Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

openSUSE-SU-2019:0089-1

Опубликовано: 23 мар. 2019
Источник: suse-cvrf

Описание

Security update for nodejs8

This update for nodejs8 to version 8.15.0 fixes the following issues:

Security issues fixed:

  • CVE-2018-12121: Fixed a Denial of Service with large HTTP headers (bsc#1117626)
  • CVE-2018-12122: Fixed the 'Slowloris' HTTP Denial of Service (bsc#1117627)
  • CVE-2018-12116: Fixed HTTP request splitting (bsc#1117630)
  • CVE-2018-12123: Fixed hostname spoofing in URL parser for javascript protocol (bsc#1117629)

This update was imported from the SUSE:SLE-15:Update update project.

Список пакетов

openSUSE Leap 15.0
nodejs8-8.15.0-lp150.2.9.1
nodejs8-devel-8.15.0-lp150.2.9.1
nodejs8-docs-8.15.0-lp150.2.9.1
npm8-8.15.0-lp150.2.9.1

Ссылки

Описание

Node.js: All versions prior to Node.js 6.15.0 and 8.14.0: HTTP request splitting: If Node.js can be convinced to use unsanitized user-provided Unicode data for the `path` option of an HTTP request, then data can be provided which will trigger a second, unexpected, and user-defined HTTP request to made to the same server.

Затронутые продукты
openSUSE Leap 15.0:nodejs8-8.15.0-lp150.2.9.1
openSUSE Leap 15.0:nodejs8-devel-8.15.0-lp150.2.9.1
openSUSE Leap 15.0:nodejs8-docs-8.15.0-lp150.2.9.1
openSUSE Leap 15.0:npm8-8.15.0-lp150.2.9.1
Ссылки

Описание

Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible to cause the HTTP server to abort from heap allocation failure. Attack potential is mitigated by the use of a load balancer or other proxy layer.

Затронутые продукты
openSUSE Leap 15.0:nodejs8-8.15.0-lp150.2.9.1
openSUSE Leap 15.0:nodejs8-devel-8.15.0-lp150.2.9.1
openSUSE Leap 15.0:nodejs8-docs-8.15.0-lp150.2.9.1
openSUSE Leap 15.0:npm8-8.15.0-lp150.2.9.1
Ссылки

Описание

Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Slowloris HTTP Denial of Service: An attacker can cause a Denial of Service (DoS) by sending headers very slowly keeping HTTP or HTTPS connections and associated resources alive for a long period of time.

Затронутые продукты
openSUSE Leap 15.0:nodejs8-8.15.0-lp150.2.9.1
openSUSE Leap 15.0:nodejs8-devel-8.15.0-lp150.2.9.1
openSUSE Leap 15.0:nodejs8-docs-8.15.0-lp150.2.9.1
openSUSE Leap 15.0:npm8-8.15.0-lp150.2.9.1
Ссылки

Описание

Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse() to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" (e.g. "javAscript:") protocol (other protocols are not affected). If security decisions are made about the URL based on the hostname, they may be incorrect.

Затронутые продукты
openSUSE Leap 15.0:nodejs8-8.15.0-lp150.2.9.1
openSUSE Leap 15.0:nodejs8-devel-8.15.0-lp150.2.9.1
openSUSE Leap 15.0:nodejs8-docs-8.15.0-lp150.2.9.1
openSUSE Leap 15.0:npm8-8.15.0-lp150.2.9.1
Ссылки