rpm package
suse/nodejs4&distro=SUSE Linux Enterprise Module for Web and Scripting 12
pkg:rpm/suse/nodejs4&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2012
Vulnerabilities (33)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2017-11499 | Hig | 7.5 | < 4.8.4-15.5.1 | 4.8.4-15.5.1 | Jul 25, 2017 | Node.js v4.0 through v4.8.3, all versions of v5.x, v6.0 through v6.11.0, v7.0 through v7.10.0, and v8.0 through v8.1.3 was susceptible to hash flooding remote DoS attacks as the HashTable seed was constant across a given released version of Node.js. This was a result of building | |
| CVE-2017-1000381 | Hig | 7.5 | < 4.8.4-15.5.1 | 4.8.4-15.5.1 | Jul 7, 2017 | The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way. | |
| CVE-2016-7055 | Med | 5.9 | < 4.7.3-14.1 | 4.7.3-14.1 | May 4, 2017 | There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure in OpenSSL 1.0.2 and 1.1.0 before 1.1.0c that handles input lengths divisible by, but longer than 256 bits. Analysis suggests that attacks against RSA, DSA and DH private keys are impos | |
| CVE-2017-3732 | Med | 5.9 | < 4.7.3-14.1 | 4.7.3-14.1 | May 4, 2017 | There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL 1.0.2 before 1.0.2k and 1.1.0 before 1.1.0d. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and | |
| CVE-2017-3731 | Hig | 7.5 | < 4.7.3-14.1 | 4.7.3-14.1 | May 4, 2017 | If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. For OpenSSL 1.1.0, the crash can be triggered when using CHACHA | |
| CVE-2016-7099 | Med | 5.9 | < 4.6.0-8.1 | 4.6.0-8.1 | Oct 10, 2016 | The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 does not properly handle wildcards in name fields of X.509 certificates, which allows man-in-the-middle attackers to spoof servers via a crafted ce | |
| CVE-2016-5325 | Med | 6.1 | < 4.6.0-8.1 | 4.6.0-8.1 | Oct 10, 2016 | CRLF injection vulnerability in the ServerResponse#writeHead function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the reaso | |
| CVE-2016-5180 | Cri | 9.8 | < 4.6.1-11.1 | 4.6.1-11.1 | Oct 3, 2016 | Heap-based buffer overflow in the ares_create_query function in c-ares 1.x before 1.12.0 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly execute arbitrary code via a hostname with an escaped trailing dot. | |
| CVE-2016-7052 | Hig | 7.5 | < 4.6.0-8.1 | 4.6.0-8.1 | Sep 26, 2016 | crypto/x509/x509_vfy.c in OpenSSL 1.0.2i allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) by triggering a CRL operation. | |
| CVE-2016-6306 | Med | 5.9 | < 4.6.0-8.1 | 4.6.0-8.1 | Sep 26, 2016 | The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2i might allow remote attackers to cause a denial of service (out-of-bounds read) via crafted certificate operations, related to s3_clnt.c and s3_srvr.c. | |
| CVE-2016-6304 | Hig | 7.5 | < 4.6.0-8.1 | 4.6.0-8.1 | Sep 26, 2016 | Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions. | |
| CVE-2016-2183 | Hig | 7.5 | < 4.6.0-8.1 | 4.6.0-8.1 | Sep 1, 2016 | The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-dura | |
| CVE-2016-2178 | Med | 5.5 | < 4.6.0-8.1 | 4.6.0-8.1 | Jun 20, 2016 | The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time operations, which makes it easier for local users to discover a DSA private key via a timing side-channel attack. |
- affected < 4.8.4-15.5.1fixed 4.8.4-15.5.1
Node.js v4.0 through v4.8.3, all versions of v5.x, v6.0 through v6.11.0, v7.0 through v7.10.0, and v8.0 through v8.1.3 was susceptible to hash flooding remote DoS attacks as the HashTable seed was constant across a given released version of Node.js. This was a result of building
- affected < 4.8.4-15.5.1fixed 4.8.4-15.5.1
The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way.
- affected < 4.7.3-14.1fixed 4.7.3-14.1
There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure in OpenSSL 1.0.2 and 1.1.0 before 1.1.0c that handles input lengths divisible by, but longer than 256 bits. Analysis suggests that attacks against RSA, DSA and DH private keys are impos
- affected < 4.7.3-14.1fixed 4.7.3-14.1
There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL 1.0.2 before 1.0.2k and 1.1.0 before 1.1.0d. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and
- affected < 4.7.3-14.1fixed 4.7.3-14.1
If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. For OpenSSL 1.1.0, the crash can be triggered when using CHACHA
- affected < 4.6.0-8.1fixed 4.6.0-8.1
The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 does not properly handle wildcards in name fields of X.509 certificates, which allows man-in-the-middle attackers to spoof servers via a crafted ce
- affected < 4.6.0-8.1fixed 4.6.0-8.1
CRLF injection vulnerability in the ServerResponse#writeHead function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the reaso
- affected < 4.6.1-11.1fixed 4.6.1-11.1
Heap-based buffer overflow in the ares_create_query function in c-ares 1.x before 1.12.0 allows remote attackers to cause a denial of service (out-of-bounds write) or possibly execute arbitrary code via a hostname with an escaped trailing dot.
- affected < 4.6.0-8.1fixed 4.6.0-8.1
crypto/x509/x509_vfy.c in OpenSSL 1.0.2i allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) by triggering a CRL operation.
- affected < 4.6.0-8.1fixed 4.6.0-8.1
The certificate parser in OpenSSL before 1.0.1u and 1.0.2 before 1.0.2i might allow remote attackers to cause a denial of service (out-of-bounds read) via crafted certificate operations, related to s3_clnt.c and s3_srvr.c.
- affected < 4.6.0-8.1fixed 4.6.0-8.1
Multiple memory leaks in t1_lib.c in OpenSSL before 1.0.1u, 1.0.2 before 1.0.2i, and 1.1.0 before 1.1.0a allow remote attackers to cause a denial of service (memory consumption) via large OCSP Status Request extensions.
- affected < 4.6.0-8.1fixed 4.6.0-8.1
The DES and Triple DES ciphers, as used in the TLS, SSH, and IPSec protocols and other protocols and products, have a birthday bound of approximately four billion blocks, which makes it easier for remote attackers to obtain cleartext data via a birthday attack against a long-dura
- affected < 4.6.0-8.1fixed 4.6.0-8.1
The dsa_sign_setup function in crypto/dsa/dsa_ossl.c in OpenSSL through 1.0.2h does not properly ensure the use of constant-time operations, which makes it easier for local users to discover a DSA private key via a timing side-channel attack.
Page 2 of 2