CVE-2019-5739

Priority
Description
Keep-alive HTTP and HTTPS connections can remain open and inactive for up
to 2 minutes in Node.js 6.16.0 and earlier. Node.js 8.0.0 introduced a
dedicated server.keepAliveTimeout which defaults to 5 seconds. The behavior
in Node.js 6.16.0 and earlier is a potential Denial of Service (DoS) attack
vector. Node.js 6.17.0 introduces server.keepAliveTimeout and the 5-second
default.
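As an added example (not part of this advisory or of Node.js itself), the following script starts a local test server and measures how long an idle keep-alive connection stays open once server.keepAliveTimeout is set. The function name measureIdleClose, the loopback address and the timeout value passed in are assumptions made for the illustration.

```javascript
// Added example: time how long a local Node.js HTTP server keeps an idle
// keep-alive connection open. All names and values here are constructed.
async function measureIdleClose(keepAliveTimeoutMs) {
  // Dynamic import works from both CommonJS and ES module files.
  const http = await import('http');
  const net = await import('net');

  const server = http.createServer((req, res) => res.end('ok'));
  if (!('keepAliveTimeout' in server)) {
    // Runtimes older than the fix have no dedicated keep-alive timeout.
    throw new Error('server.keepAliveTimeout is not available in this runtime');
  }
  server.keepAliveTimeout = keepAliveTimeoutMs;

  // Port 0 lets the OS pick a free loopback port.
  await new Promise((resolve) => server.listen(0, '127.0.0.1', resolve));
  const { port } = server.address();

  try {
    return await new Promise((resolve, reject) => {
      // One request, then the client stays silent so the connection is idle.
      const sock = net.connect(port, '127.0.0.1', () => {
        sock.write('GET / HTTP/1.1\r\nHost: localhost\r\nConnection: keep-alive\r\n\r\n');
      });
      let idleSince = null;
      // The idle period starts when the response arrives.
      sock.on('data', () => { if (idleSince === null) idleSince = Date.now(); });
      // 'close' always follows 'error', so the close handler settles the promise.
      sock.on('error', () => {});
      sock.on('close', () => {
        if (idleSince === null) reject(new Error('closed before any response'));
        else resolve(Date.now() - idleSince);
      });
    });
  } finally {
    server.close();
  }
}
```

The returned value is the number of milliseconds the server held the idle connection; a result far above the configured timeout means the setting is not taking effect on that runtime.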
Notes
Package
Upstream: released (8.9.3~dfsg-5)
Ubuntu 12.04 ESM (Precise Pangolin): DNE
Ubuntu 14.04 ESM (Trusty Tahr): not-affected (code not present)
Ubuntu 16.04 LTS (Xenial Xerus): needed
Ubuntu 18.04 LTS (Bionic Beaver): not-affected (8.10.0~dfsg-2ubuntu0.4)
Ubuntu 19.04 (Disco Dingo): not-affected
Ubuntu 19.10 (Eoan Ermine): not-affected
Ubuntu 20.04 (Focal Fossa): not-affected
Patches:
Upstream: https://github.com/nodejs/node/commit/e9ae4aaaad
Updated: 2019-12-05 20:08:17 UTC (commit 0aa5e7c87c8b55d2ec5c7f4ca1179cf75de91961)