rpm package
suse/nodejs6&distro=SUSE Linux Enterprise Module for Web and Scripting 12
pkg:rpm/suse/nodejs6&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2012
Vulnerabilities (35)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2018-7167 | Hig | 7.5 | < 6.14.3-11.15.1 | 6.14.3-11.15.1 | Jun 13, 2018 | Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a Denial of Service. In order to address this vulnerability, the implementations of Buffer.alloc() and Buffer.fill() were updated so that they zero fill instead of hanging in the | |
| CVE-2018-0732 | Hig | 7.5 | < 6.14.4-11.18.1 | 6.14.4-11.18.1 | Jun 12, 2018 | During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client | |
| CVE-2018-7160 | Hig | 8.8 | < 6.14.1-11.12.1 | 6.14.1-11.12.1 | May 17, 2018 | The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or another computer with network access to the comp | |
| CVE-2018-7159 | Med | 5.3 | < 6.14.1-11.12.1 | 6.14.1-11.12.1 | May 17, 2018 | The HTTP parser in all current versions of Node.js ignores spaces in the `Content-Length` header, allowing input such as `Content-Length: 1 2` to be interpreted as having a value of `12`. The HTTP specification does not allow for spaces in the `Content-Length` value and the Node. | |
| CVE-2018-7158 | Hig | 7.5 | < 6.14.1-11.12.1 | 6.14.1-11.12.1 | May 17, 2018 | The `'path'` module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in question was replaced in Node.js 6.x and later so this vulnerability only impacts all versions of Node.js 4.x. The regular expression, `splitP | |
| CVE-2017-15896 | Cri | 9.1 | < 6.12.2-11.8.1 | 6.12.2-11.8.1 | Dec 11, 2017 | Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result was that an active network attacker could send application data to Node.js using the TLS or HTTP2 modules in a way that bypassed TLS authentica | |
| CVE-2017-3738 | Med | 5.9 | < 6.12.2-11.8.1 | 6.12.2-11.8.1 | Dec 7, 2017 | There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believ | |
| CVE-2017-3736 | Med | 6.5 | < 6.12.2-11.8.1 | 6.12.2-11.8.1 | Nov 2, 2017 | There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL before 1.0.2m and 1.1.0 before 1.1.0g. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are n | |
| CVE-2017-14919 | Hig | 7.5 | < 6.12.2-11.8.1 | 6.12.2-11.8.1 | Oct 30, 2017 | Node.js before 4.8.5, 6.x before 6.11.5, and 8.x before 8.8.0 allows remote attackers to cause a denial of service (uncaught exception and crash) by leveraging a change in the zlib module 1.2.9 making 8 an invalid value for the windowBits parameter. | |
| CVE-2017-3735 | Med | 5.3 | < 6.12.2-11.8.1 | 6.12.2-11.8.1 | Aug 28, 2017 | While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in an incorrect text display of the certificate. This bug has been present since 2006 and is present in all versions of OpenSSL before 1.0.2m and 1.1.0g | |
| CVE-2017-11499 | Hig | 7.5 | < 6.11.1-11.5.1 | 6.11.1-11.5.1 | Jul 25, 2017 | Node.js v4.0 through v4.8.3, all versions of v5.x, v6.0 through v6.11.0, v7.0 through v7.10.0, and v8.0 through v8.1.3 was susceptible to hash flooding remote DoS attacks as the HashTable seed was constant across a given released version of Node.js. This was a result of building | |
| CVE-2017-1000381 | Hig | 7.5 | < 6.11.1-11.5.1 | 6.11.1-11.5.1 | Jul 7, 2017 | The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way. | |
| CVE-2016-7055 | Med | 5.9 | < 6.9.5-7.1 | 6.9.5-7.1 | May 4, 2017 | There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure in OpenSSL 1.0.2 and 1.1.0 before 1.1.0c that handles input lengths divisible by, but longer than 256 bits. Analysis suggests that attacks against RSA, DSA and DH private keys are impos | |
| CVE-2017-3732 | Med | 5.9 | < 6.9.5-7.1 | 6.9.5-7.1 | May 4, 2017 | There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL 1.0.2 before 1.0.2k and 1.1.0 before 1.1.0d. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and | |
