VYPR

rpm package

suse/nodejs6&distro=SUSE OpenStack Cloud 7

pkg:rpm/suse/nodejs6&distro=SUSE%20OpenStack%20Cloud%207

Vulnerabilities (32)

  • CVE-2018-7167HigJun 13, 2018
    affected < 6.14.3-11.15.1fixed 6.14.3-11.15.1

    Calling Buffer.fill() or Buffer.alloc() with some parameters can lead to a hang which could result in a Denial of Service. In order to address this vulnerability, the implementations of Buffer.alloc() and Buffer.fill() were updated so that they zero fill instead of hanging in the

  • CVE-2018-0732HigJun 12, 2018
    affected < 6.14.4-11.18.1fixed 6.14.4-11.18.1

    During key agreement in a TLS handshake using a DH(E) based ciphersuite a malicious server can send a very large prime value to the client. This will cause the client to spend an unreasonably long period of time generating a key for this prime resulting in a hang until the client

  • CVE-2018-7160HigMay 17, 2018
    affected < 6.14.1-11.12.1fixed 6.14.1-11.12.1

    The Node.js inspector, in 6.x and later is vulnerable to a DNS rebinding attack which could be exploited to perform remote code execution. An attack is possible from malicious websites open in a web browser on the same computer, or another computer with network access to the comp

  • CVE-2018-7159MedMay 17, 2018
    affected < 6.14.1-11.12.1fixed 6.14.1-11.12.1

    The HTTP parser in all current versions of Node.js ignores spaces in the `Content-Length` header, allowing input such as `Content-Length: 1 2` to be interpreted as having a value of `12`. The HTTP specification does not allow for spaces in the `Content-Length` value and the Node.

  • CVE-2018-7158HigMay 17, 2018
    affected < 6.14.1-11.12.1fixed 6.14.1-11.12.1

    The `'path'` module in the Node.js 4.x release line contains a potential regular expression denial of service (ReDoS) vector. The code in question was replaced in Node.js 6.x and later so this vulnerability only impacts all versions of Node.js 4.x. The regular expression, `splitP

  • CVE-2017-15896CriDec 11, 2017
    affected < 6.12.2-11.8.1fixed 6.12.2-11.8.1

    Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result was that an active network attacker could send application data to Node.js using the TLS or HTTP2 modules in a way that bypassed TLS authentica

  • CVE-2017-3738MedDec 7, 2017
    affected < 6.12.2-11.8.1fixed 6.12.2-11.8.1

    There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believ

  • CVE-2017-3736MedNov 2, 2017
    affected < 6.12.2-11.8.1fixed 6.12.2-11.8.1

    There is a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL before 1.0.2m and 1.1.0 before 1.1.0g. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are n

  • CVE-2017-14919HigOct 30, 2017
    affected < 6.12.2-11.8.1fixed 6.12.2-11.8.1

    Node.js before 4.8.5, 6.x before 6.11.5, and 8.x before 8.8.0 allows remote attackers to cause a denial of service (uncaught exception and crash) by leveraging a change in the zlib module 1.2.9 making 8 an invalid value for the windowBits parameter.

  • CVE-2017-3735MedAug 28, 2017
    affected < 6.12.2-11.8.1fixed 6.12.2-11.8.1

    While parsing an IPAddressFamily extension in an X.509 certificate, it is possible to do a one-byte overread. This would result in an incorrect text display of the certificate. This bug has been present since 2006 and is present in all versions of OpenSSL before 1.0.2m and 1.1.0g

  • CVE-2017-11499HigJul 25, 2017
    affected < 6.11.1-11.5.1fixed 6.11.1-11.5.1

    Node.js v4.0 through v4.8.3, all versions of v5.x, v6.0 through v6.11.0, v7.0 through v7.10.0, and v8.0 through v8.1.3 was susceptible to hash flooding remote DoS attacks as the HashTable seed was constant across a given released version of Node.js. This was a result of building

  • CVE-2017-1000381HigJul 7, 2017
    affected < 6.11.1-11.5.1fixed 6.11.1-11.5.1

    The c-ares function `ares_parse_naptr_reply()`, which is used for parsing NAPTR responses, could be triggered to read memory outside of the given input buffer if the passed in DNS response packet was crafted in a particular way.

Page 2 of 2