rpm package
suse/firefox-pango&distro=SUSE Linux Enterprise Server 11 SP4-LTSS
pkg:rpm/suse/firefox-pango&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSS
Vulnerabilities (118)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2019-9947 | — | < 1.40.14-2.7.4 | 1.40.14-2.7.4 | Mar 23, 2019 | An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path compone | ||
| CVE-2019-9636 | — | < 1.40.14-2.7.4 | 1.40.14-2.7.4 | Mar 8, 2019 | Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The component | ||
| CVE-2018-20406 | — | < 1.40.14-2.7.4 | 1.40.14-2.7.4 | Dec 23, 2018 | Modules/_pickle.c in Python before 3.7.1 has an integer overflow via a large LONG_BINPUT value that is mishandled during a "resize to twice the size" attempt. This issue might cause memory exhaustion, but is only relevant if the pickle format is used for serializing tens or hundr | ||
| CVE-2018-12123 | — | < 1.40.14-2.7.4 | 1.40.14-2.7.4 | Nov 28, 2018 | Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" (e.g. | ||
| CVE-2018-12122 | — | < 1.40.14-2.7.4 | 1.40.14-2.7.4 | Nov 28, 2018 | Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time. | ||
| CVE-2018-12121 | — | < 1.40.14-2.7.4 | 1.40.14-2.7.4 | Nov 28, 2018 | Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible to | ||
| CVE-2018-12116 | — | < 1.40.14-2.7.4 | 1.40.14-2.7.4 | Nov 28, 2018 | Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-define | ||
| CVE-2018-12115 | — | < 1.40.14-2.7.4 | 1.40.14-2.7.4 | Aug 21, 2018 | In all versions of Node.js prior to 6.14.4, 8.11.4 and 10.9.0 when used with UCS-2 encoding (recognized by Node.js under the names `'ucs2'`, `'ucs-2'`, `'utf16le'` and `'utf-16le'`), `Buffer#write()` can be abused to write outside of the bounds of a single `Buffer`. Writes that s | ||
| CVE-2018-7167 | — | < 1.40.14-2.7.4 | 1.40.14-2.7.4 | Jun 13, 2018 | Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a Denial of Service. In order to address this vulnerability, the implementations of Buffer.alloc() and Buffer.fill() were updated so that they zero fill instead of hanging in the | ||
| CVE-2018-7161 | — | < 1.40.14-2.7.4 | 1.40.14-2.7.4 | Jun 13, 2018 | All versions of Node.js 8.x, 9.x, and 10.x are vulnerable and the severity is HIGH. An attacker can cause a denial of service (DoS) by causing a node server providing an http2 server to crash. This can be accomplished by interacting with the http2 server in a manner that triggers | ||
| CVE-2018-0732 | — | < 1.40.14-2.7.4 | 1.40.14-2.7.4 | Jun 12, 2018 | During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client | ||
| CVE-2018-7160 | — | < 1.40.14-2.7.4 | 1.40.14-2.7.4 | May 17, 2018 | The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or another computer with network access to the comp | ||
| CVE-2018-7159 | — | < 1.40.14-2.7.4 | 1.40.14-2.7.4 | May 17, 2018 | The HTTP parser in all current versions of Node.js ignores spaces in the `Content-Length` header, allowing input such as `Content-Length: 1 2` to be interpreted as having a value of `12`. The HTTP specification does not allow for spaces in the `Content-Length` value and the Node. | ||
| CVE-2018-7158 | — | < 1.40.14-2.7.4 | 1.40.14-2.7.4 | May 17, 2018 | The `'path'` module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in question was replaced in Node.js 6.x and later so this vulnerability only impacts all versions of Node.js 4.x. The regular expression, `splitP | ||
| CVE-2018-1000168 | — | < 1.40.14-2.7.4 | 1.40.14-2.7.4 | May 8, 2018 | nghttp2 version >= 1.10.0 and nghttp2 <= v1.31.0 contains an Improper Input Validation CWE-20 vulnerability in ALTSVC frame handling that can result in segmentation fault leading to denial of service. This attack appears to be exploitable via network client. This vulnerability ap | ||
| CVE-2017-18207 | — | < 1.40.14-2.7.4 | 1.40.14-2.7.4 | Mar 1, 2018 | The Wave_read._read_fmt_chunk function in Lib/wave.py in Python through 3.6.4 does not ensure a nonzero channel value, which allows attackers to cause a denial of service (divide-by-zero and exception) via a crafted wav format audio file. NOTE: the vendor disputes this issue beca | ||
| CVE-2017-17820 | Med | 5.5 | < 1.40.14-2.7.4 | 1.40.14-2.7.4 | Dec 21, 2017 | In Netwide Assembler (NASM) 2.14rc0, there is a use-after-free in pp_list_one_macro in asm/preproc.c that will lead to a remote denial of service attack, related to mishandling of operand-type errors. | |
| CVE-2017-17819 | Med | 5.5 | < 1.40.14-2.7.4 | 1.40.14-2.7.4 | Dec 21, 2017 | In Netwide Assembler (NASM) 2.14rc0, there is an illegal address access in the function find_cc() in asm/preproc.c that will cause a remote denial of service attack, because pointers associated with skip_white_ calls are not validated. | |
| CVE-2017-17818 | Hig | 7.5 | < 1.40.14-2.7.4 | 1.40.14-2.7.4 | Dec 21, 2017 | In Netwide Assembler (NASM) 2.14rc0, there is a heap-based buffer over-read that will cause a remote denial of service attack, related to a while loop in paste_tokens in asm/preproc.c. | |
| CVE-2017-17817 | Med | 5.5 | < 1.40.14-2.7.4 | 1.40.14-2.7.4 | Dec 21, 2017 | In Netwide Assembler (NASM) 2.14rc0, there is a use-after-free in pp_verror in asm/preproc.c that will cause a remote denial of service attack. |
- CVE-2019-9947Mar 23, 2019affected < 1.40.14-2.7.4fixed 1.40.14-2.7.4
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the path compone
- CVE-2019-9636Mar 8, 2019affected < 1.40.14-2.7.4fixed 1.40.14-2.7.4
Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The component
- CVE-2018-20406Dec 23, 2018affected < 1.40.14-2.7.4fixed 1.40.14-2.7.4
Modules/_pickle.c in Python before 3.7.1 has an integer overflow via a large LONG_BINPUT value that is mishandled during a "resize to twice the size" attempt. This issue might cause memory exhaustion, but is only relevant if the pickle format is used for serializing tens or hundr
- CVE-2018-12123Nov 28, 2018affected < 1.40.14-2.7.4fixed 1.40.14-2.7.4
Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" (e.g.
- CVE-2018-12122Nov 28, 2018affected < 1.40.14-2.7.4fixed 1.40.14-2.7.4
Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time.
- CVE-2018-12121Nov 28, 2018affected < 1.40.14-2.7.4fixed 1.40.14-2.7.4
Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible to
- CVE-2018-12116Nov 28, 2018affected < 1.40.14-2.7.4fixed 1.40.14-2.7.4
Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-define
- CVE-2018-12115Aug 21, 2018affected < 1.40.14-2.7.4fixed 1.40.14-2.7.4
In all versions of Node.js prior to 6.14.4, 8.11.4 and 10.9.0 when used with UCS-2 encoding (recognized by Node.js under the names `'ucs2'`, `'ucs-2'`, `'utf16le'` and `'utf-16le'`), `Buffer#write()` can be abused to write outside of the bounds of a single `Buffer`. Writes that s
- CVE-2018-7167Jun 13, 2018affected < 1.40.14-2.7.4fixed 1.40.14-2.7.4
Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a Denial of Service. In order to address this vulnerability, the implementations of Buffer.alloc() and Buffer.fill() were updated so that they zero fill instead of hanging in the
- CVE-2018-7161Jun 13, 2018affected < 1.40.14-2.7.4fixed 1.40.14-2.7.4
All versions of Node.js 8.x, 9.x, and 10.x are vulnerable and the severity is HIGH. An attacker can cause a denial of service (DoS) by causing a node server providing an http2 server to crash. This can be accomplished by interacting with the http2 server in a manner that triggers
- CVE-2018-0732Jun 12, 2018affected < 1.40.14-2.7.4fixed 1.40.14-2.7.4
During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client
- CVE-2018-7160May 17, 2018affected < 1.40.14-2.7.4fixed 1.40.14-2.7.4
The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or another computer with network access to the comp
- CVE-2018-7159May 17, 2018affected < 1.40.14-2.7.4fixed 1.40.14-2.7.4
The HTTP parser in all current versions of Node.js ignores spaces in the `Content-Length` header, allowing input such as `Content-Length: 1 2` to be interpreted as having a value of `12`. The HTTP specification does not allow for spaces in the `Content-Length` value and the Node.
- CVE-2018-7158May 17, 2018affected < 1.40.14-2.7.4fixed 1.40.14-2.7.4
The `'path'` module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in question was replaced in Node.js 6.x and later so this vulnerability only impacts all versions of Node.js 4.x. The regular expression, `splitP
- CVE-2018-1000168May 8, 2018affected < 1.40.14-2.7.4fixed 1.40.14-2.7.4
nghttp2 version >= 1.10.0 and nghttp2 <= v1.31.0 contains an Improper Input Validation CWE-20 vulnerability in ALTSVC frame handling that can result in segmentation fault leading to denial of service. This attack appears to be exploitable via network client. This vulnerability ap
- CVE-2017-18207Mar 1, 2018affected < 1.40.14-2.7.4fixed 1.40.14-2.7.4
The Wave_read._read_fmt_chunk function in Lib/wave.py in Python through 3.6.4 does not ensure a nonzero channel value, which allows attackers to cause a denial of service (divide-by-zero and exception) via a crafted wav format audio file. NOTE: the vendor disputes this issue beca
- affected < 1.40.14-2.7.4fixed 1.40.14-2.7.4
In Netwide Assembler (NASM) 2.14rc0, there is a use-after-free in pp_list_one_macro in asm/preproc.c that will lead to a remote denial of service attack, related to mishandling of operand-type errors.
- affected < 1.40.14-2.7.4fixed 1.40.14-2.7.4
In Netwide Assembler (NASM) 2.14rc0, there is an illegal address access in the function find_cc() in asm/preproc.c that will cause a remote denial of service attack, because pointers associated with skip_white_ calls are not validated.
- affected < 1.40.14-2.7.4fixed 1.40.14-2.7.4
In Netwide Assembler (NASM) 2.14rc0, there is a heap-based buffer over-read that will cause a remote denial of service attack, related to a while loop in paste_tokens in asm/preproc.c.
- affected < 1.40.14-2.7.4fixed 1.40.14-2.7.4
In Netwide Assembler (NASM) 2.14rc0, there is a use-after-free in pp_verror in asm/preproc.c that will cause a remote denial of service attack.
Page 4 of 6