Skip to content

Release proposal: v6.15.1 (expedited, single commit fix)#24803

Merged
rvagg merged 2 commits intov6.xfrom
v6.15.1-proposal
Dec 3, 2018
Merged

Release proposal: v6.15.1 (expedited, single commit fix)#24803
rvagg merged 2 commits intov6.xfrom
v6.15.1-proposal

Conversation

@rvagg
Copy link
Member

@rvagg rvagg commented Dec 3, 2018

Ref: #24796
Ref: #24760

The single commit needs to be fixed up once properly landed with metadata (and changelog altered with new commit hash). I think we can expedite that though.

Keeping this to just the one commit because it fixes the security release so we should apply the same stability via this as well rather than increasing risk with the additional items on staging.

@nodejs/tsc @nodejs/release

2018-12-03, Version 6.15.1 'Boron' (LTS), @rvagg

Notable Changes

This is a patch release to fix a bad backport of the fix for "Slowloris HTTP Denial of Service" (CVE-2018-12122). Node.js 6.15.0 misapplies the headers timeout to the entire keep-alive HTTP session, resulting in prematurely disconnected sockets.

Commits

  • [0b9ee5fd6f] - http: fix backport of Slowloris headers (Matteo Collina)

@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Dec 3, 2018

@rvagg build started: https://ci.nodejs.org/blue/organizations/jenkins/node-test-pull-request-lite-pipeline/detail/node-test-pull-request-lite-pipeline/1800/pipeline

@nodejs-github-bot nodejs-github-bot added http Issues or PRs related to the http subsystem. meta Issues and PRs related to the general management of the project. v6.x labels Dec 3, 2018
mcollina
mcollina approved these changes Dec 3, 2018
View reviewed changes
Copy link
Member

@mcollina mcollina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

rvagg added 2 commits December 3, 2018 23:33
@rvagg
2018-12-03, Version 6.15.1 'Boron' (LTS)
cde6450 
Notable Changes:

This is a patch release to address a bad backport of the fix for "Slowloris
HTTP Denial of Service" (CVE-2018-12122). Node.js 6.15.0 misapplies the headers
timeout to an entire keep-alive HTTP session, resulting in prematurely
disconnected sockets.

PR-URL: #24803
Refs: #24796
Refs: #24760
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
@rvagg
Working on v6.15.2
92968b6 
PR-URL: #24803
@rvagg
Copy link
Member Author

rvagg commented Dec 3, 2018

Test @ https://ci.nodejs.org/job/node-test-pull-request/19148/
CITGM @ https://ci.nodejs.org/view/Node.js-citgm/job/citgm-smoker/1659/
Pre-emptive release build @ https://ci-release.nodejs.org/job/iojs+release/4003/

@rvagg
Copy link
Member Author

rvagg commented Dec 3, 2018

CITGM is lots of red but it's roughly the same failures as 6.15.0, many of which are feature-related (e.g. async function). Release builds are done and sitting in staging. I'm running a second full test, the first one was a bit wonky because I force pushed and the commit got lost when some delayed nodes came online. https://ci.nodejs.org/job/node-test-commit/23895/

@nodejs/tsc I'm going to promote this very soon, speak now if you object.

@rvagg rvagg merged commit 92968b6 into v6.x Dec 3, 2018
@rvagg rvagg deleted the v6.15.1-proposal branch December 3, 2018 14:12
rvagg added a commit that referenced this pull request Dec 3, 2018
@rvagg
2018-12-03, Version 6.15.1 'Boron' (LTS)
dbdc908 
Notable Changes:

This is a patch release to address a bad backport of the fix for "Slowloris
HTTP Denial of Service" (CVE-2018-12122). Node.js 6.15.0 misapplies the headers
timeout to an entire keep-alive HTTP session, resulting in prematurely
disconnected sockets.

PR-URL: #24803
Refs: #24796
Refs: #24760
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
@rvagg
Copy link
Member Author

rvagg commented Dec 3, 2018

All done https://nodejs.org/en/blog/release/v6.15.1/

Thanks @mcollina and others who reviewed and approved.

This was referenced Dec 5, 2018
Closed
Closed
@tylersmalley
Copy link

tylersmalley commented Dec 5, 2018

Considering the severity of this issue, I feel it would be helpful to post an update to nodejs-sec notifying users of this fix.

refack pushed a commit to refack/node that referenced this pull request Jan 14, 2019
@rvagg @refack
2018-12-03, Version 6.15.1 'Boron' (LTS)
9017716 
Notable Changes:

This is a patch release to address a bad backport of the fix for "Slowloris
HTTP Denial of Service" (CVE-2018-12122). Node.js 6.15.0 misapplies the headers
timeout to an entire keep-alive HTTP session, resulting in prematurely
disconnected sockets.

PR-URL: nodejs#24803
Refs: nodejs#24796
Refs: nodejs#24760
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mcollina mcollina mcollina approved these changes

@addaleax addaleax addaleax approved these changes

@richardlau richardlau richardlau approved these changes

Assignees

No one assigned

Labels

http Issues or PRs related to the http subsystem. meta Issues and PRs related to the general management of the project.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@rvagg @nodejs-github-bot @tylersmalley @mcollina @addaleax @richardlau