Overview
Request 681321 superseded
- New upstream LTS release 6.17.0:
  * deps: OpenSSL has been upgraded to 1.0.2r. Under certain
    circumstances, a TLS server can be forced to respond differently
    to a client if a zero-byte record is received with an
    invalid padding compared to a zero-byte record with an
    invalid MAC. This can be used as the basis of a padding
    oracle attack to decrypt data.
    (CVE-2019-1559, bsc#1127080)
  * http:
    + Backport server.keepAliveTimeout to prevent keep-alive
      HTTP and HTTPS connections remaining open and inactive for
      an extended period of time, leading to a potential
      Denial of Service (DoS). (CVE-2019-5739, bsc#1127533)
    + Further prevention of "Slowloris" attacks on HTTP and HTTPS
      connections by consistently applying the receive timeout set
      by server.headersTimeout to connections in keep-alive mode.
      (CVE-2019-5737, bsc#1127532)
- nodejs.keyring: update keyring to today's list as per
  https://github.com/nodejs/node
- Created by adamm
- In state superseded
- Superseded by 681821
- Open review for factory-staging
Request History
adamm created request
licensedigger accepted review
ok
factory-auto declined review
Output of check script:
SHASUMS256.txt /home/go/co/681321/nodejs6/SHASUMS256.txt differ: char 675, line 8
ERROR: download_files is configured to fail when the upstream file is different than the committed file... this is the case!
Source URLs are not valid. Try "osc service localrun download_files"
factory-auto declined request
superseded by 681821