Overview
Request 664392 accepted
- New upstream LTS version 10.15.0 (still bsc#1112438, FATE#326776):
  * cli: add --max-http-header-size flag
  * http: add maxHeaderSize property
- Changes in version 10.14.2
  * deps: upgrade to c-ares v1.15.0
  * child_process: handle undefined/null for fork() args
  * http2: make Http2Settings constructors delegate
  * os: fix memory leak in userInfo()
- fix_ci_tests.patch: refreshed
- New upstream LTS version 10.14.1 (still bsc#1112438, FATE#326776):
  * deps: Upgrade to OpenSSL 1.1.0j, fixing
    + Timing vulnerability in DSA signature generation
      (bsc#1113652, CVE-2018-0734)
    + Timing vulnerability in ECDSA signature generation
      (bsc#1113651, CVE-2018-0735)
  * http:
    + Headers received by HTTP servers must not exceed 8192 bytes
      in total to prevent possible Denial of Service attacks.
      (bsc#1117626, CVE-2018-12121)
    + A timeout of 40 seconds now applies to servers receiving
      HTTP headers. This value can be adjusted with
      server.headersTimeout. Where headers are not completely
      received within this period, the socket is destroyed on
      the next received chunk. In conjunction
      with server.setTimeout(), this aids in protecting against
      excessive resource retention and possible Denial of Service.
      (bsc#1117627, CVE-2018-12122)
  * url: Fix a bug that would allow a hostname being spoofed when
    parsing URLs with url.parse() with the 'javascript:' protocol.
    (bsc#1117629, CVE-2018-12123)
Request History
adamm created request
factory-auto added opensuse-review-team as a reviewer
Please review sources
factory-auto added repo-checker as a reviewer
Please review build success
factory-auto accepted review
Check script succeeded
licensedigger accepted review
ok
staging-bot added openSUSE:Factory:Staging:adi:15 as a reviewer
Being evaluated by staging project "openSUSE:Factory:Staging:adi:15"
staging-bot accepted review
Picked openSUSE:Factory:Staging:adi:15
repo-checker accepted review
cycle and install check passed
dimstar accepted review
staging-bot accepted review
ready to accept
staging-bot approved review
ready to accept
dimstar_suse accepted request
Accept to openSUSE:Factory