rpm package
suse/firefox-libffi&distro=SUSE Linux Enterprise Server 11 SP4-LTSS
pkg:rpm/suse/firefox-libffi&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSS
Vulnerabilities (118)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2016-7099 | Med | 5.9 | | < 3.2.1.git259-2.3.3 | 3.2.1.git259-2.3.3 | Oct 10, 2016 | The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 does not properly handle wildcards in name fields of X.509 certificates, which allows man-in-the-middle attackers to spoof servers via a crafted ce |
| CVE-2016-5325 | Med | 6.1 | | < 3.2.1.git259-2.3.3 | 3.2.1.git259-2.3.3 | Oct 10, 2016 | CRLF injection vulnerability in the ServerResponse#writeHead function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the reaso |
| CVE-2016-7052 | High | 7.5 | | < 3.2.1.git259-2.3.3 | 3.2.1.git259-2.3.3 | Sep 26, 2016 | crypto/x509/x509_vfy.c in OpenSSL 1.0.2i allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) by triggering a CRL operation. |
| CVE-2016-6306 | Med | 5.9 | | < 3.2.1.git259-2.3.3 | 3.2.1.git259-2.3.3 | Sep 26, 2016 | The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2i might allow remote attackers to cause a denial of service (out-of-bounds read) via crafted certificate operations, related to s3_clnt.c and s3_srvr.c. |
| CVE-2016-6304 | High | 7.5 | | < 3.2.1.git259-2.3.3 | 3.2.1.git259-2.3.3 | Sep 26, 2016 | Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions. |
| CVE-2016-5172 | Med | 6.5 | | < 3.2.1.git259-2.3.3 | 3.2.1.git259-2.3.3 | Sep 25, 2016 | The parser in Google V8, as used in Google Chrome before 53.0.2785.113, mishandles scopes, which allows remote attackers to obtain sensitive information from arbitrary memory locations via crafted JavaScript code. |
| CVE-2016-2183 | High | 7.5 | | < 3.2.1.git259-2.3.3 | 3.2.1.git259-2.3.3 | Sep 1, 2016 | The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-dura |
| CVE-2016-2178 | Med | 5.5 | | < 3.2.1.git259-2.3.3 | 3.2.1.git259-2.3.3 | Jun 20, 2016 | The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time operations, which makes it easier for local users to discover a DSA private key via a timing side-channel attack. |
| CVE-2016-2216 | High | 7.5 | | < 3.2.1.git259-2.3.3 | 3.2.1.git259-2.3.3 | Apr 7, 2016 | The HTTP header parsing code in Node.js 0.10.x before 0.10.42, 0.11.6 through 0.11.16, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allows remote attackers to bypass an HTTP response-splitting protection mechanism via UTF-8 encoded Unicode characters in the HTTP |
| CVE-2016-2086 | High | 7.5 | | < 3.2.1.git259-2.3.3 | 3.2.1.git259-2.3.3 | Apr 7, 2016 | Node.js 0.10.x before 0.10.42, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allow remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header. |
| CVE-2015-3194 | High | 7.5 | | < 3.2.1.git259-2.3.3 | 3.2.1.git259-2.3.3 | Dec 6, 2015 | crypto/rsa/rsa_ameth.c in OpenSSL 1.0.1 before 1.0.1q and 1.0.2 before 1.0.2e allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an RSA PSS ASN.1 signature that lacks a mask generation function parameter. |
| CVE-2015-3193 | High | 7.5 | | < 3.2.1.git259-2.3.3 | 3.2.1.git259-2.3.3 | Dec 6, 2015 | The Montgomery squaring implementation in crypto/bn/asm/x86_64-mont5.pl in OpenSSL 1.0.2 before 1.0.2e on the x86_64 platform, as used by the BN_mod_exp function, mishandles carry propagation and produces incorrect output, which makes it easier for remote attackers to obtain sens |
| CVE-2015-5380 | — | — | | < 3.2.1.git259-2.3.3 | 3.2.1.git259-2.3.3 | Jul 9, 2015 | The Utf8DecoderBase::WriteUtf16Slow function in unicode-decoder.cc in Google V8, as used in Node.js before 0.12.6, io.js before 1.8.3 and 2.x before 2.3.3, and other products, does not verify that there is memory available for a UTF-16 surrogate pair, which allows remote attacker |
| CVE-2014-0224 | High | 7.4 | | < 3.2.1.git259-2.3.3 | 3.2.1.git259-2.3.3 | Jun 5, 2014 | OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and consequen |
| CVE-2013-6668 | — | — | | < 3.2.1.git259-2.3.3 | 3.2.1.git259-2.3.3 | Mar 5, 2014 | Multiple unspecified vulnerabilities in Google V8 before 3.24.35.10, as used in Google Chrome before 33.0.1750.146, allow attackers to cause a denial of service or possibly have other impact via unknown vectors. |
| CVE-2013-6640 | — | — | | < 3.2.1.git259-2.3.3 | 3.2.1.git259-2.3.3 | Dec 7, 2013 | The DehoistArrayIndex function in hydrogen-dehoist.cc (aka hydrogen.cc) in Google V8 before 3.22.24.7, as used in Google Chrome before 31.0.1650.63, allows remote attackers to cause a denial of service (out-of-bounds read) via JavaScript code that sets a variable to the value of |
| CVE-2013-6639 | — | — | | < 3.2.1.git259-2.3.3 | 3.2.1.git259-2.3.3 | Dec 7, 2013 | The DehoistArrayIndex function in hydrogen-dehoist.cc (aka hydrogen.cc) in Google V8 before 3.22.24.7, as used in Google Chrome before 31.0.1650.63, allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact via JavaScript |
| CVE-2013-2882 | — | — | | < 3.2.1.git259-2.3.3 | 3.2.1.git259-2.3.3 | Jul 31, 2013 | Google V8, as used in Google Chrome before 28.0.1500.95, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that leverage "type confusion." |
Page 6 of 6