[Buildroot] [PATCH 2/2] package/nodejs: security bump to version v10.16.3

Peter Korsgaard peter at korsgaard.com
Wed Sep 25 17:58:46 UTC 2019


>>>>> "Peter" == Peter Korsgaard <peter at korsgaard.com> writes:

 > Fixes the following security vulnerabilities:
 > - CVE-2019-9511 "Data Dribble": The attacker requests a large amount of data
 >   from a specified resource over multiple streams.  They manipulate window
 >   size and stream priority to force the server to queue the data in 1-byte
 >   chunks.  Depending on how efficiently this data is queued, this can
 >   consume excess CPU, memory, or both, potentially leading to a denial of
 >   service.

 > - CVE-2019-9512 "Ping Flood": The attacker sends continual pings to an
 >   HTTP/2 peer, causing the peer to build an internal queue of responses.
 >   Depending on how efficiently this data is queued, this can consume excess
 >   CPU, memory, or both, potentially leading to a denial of service.

 > - CVE-2019-9513 "Resource Loop": The attacker creates multiple request
 >   streams and continually shuffles the priority of the streams in a way that
 >   causes substantial churn to the priority tree.  This can consume excess
 >   CPU, potentially leading to a denial of service.

 > - CVE-2019-9514 "Reset Flood": The attacker opens a number of streams and
 >   sends an invalid request over each stream that should solicit a stream of
 >   RST_STREAM frames from the peer.  Depending on how the peer queues the
 >   RST_STREAM frames, this can consume excess memory, CPU, or both,
 >   potentially leading to a denial of service.

 > - CVE-2019-9515 "Settings Flood": The attacker sends a stream of SETTINGS
 >   frames to the peer.  Since the RFC requires that the peer reply with one
 >   acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost
 >   equivalent in behavior to a ping.  Depending on how efficiently this data
 >   is queued, this can consume excess CPU, memory, or both, potentially
 >   leading to a denial of service.

 > - CVE-2019-9516 "0-Length Headers Leak": The attacker sends a stream of
 >   headers with a 0-length header name and 0-length header value, optionally
 >   Huffman encoded into 1-byte or greater headers.  Some implementations
 >   allocate memory for these headers and keep the allocation alive until the
 >   session dies.  This can consume excess memory, potentially leading to a
 >   denial of service.

 > - CVE-2019-9517 "Internal Data Buffering": The attacker opens the HTTP/2
 >   window so the peer can send without constraint; however, they leave the
 >   TCP window closed so the peer cannot actually write (many of) the bytes on
 >   the wire.  The attacker then sends a stream of requests for a large
 >   response object.  Depending on how the servers queue the responses, this
 >   can consume excess memory, CPU, or both, potentially leading to a denial
 >   of service.

 > - CVE-2019-9518 "Empty Frames Flood": The attacker sends a stream of frames
 >   with an empty payload and without the end-of-stream flag.  These frames
 >   can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE.  The peer spends
 >   time processing each frame disproportionate to attack bandwidth.  This can
 >   consume excess CPU, potentially leading to a denial of service.
 >   (Discovered by Piotr Sikora of Google)

 > Notice that this version bump requires nghttp2 1.39.2.  It also includes an
 > (unconditional) embedded copy of brotli.

 > Update the license hash because of copyright year changes and the addition
 > of the MIT-style license text for large_pages and brotli.

 > Signed-off-by: Peter Korsgaard <peter at korsgaard.com>

Committed to 2019.05.x and 2019.08.x, thanks.

For 2019.08.x I have instead bumped to v8.16.1, which fixes the same
list of issues.

-- 
Bye, Peter Korsgaard
