Security update for nodejs10 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2019:1211-1 Final 1 1 2019-04-16T08:28:39Z current 2019-04-16T08:28:39Z 2019-04-16T08:28:39Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for nodejs10 This update for nodejs10 to version 10.1.2 fixes the following issue: Security issue fixed: - CVE-2019-5737: Fixed a potentially attack vector which could lead to Denial of Service when HTTP connection are kept active (bsc#1127532). This update was imported from the SUSE:SLE-12:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2019-04/msg00059.html E-Mail link for openSUSE-SU-2019:1211-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.3 nodejs10-10.15.2-5.2 nodejs10-devel-10.15.2-5.2 nodejs10-docs-10.15.2-5.2 npm10-10.15.2-5.2 nodejs10-10.15.2-5.2 as a component of openSUSE Leap 42.3 nodejs10-devel-10.15.2-5.2 as a component of openSUSE Leap 42.3 nodejs10-docs-10.15.2-5.2 as a component of openSUSE Leap 42.3 npm10-10.15.2-5.2 as a component of openSUSE Leap 42.3 In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and by sending headers very slowly. This keeps the connection and associated resources alive for a long period of time. Potential attacks are mitigated by the use of a load balancer or other proxy layer. This vulnerability is an extension of CVE-2018-12121, addressed in November and impacts all active Node.js release lines including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1. CVE-2019-5737 openSUSE Leap 42.3:nodejs10-10.15.2-5.2 openSUSE Leap 42.3:nodejs10-devel-10.15.2-5.2 openSUSE Leap 42.3:nodejs10-docs-10.15.2-5.2 openSUSE Leap 42.3:npm10-10.15.2-5.2 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2019-04/msg00059.html https://www.suse.com/security/cve/CVE-2019-5737.html CVE-2019-5737 https://bugzilla.suse.com/1127532 SUSE Bug 1127532