  * deps: upgrade OpenSSL source to 1.0.2r. Under certain circumstances,
    a TLS server can be forced to respond differently to a client if a
    zero-byte record is received with an invalid padding compared to a
    zero-byte record with an invalid MAC. This can be used as the basis
    of a padding oracle attack to decrypt data.
    (openssl_1_0_2q.patch - CVE-2019-1559, bsc#1127080)
  * http: (http-keep-alive.patch)
    + Backport server.keepAliveTimeout to prevent keep-alive HTTP and
      HTTPS connections remaining open and inactive for an extended
      period of time, leading to a potential Denial of Service (DoS).
      (CVE-2019-5739, bsc#1127533)
    + Further prevention of "Slowloris" attacks on HTTP and HTTPS
      connections by consistently applying the receive timeout set by
      server.headersTimeout to connections in keep-alive mode.
      (CVE-2019-5737, bsc#1127532)
- nodejs.keyring: update keyring to today's list as per
  https://github.com/nodejs/node

OBS-URL: https://build.opensuse.org/package/show/devel:languages:nodejs/nodejs4?expand=0&rev=105