1441 matches found
OESA-2021-1161 netty security update
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients...
openSUSE: Security Advisory for nodejs12 (openSUSE-SU-2021:0357-1)
The remote host is missing an update for the Copyright (C) 2021 Greenbone Networks GmbH. Some text descriptions might be excerpted from referenced sources and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...
openSUSE: Security Advisory for nodejs14 (openSUSE-SU-2021:0356-1)
The remote host is missing an update for the ...
openSUSE: Security Advisory for nodejs14 (openSUSE-SU-2021:0066-1)
The remote host is missing an update for the ...
CVE-2021-29258
A flaw was found in envoyproxy. An attacker, able to craft an HTTP2 request that specifies an empty metadata map, can crash envoy resulting in a denial of service due to the null reference. The highest threat from this vulnerability is to system availability...
http2smugl: HTTP2 request smuggling security testing tool
HTTP/2 has become the de facto standard for the modern web and brings new application security risks. HTTP/2 request smuggling is one of a few high-severity HTTP/2 vulnerabilities that surfaced last year. In this post, we describe it in detail and present an open-source tool, http2smugl...
netty: possible request smuggling in HTTP/2 due to missing validation
In Netty io.netty:netty-codec-http2 before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by Http2MultiplexHandler as it is propagated up. This is fine as long as the...
HTTP Request Smuggling
netty-codec-http2 is vulnerable to HTTP request smuggling. The vulnerability exists through an incomplete fix in CVE-2021-21295 where the content-length header is not properly validated if the request uses a single Http2HeaderFrame, and with endStream set to true...
Design/Logic Flaw
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty io.netty:netty-codec-http2 before version 4.1.61.Final there is a vulnerability that enables request smuggling. The...
CVE-2021-21409
The CVE concerns Netty’s HTTP/2 codec (io.netty:netty-codec-http2) where, before version 4.1.61.Final, a Content-Length check can be bypassed when a single Http2HeaderFrame with endStream set to true is used. This enables HTTP request smuggling if the request is proxied and translated to HTTP/1.1...
Citrix Endpoint Management (aka XenMobile Server) 10.12.0 Rolling Patch 7
Package name: xms10.12.0.10714.bin For: XenMobile Server 10.12.0 Deployment type: On-premises only Replaces: xms10.12.0.10102.bin, xms10.12.0.10204.bin, xms10.12.0.10324.bin, xms10.12.0.10417.bin, xms10.12.0.10539.bin, and xms10.12.0.10613.bin Date: March, 2021 Languages supported: English US Readme...
[ASA-202103-17] dotnet-sdk: multiple issues
Arch Linux Security Advisory ASA-202103-17 ========================================== Severity: High Date : 2021-03-25 CVE-ID : CVE-2021-1721 CVE-2021-1723 CVE-2021-24112 Package : dotnet-sdk Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-1449 Summary ======= The...
[ASA-202103-16] dotnet-runtime: multiple issues
Arch Linux Security Advisory ASA-202103-16 ========================================== Severity: High Date : 2021-03-25 CVE-ID : CVE-2021-1721 CVE-2021-1723 CVE-2021-24112 Package : dotnet-runtime Type : multiple issues Remote : Yes Link : https://security.archlinux.org/AVG-1449 Summary ======= Th...
Security fix for the ALT Linux 9 package node version 14.16.0-alt1
14.16.0-alt1 built March 16, 2021 Vitaly Lipatov in task 267572 Feb. 23, 2021 Vitaly Lipatov - new version 14.16.0 with rpmrb script - CVE-2021-22883: HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion - CVE-2021-22884: DNS rebinding in --inspect...
Important: Red Hat Security Advisory: rh-nodejs12-nodejs security update
An update for rh-nodejs12-nodejs is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each...
Important: Red Hat Security Advisory: rh-nodejs14-nodejs security update
An update for rh-nodejs14-nodejs is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each...
nodejs: HTTP2 'unknownProtocol' cause DoS by resource exhaustion
A flaw was found in nodejs. When too many connection attempts with an 'unknownProtocol' are established, a leak of file descriptors can occur, leading to a potential denial of service. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and...
Important: Red Hat Security Advisory: rh-nodejs10-nodejs security update
An update for rh-nodejs10-nodejs is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each...
CentOS 8 : nodejs:10 (CESA-2021:0735)
The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2021:0735 advisory. - nodejs: HTTP2 'unknownProtocol' cause DoS by resource exhaustion CVE-2021-22883 - nodejs: DNS rebinding in --inspect CVE-2021-22884 Note that Nessus...
FreeBSD : Node.js -- February 2021 Security Releases (2f3cd69e-7dee-11eb-b92e-0022489ad614)
Node.js reports : HTTP2 'unknownProtocol' cause Denial of Service by resource exhaustion Critical CVE-2021-22883 Affected Node.js versions are vulnerable to denial of service attacks when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file...