Upstream information

CVE-2019-5739 at MITRE

Description

Keep-alive HTTP and HTTPS connections can remain open and inactive for up to 2 minutes in Node.js 6.16.0 and earlier. Node.js 8.0.0 introduced a dedicated server.keepAliveTimeout which defaults to 5 seconds. The behavior in Node.js 6.16.0 and earlier is a potential Denial of Service (DoS) attack vector. Node.js 6.17.0 introduces server.keepAliveTimeout and the 5-second default.

SUSE information

SUSE Bugzilla entry: 1127533 [RESOLVED / FIXED]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
SUSE Enterprise Storage 4
  • nodejs4 >= 4.9.1-15.20.1
  • nodejs6 >= 6.17.0-11.24.1
Patchnames:
SUSE-Storage-4-2019-658
SUSE-Storage-4-2019-818
SUSE Linux Enterprise Module for Web Scripting 12
  • nodejs4 >= 4.9.1-15.20.1
  • nodejs4-devel >= 4.9.1-15.20.1
  • nodejs4-docs >= 4.9.1-15.20.1
  • nodejs6 >= 6.17.0-11.24.1
  • nodejs6-devel >= 6.17.0-11.24.1
  • nodejs6-docs >= 6.17.0-11.24.1
  • npm4 >= 4.9.1-15.20.1
  • npm6 >= 6.17.0-11.24.1
Patchnames:
SUSE-SLE-Module-Web-Scripting-12-2019-658
SUSE-SLE-Module-Web-Scripting-12-2019-818
SUSE OpenStack Cloud 7
  • nodejs6 >= 6.17.0-11.24.1
Patchnames:
SUSE-OpenStack-Cloud-7-2019-818
SUSE OpenStack Cloud Crowbar 8
  • nodejs6 >= 6.17.0-11.24.1
Patchnames:
SUSE-OpenStack-Cloud-Crowbar-8-2019-818
openSUSE Leap 42.3
  • nodejs4 >= 4.9.1-23.1
  • nodejs4-debuginfo >= 4.9.1-23.1
  • nodejs4-debugsource >= 4.9.1-23.1
  • nodejs4-devel >= 4.9.1-23.1
  • nodejs4-docs >= 4.9.1-23.1
  • nodejs6 >= 6.17.0-21.1
  • nodejs6-debuginfo >= 6.17.0-21.1
  • nodejs6-debugsource >= 6.17.0-21.1
  • nodejs6-devel >= 6.17.0-21.1
  • nodejs6-docs >= 6.17.0-21.1
  • npm4 >= 4.9.1-23.1
  • npm6 >= 6.17.0-21.1
Patchnames:
openSUSE-2019-1076
openSUSE-2019-1173