Overview
Request 664387 accepted
- Update upstream LTS release 6.16.0:
* cli: add --max-http-header-size flag
* http: add maxHeaderSize property
- Changes in LTS release 6.15.0:
* debugger: prevent the debugger from listening on 0.0.0.0.
It now defaults to 127.0.0.1. (CVE-2018-12120, bsc#1117625)
* deps: Upgrade to OpenSSL 1.0.2q, fixing
CVE-2018-0734 (bsc#1113652) and CVE-2018-5407 (bsc#1113534)
* http:
+ Headers received by HTTP servers must not exceed 8192 bytes
in total to prevent possible Denial of Service attacks.
(CVE-2018-12121, bsc#1117626)
+ A timeout of 40 seconds now applies to servers receiving
HTTP headers. This value can be adjusted with
server.headersTimeout. Where headers are not completely
received within this period, the socket is destroyed on
the next received chunk. In conjunction with
server.setTimeout(), this aids in protecting against
excessive resource retention and possible Denial of Service.
(CVE-2018-12122, bsc#1117627)
+ Two-byte characters are now strictly disallowed for the path
option in HTTP client requests. Paths containing characters
outside of the range \u0021 - \u00ff will now be rejected
with a TypeError. This behavior can be reverted if necessary
by supplying the --security-revert=CVE-2018-12116 command
line argument (this is not recommended).
(CVE-2018-12116, bsc#1117630)
* util: Fix a bug that would allow a hostname being spoofed when
parsing URLs with url.parse() with the 'javascript:' protocol.
(CVE-2018-12123, bsc#1117629)
- skip_test_on_lowmem.patch: skip test on low-memory build machine
- flaky_test_rerun.patch: Rerun failing tests in case of flakiness
- env_shebang.patch: dropped in favour of programmatic update
Request History
adamm created request
factory-auto added opensuse-review-team as a reviewer
Please review sources
factory-auto added repo-checker as a reviewer
Please review build success
factory-auto accepted review
Check script succeeded
dimstar_suse added as a reviewer
Being evaluated by staging project "openSUSE:Factory:Staging:adi:35"
dimstar_suse accepted review
Picked openSUSE:Factory:Staging:adi:35
licensedigger accepted review
ok
repo-checker accepted review
cycle and install check passed
dimstar accepted review
staging-bot accepted review
ready to accept
staging-bot approved review
ready to accept
dimstar_suse accepted request
Accept to openSUSE:Factory