Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-15-SP2:Update
nodejs8.20717
CVE-2021-22883.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2021-22883.patch of Package nodejs8.20717
Only backport unit test. Node8 does not trigger. From 922ada77132c1b0b69c9a146822d762b2f9b912b Mon Sep 17 00:00:00 2001 From: Daniel Bevenius <daniel.bevenius@gmail.com> Date: Fri, 22 Jan 2021 12:34:21 +0100 Subject: [PATCH] http2: add unknownProtocol timeout MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This commit add a configuration options named unknownProtocolTimeout which can be specified to set a value for the timeout in milliseconds that a server should wait when an unknowProtocol is sent to it. When this happens a timer will be started and the if the socket has not been destroyed during that time the timer callback will destoy it. Refs: https://hackerone.com/reports/1043360 CVE-ID: CVE-2021-22883 PR-URL: https://github.com/nodejs-private/node-private/pull/246 Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/250 Reviewed-By: Beth Griggs <bgriggs@redhat.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Michael Dawson <midawson@redhat.com> Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de> --- doc/api/http2.md | 25 +++++++++++++- lib/internal/http2/core.js | 31 ++++++++++++++--- .../test-http2-server-unknown-protocol.js | 33 +++++++++++++++++++ 3 files changed, 84 insertions(+), 5 deletions(-) create mode 100644 test/parallel/test-http2-server-unknown-protocol.js Index: node-v8.17.0/test/parallel/test-http2-server-unknown-protocol.js =================================================================== --- /dev/null +++ node-v8.17.0/test/parallel/test-http2-server-unknown-protocol.js @@ -0,0 +1,39 @@ +'use strict'; +const common = require('../common'); +const fixtures = require('../common/fixtures'); + +// This test verifies that when a server receives an unknownProtocol it will +// not leave the socket open if the client does not close it. + +if (!common.hasCrypto) + common.skip('missing crypto'); + +const h2 = require('http2'); +const tls = require('tls'); + +const certPem = fixtures.readSync('test_cert.pem', 'ascii'); +const keyPem = fixtures.readSync('test_key.pem', 'ascii'); + +// key: fixtures.readKey('rsa_private_2048.pem'), +// cert: fixtures.readKey('rsa_public_2048.pem'), + +const server = h2.createSecureServer({ + cert: certPem, + key: keyPem, + unknownProtocolTimeout: 500, + allowHalfOpen: true +}); + +server.on('connection', (socket) => { + socket.on('close', common.mustCall(() => { + server.close(); + })); +}); + +server.listen(0, function() { + tls.connect({ + port: server.address().port, + rejectUnauthorized: false, + ALPNProtocols: ['bogus'] + }); +});
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor