VYPR

rpm package

suse/mozilla-nspr&distro=SUSE Linux Enterprise Server 11 SP4-LTSS

pkg:rpm/suse/mozilla-nspr&distro=SUSE%20Linux%20Enterprise%20Server%2011%20SP4-LTSS

Vulnerabilities (134)

  • CVE-2017-17812 (Medium), Dec 21, 2017
    affected < 4.21-29.6.1; fixed 4.21-29.6.1

    In Netwide Assembler (NASM) 2.14rc0, there is a heap-based buffer over-read in the function detoken() in asm/preproc.c that will cause a remote denial of service attack.

  • CVE-2017-17811 (Medium), Dec 21, 2017
    affected < 4.21-29.6.1; fixed 4.21-29.6.1

    In Netwide Assembler (NASM) 2.14rc0, there is a heap-based buffer overflow that will cause a remote denial of service attack, related to a strcpy in paste_tokens in asm/preproc.c, a similar issue to CVE-2017-11111.

  • CVE-2017-17810 (Medium), Dec 21, 2017
    affected < 4.21-29.6.1; fixed 4.21-29.6.1

    In Netwide Assembler (NASM) 2.14rc0, there is a "SEGV on unknown address" that will cause a remote denial of service attack, because asm/preproc.c mishandles macro calls that have the wrong number of arguments.

  • CVE-2017-15897 (Low), Dec 11, 2017
    affected < 4.21-29.6.1; fixed 4.21-29.6.1

    Node.js had a bug in versions 8.X and 9.X which caused buffers to not be initialized when the encoding for the fill value did not match the encoding specified. For example, 'Buffer.alloc(0x100, "This is not correctly encoded", "hex");' The buffer implementation was updated such t

  • CVE-2017-15896 (Critical), Dec 11, 2017
    affected < 4.21-29.6.1; fixed 4.21-29.6.1

    Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result was that an active network attacker could send application data to Node.js using the TLS or HTTP2 modules in a way that bypassed TLS authentica

  • CVE-2017-3738 (Medium), Dec 7, 2017
    affected < 4.21-29.6.1; fixed 4.21-29.6.1

    There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believ

  • CVE-2017-3736 (Medium), Nov 2, 2017
    affected < 4.21-29.6.1; fixed 4.21-29.6.1

    There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL before 1.0.2m and 1.1.0 before 1.1.0g. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are n

  • CVE-2017-14919 (High), Oct 30, 2017
    affected < 4.21-29.6.1; fixed 4.21-29.6.1

    Node.js before 4.8.5, 6.x before 6.11.5, and 8.x before 8.8.0 allows remote attackers to cause a denial of service (uncaught exception and crash) by leveraging a change in the zlib module 1.2.9 making 8 an invalid value for the windowBits parameter.

  • CVE-2015-7384 (High), Oct 10, 2017
    affected < 4.21-29.6.1; fixed 4.21-29.6.1

    Node.js 4.0.0, 4.1.0, and 4.1.1 allows remote attackers to cause a denial of service.

  • CVE-2017-14849 (High), Sep 28, 2017
    affected < 4.21-29.6.1; fixed 4.21-29.6.1

    Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was incompatible with the pathname validation used by unspecified community modules.

  • CVE-2017-14228 (Medium), Sep 9, 2017
    affected < 4.21-29.6.1; fixed 4.21-29.6.1

    In Netwide Assembler (NASM) 2.14rc0, there is an illegal address access in the function paste_tokens() in preproc.c, aka a NULL pointer dereference. It will lead to remote denial of service.

  • CVE-2017-3735 (Medium), Aug 28, 2017
    affected < 4.21-29.6.1; fixed 4.21-29.6.1

    While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in an incorrect text display of the certificate. This bug has been present since 2006 and is present in all versions of OpenSSL before 1.0.2m and 1.1.0g

  • CVE-2017-11499 (High), Jul 25, 2017
    affected < 4.21-29.6.1; fixed 4.21-29.6.1

    Node.js v4.0 through v4.8.3, all versions of v5.x, v6.0 through v6.11.0, v7.0 through v7.10.0, and v8.0 through v8.1.3 was susceptible to hash flooding remote DoS attacks as the HashTable seed was constant across a given released version of Node.js. This was a result of building

  • CVE-2017-11111 (High), Jul 8, 2017
    affected < 4.21-29.6.1; fixed 4.21-29.6.1

    In Netwide Assembler (NASM) 2.14rc0, preproc.c allows remote attackers to cause a denial of service (heap-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted file.

  • CVE-2017-1000381 (High), Jul 7, 2017
    affected < 4.21-29.6.1; fixed 4.21-29.6.1

    The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way.

  • CVE-2017-10686 (High), Jun 29, 2017
    affected < 4.21-29.6.1; fixed 4.21-29.6.1

    In Netwide Assembler (NASM) 2.14rc0, there are multiple heap use after free vulnerabilities in the tool nasm. The related heap is allocated in the token() function and freed in the detoken() function (called by pp_getline()) - it is used again at multiple positions later that cou

  • CVE-2016-7099 (Medium), Oct 10, 2016
    affected < 4.21-29.6.1; fixed 4.21-29.6.1

    The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 does not properly handle wildcards in name fields of X.509 certificates, which allows man-in-the-middle attackers to spoof servers via a crafted ce

  • CVE-2016-5325 (Medium), Oct 10, 2016
    affected < 4.21-29.6.1; fixed 4.21-29.6.1

    CRLF injection vulnerability in the ServerResponse#writeHead function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the reaso

  • CVE-2016-7052 (High), Sep 26, 2016
    affected < 4.21-29.6.1; fixed 4.21-29.6.1

    crypto/x509/x509_vfy.c in OpenSSL 1.0.2i allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) by triggering a CRL operation.

  • CVE-2016-6306 (Medium), Sep 26, 2016
    affected < 4.21-29.6.1; fixed 4.21-29.6.1

    The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2i might allow remote attackers to cause a denial of service (out-of-bounds read) via crafted certificate operations, related to s3_clnt.c and s3_srvr.c.
