout and its adjustment
by server.headersTimeout apply to this fix as in CVE-2018-12121.
Severity is LOW.
References:
https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/
https://cwe.mitre.org/data/definitions/400.html
(from redmine: issue id 10049, created on 2019-03-05)
- Relations:
- parent #10047 (closed)
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information