| CVE-2017-3731 | Hig | 7.5 | < 6.9.5-7.1 | 6.9.5-7.1 | May 4, 2017 | If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. For OpenSSL 1.1.0, the crash can be triggered when using CHACHA |
- affected < 6.14.3-11.15.1fixed 6.14.3-11.15.1
Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a Denial of Service. In order to address this vulnerability, the implementations of Buffer.alloc() and Buffer.fill() were updated so that they zero fill instead of hanging in the
- affected < 6.14.4-11.18.1fixed 6.14.4-11.18.1
During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client
- affected < 6.14.1-11.12.1fixed 6.14.1-11.12.1
The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or another computer with network access to the comp
- affected < 6.14.1-11.12.1fixed 6.14.1-11.12.1
The HTTP parser in all current versions of Node.js ignores spaces in the `Content-Length` header, allowing input such as `Content-Length: 1 2` to be interpreted as having a value of `12`. The HTTP specification does not allow for spaces in the `Content-Length` value and the Node.
- affected < 6.14.1-11.12.1fixed 6.14.1-11.12.1
The `'path'` module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in question was replaced in Node.js 6.x and later so this vulnerability only impacts all versions of Node.js 4.x. The regular expression, `splitP
- affected < 6.12.2-11.8.1fixed 6.12.2-11.8.1
Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result was that an active network attacker could send application data to Node.js using the TLS or HTTP2 modules in a way that bypassed TLS authentica
- affected < 6.12.2-11.8.1fixed 6.12.2-11.8.1
There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believ
- affected < 6.12.2-11.8.1fixed 6.12.2-11.8.1
There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL before 1.0.2m and 1.1.0 before 1.1.0g. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are n
- affected < 6.12.2-11.8.1fixed 6.12.2-11.8.1
Node.js before 4.8.5, 6.x before 6.11.5, and 8.x before 8.8.0 allows remote attackers to cause a denial of service (uncaught exception and crash) by leveraging a change in the zlib module 1.2.9 making 8 an invalid value for the windowBits parameter.
- affected < 6.12.2-11.8.1fixed 6.12.2-11.8.1
While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in an incorrect text display of the certificate. This bug has been present since 2006 and is present in all versions of OpenSSL before 1.0.2m and 1.1.0g
- affected < 6.11.1-11.5.1fixed 6.11.1-11.5.1
Node.js v4.0 through v4.8.3, all versions of v5.x, v6.0 through v6.11.0, v7.0 through v7.10.0, and v8.0 through v8.1.3 was susceptible to hash flooding remote DoS attacks as the HashTable seed was constant across a given released version of Node.js. This was a result of building
- affected < 6.11.1-11.5.1fixed 6.11.1-11.5.1
The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way.
- affected < 6.9.5-7.1fixed 6.9.5-7.1
There is a carry propagating bug in the Broadwell-specific Montgomery multiplication procedure in OpenSSL 1.0.2 and 1.1.0 before 1.1.0c that handles input lengths divisible by, but longer than 256 bits. Analysis suggests that attacks against RSA, DSA and DH private keys are impos
- affected < 6.9.5-7.1fixed 6.9.5-7.1
There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL 1.0.2 before 1.0.2k and 1.1.0 before 1.1.0d. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and
- affected < 6.9.5-7.1fixed 6.9.5-7.1
If an SSL/TLS server or client is running on a 32-bit host, and a specific cipher is being used, then a truncated packet can cause that server or client to perform an out-of-bounds read, usually resulting in a crash. For OpenSSL 1.1.0, the crash can be triggered when using CHACHA
Page 2 of 2