rpm package
suse/MozillaFirefox&distro=SUSE Linux Enterprise Server 11 SP4-LTSS
pkg:rpm/suse/MozillaFirefox&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSS
Vulnerabilities (311)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2017-15897 | Low | 3.1 | < 68.2.0-78.51.4 | 68.2.0-78.51.4 | Dec 11, 2017 | Node.js had a bug in versions 8.X and 9.X which caused buffers to not be initialized when the encoding for the fill value did not match the encoding specified. For example, 'Buffer.alloc(0x100, "This is not correctly encoded", "hex");' The buffer implementation was updated such t | |
| CVE-2017-15896 | Cri | 9.1 | < 68.2.0-78.51.4 | 68.2.0-78.51.4 | Dec 11, 2017 | Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result was that an active network attacker could send application data to Node.js using the TLS or HTTP2 modules in a way that bypassed TLS authentica | |
| CVE-2017-3738 | Med | 5.9 | < 68.2.0-78.51.4 | 68.2.0-78.51.4 | Dec 7, 2017 | There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believ | |
| CVE-2017-3736 | Med | 6.5 | < 68.2.0-78.51.4 | 68.2.0-78.51.4 | Nov 2, 2017 | There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL before 1.0.2m and 1.1.0 before 1.1.0g. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are n | |
| CVE-2017-14919 | Hig | 7.5 | < 68.2.0-78.51.4 | 68.2.0-78.51.4 | Oct 30, 2017 | Node.js before 4.8.5, 6.x before 6.11.5, and 8.x before 8.8.0 allows remote attackers to cause a denial of service (uncaught exception and crash) by leveraging a change in the zlib module 1.2.9 making 8 an invalid value for the windowBits parameter. | |
| CVE-2015-7384 | Hig | 7.5 | < 68.2.0-78.51.4 | 68.2.0-78.51.4 | Oct 10, 2017 | Node.js 4.0.0, 4.1.0, and 4.1.1 allows remote attackers to cause a denial of service. | |
| CVE-2017-14849 | Hig | 7.5 | < 68.2.0-78.51.4 | 68.2.0-78.51.4 | Sep 28, 2017 | Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was incompatible with the pathname validation used by unspecified community modules. | |
| CVE-2017-14228 | Med | 5.5 | < 68.2.0-78.51.4 | 68.2.0-78.51.4 | Sep 9, 2017 | In Netwide Assembler (NASM) 2.14rc0, there is an illegal address access in the function paste_tokens() in preproc.c, aka a NULL pointer dereference. It will lead to remote denial of service. | |
| CVE-2017-3735 | Med | 5.3 | < 68.2.0-78.51.4 | 68.2.0-78.51.4 | Aug 28, 2017 | While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in an incorrect text display of the certificate. This bug has been present since 2006 and is present in all versions of OpenSSL before 1.0.2m and 1.1.0g | |
| CVE-2017-11499 | Hig | 7.5 | < 68.2.0-78.51.4 | 68.2.0-78.51.4 | Jul 25, 2017 | Node.js v4.0 through v4.8.3, all versions of v5.x, v6.0 through v6.11.0, v7.0 through v7.10.0, and v8.0 through v8.1.3 was susceptible to hash flooding remote DoS attacks as the HashTable seed was constant across a given released version of Node.js. This was a result of building | |
| CVE-2017-11111 | Hig | 7.8 | < 68.2.0-78.51.4 | 68.2.0-78.51.4 | Jul 8, 2017 | In Netwide Assembler (NASM) 2.14rc0, preproc.c allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted file. | |
| CVE-2017-1000381 | Hig | 7.5 | < 68.2.0-78.51.4 | 68.2.0-78.51.4 | Jul 7, 2017 | The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way. | |
| CVE-2017-10686 | Hig | 7.8 | < 68.2.0-78.51.4 | 68.2.0-78.51.4 | Jun 29, 2017 | In Netwide Assembler (NASM) 2.14rc0, there are multiple heap use after free vulnerabilities in the tool nasm. The related heap is allocated in the token() function and freed in the detoken() function (called by pp_getline()) - it is used again at multiple positions later that cou | |
| CVE-2016-7099 | Med | 5.9 | < 68.2.0-78.51.4 | 68.2.0-78.51.4 | Oct 10, 2016 | The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 does not properly handle wildcards in name fields of X.509 certificates, which allows man-in-the-middle attackers to spoof servers via a crafted ce | |
| CVE-2016-5325 | Med | 6.1 | < 68.2.0-78.51.4 | 68.2.0-78.51.4 | Oct 10, 2016 | CRLF injection vulnerability in the ServerResponse#writeHead function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the reaso | |
| CVE-2016-7052 | Hig | 7.5 | < 68.2.0-78.51.4 | 68.2.0-78.51.4 | Sep 26, 2016 | crypto/x509/x509_vfy.c in OpenSSL 1.0.2i allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) by triggering a CRL operation. | |
| CVE-2016-6306 | Med | 5.9 | < 68.2.0-78.51.4 | 68.2.0-78.51.4 | Sep 26, 2016 | The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2i might allow remote attackers to cause a denial of service (out-of-bounds read) via crafted certificate operations, related to s3_clnt.c and s3_srvr.c. | |
| CVE-2016-6304 | Hig | 7.5 | < 68.2.0-78.51.4 | 68.2.0-78.51.4 | Sep 26, 2016 | Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions. | |
