@isaacs
Created October 22, 2013 17:56
From 97813ae58d19687f3c61f6355b4307c88908058a Mon Sep 17 00:00:00 2001
From: isaacs <i@izs.me>
Date: Tue, 22 Oct 2013 10:56:03 -0700
Subject: [PATCH] blog: HTTP server DoS vulnerability details
CVE-2013-4450
---
.../http-server-pipeline-flood-dos.md | 37 ++++++++++++++++++++++
1 file changed, 37 insertions(+)
create mode 100644 doc/blog/vulnerability/http-server-pipeline-flood-dos.md
diff --git a/doc/blog/vulnerability/http-server-pipeline-flood-dos.md b/doc/blog/vulnerability/http-server-pipeline-flood-dos.md
new file mode 100644
index 0000000..e4a607d
--- /dev/null
+++ b/doc/blog/vulnerability/http-server-pipeline-flood-dos.md
@@ -0,0 +1,37 @@
+title: DoS Vulnerability (fixed in Node v0.8.26 and v0.10.21)
+date: Tue Oct 22 10:42:10 PDT 2013
+slug: cve-2013-4450-http-server-pipeline-flood-dos
+category: vulnerability
+
+Node.js is vulnerable to a denial of service attack when a client
+sends many pipelined HTTP requests on a single connection, and the
+client does not read the responses from the connection.
+
+We recommend that anyone using Node.js v0.8 or v0.10 to run HTTP
+servers in production please update as soon as possible.
+
+* v0.10.21 <http://blog.nodejs.org/2013/10/18/node-v0-10-21-stable/>
+* v0.8.26 <http://blog.nodejs.org/2013/10/18/node-v0-8-26-maintenance/>
+
+This is fixed in Node.js by pausing both the socket and the HTTP
+parser whenever the downstream writable side of the socket is awaiting
+a drain event. In the attack scenario, the socket will eventually
+time out, and be destroyed by the server. If the "attacker" is not
+malicious, but merely sends a lot of requests and reacts to them
+slowly, then the throughput on that connection will be reduced to what
+the client can handle.
+
+There is no change to program semantics, and except in the
+pathological cases described, no changes to behavior.
+
+If upgrading is not possible, then putting an HTTP proxy in front of
+the Node.js server can mitigate the vulnerability, but only if the
+proxy parses HTTP and is not itself vulnerable to a pipeline flood
+DoS.
+
+For example, nginx will prevent the attack (since it closes
+connections after 100 pipelined requests by default), but HAProxy in
+raw TCP mode will not (since it proxies the TCP connection without
+regard for HTTP semantics).
+
+This addresses CVE-2013-4450.
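Review bot: the sentence "the socket will eventually time out, and be destroyed by the server" (third paragraph of the post) does not say which timeout governs this or how long it is by default, so a reader cannot tell how long a stalled connection keeps its buffered responses in memory before the server destroys it; name the server-side socket timeout and mention that operators can shorten it on HTTP-facing deployments. The post also names the fixed releases (v0.10.21, v0.8.26) but not the fixing commit; linking it would let readers verify the backport in their own tree.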
--
1.8.3.2