[DoS security vulnerability. Original title redacted] #6214

Closed
majek opened this Issue Sep 12, 2013 · 4 comments


@majek
majek commented Sep 12, 2013

Redacted. (Fixed, but GitHub doesn't have private issues, so responsible disclosure was never really an option.)

@isaacs isaacs added a commit that closed this issue Oct 16, 2013
@isaacs isaacs http: provide backpressure for pipeline flood
If a client sends a lot more pipelined requests than we can handle, then
we need to provide backpressure so that the client knows to back off.
Do this by pausing both the stream and the parser itself when the
responses are not being read by the downstream client.

Fix GH-6214
085dd30
@isaacs isaacs closed this in 085dd30 Oct 16, 2013
@fengmk2
Member
fengmk2 commented Oct 17, 2013

@isaacs Will you fix this issue on node 0.8?

@isaacs
Collaborator
isaacs commented Oct 17, 2013

Yes, this is being back ported to 0.10 and 0.8.

@fengmk2
Member
fengmk2 commented Oct 17, 2013

Nice job!
On 2013-10-17 at 12:05 PM, "Isaac Z. Schlueter" notifications@github.com wrote:

Yes, this is being back ported to 0.10 and 0.8.



@majek
majek commented Oct 29, 2013

This bug's CVE no.: CVE-2013-4450.

@isaacs isaacs added a commit to isaacs/node that referenced this issue Dec 4, 2013
@isaacs isaacs http: provide backpressure for pipeline flood
If a client sends a lot more pipelined requests than we can handle, then
we need to provide backpressure so that the client knows to back off.
Do this by pausing both the stream and the parser itself when the
responses are not being read by the downstream client.

Fix GH-6214
ca8cbc0
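
The backpressure described in the commit message above, as an added example that is not part of the original thread and not Node's own code: a synchronous model of one connection that stops parsing pipelined requests once unread responses reach a cap. The class, its fields, the 16 KiB cap and the request sizes are all assumptions made for illustration.

```javascript
// Simplified model of one keep-alive HTTP connection. Names are hypothetical,
// not Node's internals; request sizes below are constructed sample input.
class PipelinedConnection {
  constructor({ highWaterMark, backpressure }) {
    this.highWaterMark = highWaterMark; // cap on unread response bytes
    this.backpressure = backpressure;   // false models the pre-fix behaviour
    this.outputSize = 0;                // response bytes queued for the client
    this.peakOutput = 0;
    this.unparsed = [];                 // requests received but not yet parsed
    this.paused = false;                // true: socket and parser are paused
  }
  // Socket delivers pipelined requests. Returns false when it must stop reading.
  onRequests(requests) {
    this.unparsed.push(...requests);
    this.parse();
    return !this.paused;
  }
  // Parse queued requests, stopping as soon as the output queue is full.
  parse() {
    while (this.unparsed.length > 0 && !this.paused) {
      this.outputSize += this.unparsed.shift().responseBytes;
      this.peakOutput = Math.max(this.peakOutput, this.outputSize);
      if (this.backpressure && this.outputSize >= this.highWaterMark) {
        this.paused = true; // pause both the stream and the parser
      }
    }
  }
  // The client read `bytes` of queued responses: resume if below the cap.
  onDrain(bytes) {
    this.outputSize = Math.max(0, this.outputSize - bytes);
    if (this.outputSize < this.highWaterMark) {
      this.paused = false;
      this.parse();
    }
  }
}

// Constructed scenario: 10 batches of 100 requests, 1 KiB response each,
// sent by a client that never reads the responses.
function runFlood(backpressure) {
  const conn = new PipelinedConnection({ highWaterMark: 16 * 1024, backpressure });
  let delivered = 0;
  for (let batch = 0; batch < 10; batch++) {
    delivered += 100;
    const reqs = Array.from({ length: 100 }, () => ({ responseBytes: 1024 }));
    if (!conn.onRequests(reqs)) break; // socket paused: stop reading input
  }
  return { conn, delivered };
}
console.log(runFlood(false).conn.peakOutput, runFlood(true).conn.peakOutput);
```

Without backpressure the queued output grows with the number of requests sent; with it, the queue stays at the cap and the remaining input is left unread until the client drains responses.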
@trentm trentm added a commit to joyent/sdcnode that referenced this issue Aug 29, 2014
@trentm trentm TOOLS-319: sdcnode builds with nodejs/node-v0.x-archive#6214 fix c0b7779
@trentm trentm added a commit to joyent/sdcnode that referenced this issue Aug 29, 2014
@trentm trentm TOOLS-319, TOOLS-317: sdcnode builds for nodejs/node-v0.x-archive#6214
++v0.10.21-zone (multiarch)
++v0.10.21-zone
++v0.8.26-zone
--v0.8.25-zone

Also drop the pre-patches for nodejs/node-v0.x-archive#6214 in earlier 0.10 and 0.8
versions.  If you need that fix, then upgrade to 0.10.21 or 0.8.26.
02e53ef
@trentm trentm added a commit to joyent/sdcnode that referenced this issue Aug 29, 2014
@trentm trentm TOOLS-319, TOOLS-317: sdcnode builds for nodejs/node-v0.x-archive#6214
Actually add v0.8.26-zone here (and v0.8.25-zone stays too, it is
needed).

++v0.8.26-zone
0a7ec21