Affected Node.js versions can be exploited to perform HTTP desync attacks and deliver malicious payloads to unsuspecting users. The payloads can be crafted by an attacker to hijack user sessions, poison cookies, perform clickjacking, and a multitude of other attacks depending on the architecture of the underlying system. Downloads & release details * Node.js v10.19.0 (LTS) - https://nodejs.org/en/blog/release/v10.19.0/ * Node.js v12.15.0 (LTS) - https://nodejs.org/en/blog/release/v12.15.0/ * Node.js v13.8.0 (LTS) - https://nodejs.org/en/blog/release/v13.8.0/
Created nodejs tracking bugs for this issue: Affects: fedora-all [bug 1800376]
Also fixed in http-parser-js 2.9.3 see: https://github.com/nodejs/http-parser/commit/7d5c99d09f6743b055d53fc3f642746d9801479b
Actually the commit in the previous comment refers to the 'http-parser' c library that ships in Fedora and RHEL. Not the http-parser-js javascript library as previously mentioned.
Created http-parser tracking bugs for this issue: Affects: fedora-all [bug 1802501]
External References: https://nodejs.org/en/blog/vulnerability/february-2020-security-releases/
HackerOne report (currently not public): https://hackerone.com/reports/735748 Upstream commits : * http-parser: https://github.com/nodejs/http-parser/commit/7d5c99d09f6743b055d53fc3f642746d9801479b * llhttp : https://github.com/nodejs/llhttp/commit/e19af786a172a8ba71a3d13fccc0fd4dfe4b1b94
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions Via RHSA-2020:0573 https://access.redhat.com/errata/RHSA-2020:0573
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-15605
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:0579 https://access.redhat.com/errata/RHSA-2020:0579
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2020:0597 https://access.redhat.com/errata/RHSA-2020:0597
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:0598 https://access.redhat.com/errata/RHSA-2020:0598
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.5 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2020:0602 https://access.redhat.com/errata/RHSA-2020:0602
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:0703 https://access.redhat.com/errata/RHSA-2020:0703
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions Via RHSA-2020:0707 https://access.redhat.com/errata/RHSA-2020:0707
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:0708 https://access.redhat.com/errata/RHSA-2020:0708
This issue has been addressed in the following products: Red Hat Enterprise Linux 7.6 Extended Update Support Via RHSA-2020:1510 https://access.redhat.com/errata/RHSA-2020:1510