
Release proposal: v6.15.1 (expedited, single commit fix) #24803

Merged
merged 2 commits into from
Dec 3, 2018

Conversation

rvagg
Member

@rvagg rvagg commented Dec 3, 2018

Ref: #24796
Ref: #24760

The single commit needs to be fixed up once properly landed with metadata (and changelog altered with new commit hash). I think we can expedite that though.

Keeping this to just the one commit because it fixes the security release so we should apply the same stability via this as well rather than increasing risk with the additional items on staging.

@nodejs/tsc @nodejs/release


2018-12-03, Version 6.15.1 'Boron' (LTS), @rvagg

Notable Changes

This is a patch release to fix a bad backport of the fix for "Slowloris HTTP Denial of Service" (CVE-2018-12122). Node.js 6.15.0 misapplies the headers timeout to the entire keep-alive HTTP session, resulting in prematurely disconnected sockets.

Commits

  • [0b9ee5fd6f] - http: fix backport of Slowloris headers (Matteo Collina)

@nodejs-github-bot nodejs-github-bot added http Issues or PRs related to the http subsystem. meta Issues and PRs related to the general management of the project. v6.x labels Dec 3, 2018
Member

@mcollina mcollina left a comment


LGTM

Notable Changes:

This is a patch release to address a bad backport of the fix for "Slowloris
HTTP Denial of Service" (CVE-2018-12122). Node.js 6.15.0 misapplies the headers
timeout to an entire keep-alive HTTP session, resulting in prematurely
disconnected sockets.

PR-URL: #24803
Refs: #24796
Refs: #24760
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
@rvagg
Member Author

rvagg commented Dec 3, 2018

CITGM is lots of red but it's roughly the same failures as 6.15.0, many of which are feature-related (e.g. async function). Release builds are done and sitting in staging. I'm running a second full test, the first one was a bit wonky because I force pushed and the commit got lost when some delayed nodes came online. https://ci.nodejs.org/job/node-test-commit/23895/

@nodejs/tsc I'm going to promote this very soon, speak now if you object.

@rvagg rvagg merged commit 92968b6 into v6.x Dec 3, 2018
@rvagg rvagg deleted the v6.15.1-proposal branch December 3, 2018 14:12
rvagg added a commit that referenced this pull request Dec 3, 2018
@rvagg
Member Author

rvagg commented Dec 3, 2018

All done https://nodejs.org/en/blog/release/v6.15.1/

Thanks @mcollina and others who reviewed and approved.

@tylersmalley

Considering the severity of this issue, I feel it would be helpful to post an update to nodejs-sec notifying users of this fix.

refack pushed a commit to refack/node that referenced this pull request Jan 14, 2019