CVE-2019-5739

Upstream information

CVE-2019-5739 at MITRE

Description

Keep-alive HTTP and HTTPS connections can remain open and inactive for up to 2 minutes in Node.js 6.16.0 and earlier. Node.js 8.0.0 introduced a dedicated server.keepAliveTimeout which defaults to 5 seconds. The behavior in Node.js 6.16.0 and earlier is a potential Denial of Service (DoS) attack vector. Node.js 6.17.0 introduces server.keepAliveTimeout and the 5-second default.

SUSE information

SUSE Bugzilla entry: 1127533 [RESOLVED / FIXED]

SUSE Security Advisories:

SUSE-SU-2019:0658-1, published Wed Mar 20 10:37:52 MDT 2019
SUSE-SU-2019:0818-1, published Fri Mar 29 17:13:00 MDT 2019
openSUSE-SU-2019:1076-1, published Thu, 28 Mar 2019 21:11:37 +0100 (CET)
openSUSE-SU-2019:1173-1, published Mon, 8 Apr 2019 15:32:57 +0200 (CEST)

List of released packages

Product(s)	Fixed package version(s)	References
SUSE Enterprise Storage 4	`nodejs4 >= 4.9.1-15.20.1` `nodejs6 >= 6.17.0-11.24.1`	Patchnames: SUSE-Storage-4-2019-658 SUSE-Storage-4-2019-818
SUSE Linux Enterprise Module for Web Scripting 12	`nodejs4 >= 4.9.1-15.20.1` `nodejs4-devel >= 4.9.1-15.20.1` `nodejs4-docs >= 4.9.1-15.20.1` `nodejs6 >= 6.17.0-11.24.1` `nodejs6-devel >= 6.17.0-11.24.1` `nodejs6-docs >= 6.17.0-11.24.1` `npm4 >= 4.9.1-15.20.1` `npm6 >= 6.17.0-11.24.1`	Patchnames: SUSE-SLE-Module-Web-Scripting-12-2019-658 SUSE-SLE-Module-Web-Scripting-12-2019-818
SUSE OpenStack Cloud 7	`nodejs6 >= 6.17.0-11.24.1`	Patchnames: SUSE-OpenStack-Cloud-7-2019-818
SUSE OpenStack Cloud Crowbar 8	`nodejs6 >= 6.17.0-11.24.1`	Patchnames: SUSE-OpenStack-Cloud-Crowbar-8-2019-818

CVE-2019-5739

Common Vulnerabilities and Exposures

Upstream information

Description

SUSE information

List of released packages

SUSE Linux Enterprise

SUSE Rancher

Solutions

Industries

Support

Services

Resources

Partners

Communities

About