Release proposal: v6.15.1 (expedited, single commit fix) #24803
LGTM
Notable Changes: This is a patch release to address a bad backport of the fix for "Slowloris HTTP Denial of Service" (CVE-2018-12122). Node.js 6.15.0 misapplies the headers timeout to an entire keep-alive HTTP session, resulting in prematurely disconnected sockets.

PR-URL: #24803
Refs: #24796
Refs: #24760
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Richard Lau <riclau@uk.ibm.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Test @ https://ci.nodejs.org/job/node-test-pull-request/19148/

CITGM is lots of red but it's roughly the same failures as 6.15.0, many of which are feature-related (e.g.

@nodejs/tsc I'm going to promote this very soon, speak now if you object.
All done https://nodejs.org/en/blog/release/v6.15.1/ Thanks @mcollina and others who reviewed and approved.

Considering the severity of this issue, I feel it would be helpful to post an update to nodejs-sec notifying users of this fix.
Ref: #24796
Ref: #24760
The single commit needs to be fixed up once properly landed with metadata (and changelog altered with new commit hash). I think we can expedite that though.
Keeping this to just the one commit because it fixes the security release so we should apply the same stability via this as well rather than increasing risk with the additional items on staging.
@nodejs/tsc @nodejs/release
2018-12-03, Version 6.15.1 'Boron' (LTS), @rvagg
Notable Changes
This is a patch release to fix a bad backport of the fix for "Slowloris HTTP Denial of Service" (CVE-2018-12122). Node.js 6.15.0 misapplies the headers timeout to the entire keep-alive HTTP session, resulting in prematurely disconnected sockets.
Commits
* [0b9ee5fd6f] - http: fix backport of Slowloris headers (Matteo Collina)