New releases of Node.js 13.8, 12.15 and 10.19 with security fixes

The Node.js project has published corrective releases 13.8.0, 12.15.0 and 10.19.0 of the server-side JavaScript platform. They fix three vulnerabilities:

  • CVE-2019-15606 - Incorrect handling of optional whitespace (OWS) following a field value in an HTTP header: trailing whitespace was not stripped from header values, so two parsers could read the same header differently.
  • CVE-2019-15605 - HTTP Request Smuggling (HRS) via a specially crafted Transfer-Encoding header. When a frontend and a backend disagree on where a request body ends, an attacker's bytes are read as part of another request carried over the same connection between them.
  • CVE-2019-15604 - Remotely triggered crash of a TLS server by presenting a certificate containing an invalid string.

In addition, the new releases harden the HTTP parser and parse the elements of an HTTP request more rigorously. This change may break compatibility with HTTP implementations that violate the specification. To disable strict checking, the insecureHTTPParser option (accepted by http.createServer() and http.request()) and the "--insecure-http-parser" command-line flag are provided. Because they restore the lenient behaviour that made the smuggling and whitespace issues possible, they should be treated as a temporary compatibility measure for a specific misbehaving peer, not as a default.
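The following is an added illustration, not code from Node.js or from the original article, of how the two header-handling problems above combine into request smuggling and why a strict parser refuses the input. It models three simplified framing policies: a frontend that does not strip trailing OWS (so "chunked " is not recognised and Content-Length is used), a backend that strips OWS and lets Transfer-Encoding win, and a strict parser that also rejects a request carrying both framing headers. The request bytes, the trailing-space quirk and the policy names are constructed assumptions and do not reproduce the exact inputs of CVE-2019-15605 or CVE-2019-15606.

```javascript
'use strict';

// Three framing policies (assumed for this example, not Node's real rules):
//   trimOWS        - strip optional whitespace around header values (RFC 7230)
//   rejectConflict - refuse messages carrying both Transfer-Encoding and
//                    Content-Length (RFC 7230 section 3.3.3 calls this an error)
const BUGGY_FRONTEND = { trimOWS: false, rejectConflict: false };
const LENIENT_BACKEND = { trimOWS: true, rejectConflict: false };
const STRICT = { trimOWS: true, rejectConflict: true };

// Parse one request off the front of `raw`; return it and the unread remainder.
function parseOne(raw, policy) {
  const end = raw.indexOf('\r\n\r\n');
  if (end === -1) throw new Error('incomplete headers');
  const lines = raw.slice(0, end).split('\r\n');
  const requestLine = lines.shift();
  const headers = {};
  for (const line of lines) {
    const colon = line.indexOf(':');
    if (colon === -1) throw new Error('malformed header line: ' + JSON.stringify(line));
    const name = line.slice(0, colon).toLowerCase();
    let value = line.slice(colon + 1);
    // A correct parser strips OWS on both sides; the buggy policy keeps the tail.
    value = policy.trimOWS ? value.trim() : value.replace(/^[ \t]+/, '');
    headers[name] = value;
  }

  const hasTE = 'transfer-encoding' in headers;
  const hasCL = 'content-length' in headers;
  if (policy.rejectConflict && hasTE && hasCL) {
    throw new Error('both Transfer-Encoding and Content-Length present');
  }

  let body = '';
  let rest = raw.slice(end + 4);
  if (hasTE && headers['transfer-encoding'] === 'chunked') {
    // Chunked framing: read "<hex size>\r\n<data>\r\n" until the zero chunk.
    for (;;) {
      const nl = rest.indexOf('\r\n');
      if (nl === -1) throw new Error('incomplete chunk size');
      const size = parseInt(rest.slice(0, nl), 16);
      if (Number.isNaN(size)) throw new Error('bad chunk size');
      rest = rest.slice(nl + 2);
      if (size === 0) {
        // No trailers in this example: the zero chunk is followed by one CRLF.
        if (!rest.startsWith('\r\n')) throw new Error('missing final CRLF');
        rest = rest.slice(2);
        break;
      }
      body += rest.slice(0, size);
      rest = rest.slice(size + 2);
    }
  } else if (hasCL) {
    // Content-Length framing: the body is exactly `len` bytes.
    const len = parseInt(headers['content-length'], 10);
    if (!Number.isInteger(len) || len < 0) throw new Error('bad Content-Length');
    if (rest.length < len) throw new Error('incomplete body');
    body = rest.slice(0, len);
    rest = rest.slice(len);
  }
  return { request: { requestLine, headers, body }, rest };
}

// Convenience wrapper: never throws, reports how a policy framed the input.
function frame(raw, policy) {
  try {
    const { request, rest } = parseOne(raw, policy);
    return { ok: true, body: request.body, leftover: rest };
  } catch (e) {
    return { ok: false, error: e.message, leftover: raw };
  }
}

// Constructed attack input. Content-Length 13 covers "0\r\n\r\nSMUGGLED";
// the trailing space after "chunked" is the assumed whitespace quirk.
const SMUGGLE =
  'POST / HTTP/1.1\r\n' +
  'Host: example.test\r\n' +
  'Content-Length: 13\r\n' +
  'Transfer-Encoding: chunked \r\n' +
  '\r\n' +
  '0\r\n' +
  '\r\n' +
  'SMUGGLED';

// Constructed well-formed request that every policy should accept.
const CLEAN =
  'POST / HTTP/1.1\r\nHost: example.test\r\nTransfer-Encoding: chunked\r\n\r\n' +
  '5\r\nhello\r\n0\r\n\r\n';

for (const [name, policy] of Object.entries({ BUGGY_FRONTEND, LENIENT_BACKEND, STRICT })) {
  console.log(name, frame(SMUGGLE, policy));
}
```

Under BUGGY_FRONTEND the whole 13-byte body, "SMUGGLED" included, belongs to the first request and nothing is left over; under LENIENT_BACKEND the chunked body is empty and "SMUGGLED" remains in the buffer, where it becomes the prefix of whatever request arrives next on that backend connection. STRICT rejects the message outright, which is the behaviour the hardened parser in these releases aims for, and it still accepts the CLEAN request with body "hello".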

Source: opennet.ru