| CVE-2016-5172 | Med | 6.5 | < 68.2.0-78.51.4 | 68.2.0-78.51.4 | Sep 25, 2016 | The parser in Google V8, as used in Google Chrome before 53.0.2785.113, mishandles scopes, which allows remote attackers to obtain sensitive information from arbitrary memory locations via crafted JavaScript code. | |
| CVE-2016-2183 | Hig | 7.5 | < 68.2.0-78.51.4 | 68.2.0-78.51.4 | Sep 1, 2016 | The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-dura |
- affected < 68.2.0-78.51.4fixed 68.2.0-78.51.4
Node.js had a bug in versions 8.X and 9.X which caused buffers to not be initialized when the encoding for the fill value did not match the encoding specified. For example, 'Buffer.alloc(0x100, "This is not correctly encoded", "hex");' The buffer implementation was updated such t
- affected < 68.2.0-78.51.4fixed 68.2.0-78.51.4
Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result was that an active network attacker could send application data to Node.js using the TLS or HTTP2 modules in a way that bypassed TLS authentica
- affected < 68.2.0-78.51.4fixed 68.2.0-78.51.4
There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believ
- affected < 68.2.0-78.51.4fixed 68.2.0-78.51.4
There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL before 1.0.2m and 1.1.0 before 1.1.0g. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are n
- affected < 68.2.0-78.51.4fixed 68.2.0-78.51.4
Node.js before 4.8.5, 6.x before 6.11.5, and 8.x before 8.8.0 allows remote attackers to cause a denial of service (uncaught exception and crash) by leveraging a change in the zlib module 1.2.9 making 8 an invalid value for the windowBits parameter.
- affected < 68.2.0-78.51.4fixed 68.2.0-78.51.4
Node.js 4.0.0, 4.1.0, and 4.1.1 allows remote attackers to cause a denial of service.
- affected < 68.2.0-78.51.4fixed 68.2.0-78.51.4
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was incompatible with the pathname validation used by unspecified community modules.
- affected < 68.2.0-78.51.4fixed 68.2.0-78.51.4
In Netwide Assembler (NASM) 2.14rc0, there is an illegal address access in the function paste_tokens() in preproc.c, aka a NULL pointer dereference. It will lead to remote denial of service.
- affected < 68.2.0-78.51.4fixed 68.2.0-78.51.4
While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in an incorrect text display of the certificate. This bug has been present since 2006 and is present in all versions of OpenSSL before 1.0.2m and 1.1.0g
- affected < 68.2.0-78.51.4fixed 68.2.0-78.51.4
Node.js v4.0 through v4.8.3, all versions of v5.x, v6.0 through v6.11.0, v7.0 through v7.10.0, and v8.0 through v8.1.3 was susceptible to hash flooding remote DoS attacks as the HashTable seed was constant across a given released version of Node.js. This was a result of building
- affected < 68.2.0-78.51.4fixed 68.2.0-78.51.4
In Netwide Assembler (NASM) 2.14rc0, preproc.c allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted file.
- affected < 68.2.0-78.51.4fixed 68.2.0-78.51.4
The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way.
- affected < 68.2.0-78.51.4fixed 68.2.0-78.51.4
In Netwide Assembler (NASM) 2.14rc0, there are multiple heap use after free vulnerabilities in the tool nasm. The related heap is allocated in the token() function and freed in the detoken() function (called by pp_getline()) - it is used again at multiple positions later that cou
- affected < 68.2.0-78.51.4fixed 68.2.0-78.51.4
The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 does not properly handle wildcards in name fields of X.509 certificates, which allows man-in-the-middle attackers to spoof servers via a crafted ce
- affected < 68.2.0-78.51.4fixed 68.2.0-78.51.4
CRLF injection vulnerability in the ServerResponse#writeHead function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the reaso
- affected < 68.2.0-78.51.4fixed 68.2.0-78.51.4
crypto/x509/x509_vfy.c in OpenSSL 1.0.2i allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) by triggering a CRL operation.
- affected < 68.2.0-78.51.4fixed 68.2.0-78.51.4
The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2i might allow remote attackers to cause a denial of service (out-of-bounds read) via crafted certificate operations, related to s3_clnt.c and s3_srvr.c.
- affected < 68.2.0-78.51.4fixed 68.2.0-78.51.4
Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions.
- affected < 68.2.0-78.51.4fixed 68.2.0-78.51.4
The parser in Google V8, as used in Google Chrome before 53.0.2785.113, mishandles scopes, which allows remote attackers to obtain sensitive information from arbitrary memory locations via crafted JavaScript code.
- affected < 68.2.0-78.51.4fixed 68.2.0-78.51.4
The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-dura
Page 15 of 16