
Update http-parser for CVE. #1388

Merged
merged 1 commit into from
Feb 10, 2020

Conversation

Lukasa
Contributor

@Lukasa Lukasa commented Feb 10, 2020

Motivation:

http-parser shipped a patch for node.js CVE-2019-15605, which allowed
HTTP request smuggling. This affected SwiftNIO as well, and so we need
to immediately ship an update to help protect affected users.

A CVE for SwiftNIO will follow, but as this patch is in the wild and
SwiftNIO is known to be affected we should not delay shipping this fix.

Modifications:

  • Update http-parser.
  • Add regression tests to validate this behaviour.

Result:

Close request smuggling vector.

(cherry picked from commit f94b22b)

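The PR description above says the regression tests check that the ambiguous-framing behaviour behind the smuggling vector is gone, but the page itself does not show what the tests or the http-parser change look like. The block below is an added example, not SwiftNIO or http-parser code, of the kind of conservative framing check a defender can run over a request head: it applies the general RFC 7230 section 3.3.3 rules (Content-Length and Transfer-Encoding must not both be present, Content-Length values must agree and be numeric, `chunked` must be the single final transfer coding, and folded or malformed header lines are rejected) rather than the specific trigger of CVE-2019-15605, which this page does not describe. All sample requests are constructed for the example.

```python
# Added example (not SwiftNIO or http-parser code): flag HTTP/1.1 request heads
# whose body framing is ambiguous, the condition request smuggling relies on.
# The rules follow RFC 7230 section 3.3.3 in general; they are not a
# reproduction of the http-parser change referenced by the PR.
from typing import Dict, List

# Transfer codings a server could plausibly know; anything else merits a 501.
KNOWN_CODINGS = {"chunked", "gzip", "x-gzip", "deflate", "compress",
                 "x-compress", "identity"}


def parse_head(raw: bytes) -> Dict[str, List[str]]:
    """Split a request head into {lower-cased name: [values]}.

    Every occurrence of a header is kept so duplicates can be inspected.
    Lines that are not 'name: value', and obs-fold continuation lines
    (leading SP/HTAB), are collected under the key '<malformed>' instead of
    being silently dropped, because parsers disagree on exactly those lines.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split(b"\r\n")[1:]:  # element 0 is the request line
        if not line:
            continue
        text = line.decode("latin-1")
        if text[0] in " \t":  # obs-fold continuation
            headers.setdefault("<malformed>", []).append(text)
            continue
        name, sep, value = text.partition(":")
        if not sep or name != name.strip():
            # no colon, or whitespace between the field name and the colon
            headers.setdefault("<malformed>", []).append(text)
            continue
        headers.setdefault(name.lower(), []).append(value.strip())
    return headers


def framing_problems(raw: bytes) -> List[str]:
    """Return the reasons this request's body framing is ambiguous.

    An empty list means the body length is determined by exactly one of a
    single numeric Content-Length or a final 'chunked' transfer coding.
    """
    headers = parse_head(raw)
    problems: List[str] = []

    for line in headers.get("<malformed>", []):
        problems.append(f"malformed header line {line!r}")

    cl = headers.get("content-length", [])
    te = headers.get("transfer-encoding", [])

    if cl and te:
        problems.append("both Content-Length and Transfer-Encoding present")

    # Content-Length: one value (or identical duplicates), ASCII digits only.
    if len(set(cl)) > 1:
        problems.append("conflicting Content-Length values")
    for value in sorted(set(cl)):
        if not (value.isascii() and value.isdigit()):
            problems.append(f"non-numeric Content-Length {value!r}")

    # Transfer-Encoding: codings are comma-separated, possibly spread over
    # several fields; 'chunked' must appear exactly once, as the final coding.
    if te:
        codings = [c.strip().lower()
                   for field in te for c in field.split(",") if c.strip()]
        if codings.count("chunked") > 1:
            problems.append("chunked transfer coding listed more than once")
        elif "chunked" in codings and codings[-1] != "chunked":
            problems.append("chunked is not the final transfer coding")
        elif "chunked" not in codings:
            problems.append("Transfer-Encoding without final chunked: "
                            "body length is unknowable")
        for coding in codings:
            if coding not in KNOWN_CODINGS:
                problems.append(f"unknown transfer coding {coding!r}")
    return problems


# Constructed sample request heads for a regression-style run.
CLEAN = b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\n\r\nhello"
CL_AND_TE = (b"POST / HTTP/1.1\r\nHost: example.test\r\nContent-Length: 4\r\n"
             b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
CHUNKED_NOT_LAST = (b"POST / HTTP/1.1\r\nHost: example.test\r\n"
                    b"Transfer-Encoding: chunked, gzip\r\n\r\n")
DUPLICATE_CL = b"POST / HTTP/1.1\r\nContent-Length: 5\r\nContent-Length: 6\r\n\r\n"
FOLDED_TE = b"POST / HTTP/1.1\r\nTransfer-Encoding:\r\n chunked\r\n\r\n"

if __name__ == "__main__":
    for label, head in [("clean", CLEAN), ("cl+te", CL_AND_TE),
                        ("chunked-not-last", CHUNKED_NOT_LAST),
                        ("duplicate-cl", DUPLICATE_CL), ("folded-te", FOLDED_TE)]:
        print(f"{label:18} -> {framing_problems(head) or 'ok'}")
```

A server-side parser that rejects every request in the non-empty cases with 400 (or 501 for an unknown coding) removes the disagreement between front-end and back-end parsers that smuggling exploits; the same function run over captured request heads doubles as a cheap detection signal for proxies that do not normalise framing themselves.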
@Lukasa Lukasa added the 🔨 semver/patch No public API change. label Feb 10, 2020
@Lukasa Lukasa requested a review from weissi February 10, 2020 15:07
@Lukasa
Contributor Author

Lukasa commented Feb 10, 2020

The 1.14 CI seems to be entirely busted (cc @tomerd) but we've validated this fix locally, so we're going to ship it anyway.

Member

@weissi weissi left a comment


lgtm, happy for that to go in without a CI run.

@Lukasa Lukasa merged commit 8da5c5a into apple:nio-1.14 Feb 10, 2020
@Lukasa Lukasa deleted the cb-nio-1.14-http-parser-fix branch February 10, 2020 15:31