Candidate: CVE-2019-5737
PublicDate: 2019-03-28 17:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5737
 https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/
Description:
 In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2,
 and 11.x before 11.10.1, an attacker can cause a Denial of Service (DoS) by
 establishing an HTTP or HTTPS connection in keep-alive mode and sending headers
 very slowly. This keeps the connection and its associated resources alive for
 a long period of time. Potential attacks are mitigated by the use of a load
 balancer or other proxy layer. This vulnerability is an extension of
 CVE-2018-12121, addressed in November 2018, and impacts all active Node.js
 release lines: 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and
 11.x before 11.10.1.
Ubuntu-Description:
 Marco Pracucci discovered that Node.js mishandled HTTP and HTTPS connections.
 An attacker could use this vulnerability to cause a denial of service.
Notes:
Bugs:
Priority: medium
Discovered-by: Marco Pracucci
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [7.5 HIGH]

Patches_nodejs:
 upstream: https://github.com/nodejs/node/commit/b13b4a9ffb
upstream_nodejs: released (10.15.2~dfsg-1)
precise/esm_nodejs: DNE
trusty_nodejs: ignored (out of standard support)
trusty/esm_nodejs: not-affected (code not present)
xenial_nodejs: ignored (end of standard support, was needed)
bionic_nodejs: needed
cosmic_nodejs: ignored (reached end-of-life)
disco_nodejs: released (10.15.2~dfsg-1)
eoan_nodejs: not-affected (10.15.2~dfsg-1)
focal_nodejs: not-affected (10.15.2~dfsg-1)
groovy_nodejs: not-affected (10.15.2~dfsg-1)
hirsute_nodejs: not-affected (10.15.2~dfsg-1)
impish_nodejs: not-affected (10.15.2~dfsg-1)
jammy_nodejs: not-affected (10.15.2~dfsg-1)
devel_nodejs: not-affected (10.15.2~dfsg-1)