[3.9] nodejs-current: Slowloris HTTP Denial of Service with keep-alive (CVE-2019-5737)

An attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and by sending headers very slowly thereby keeping
the connection and associated resources alive for a long period of time. Attack potential is mitigated by the use of a load balancer or other proxy layer.

This vulnerability is an extension of CVE-2018-12121, addressed in November, 2018. The 40 second timeout and its adjustment
by server.headersTimeout apply to this fix as in CVE-2018-12121.

Severity is LOW.

References:

https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/
https://cwe.mitre.org/data/definitions/400.html

(from redmine: issue id 10055, created on 2019-03-05)

Relations:
- parent #10053 (closed)

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information