[SECURITY] Fedora 28 Update: php-zendframework-zend-diactoros-1.8.4-1.fc28

A PHP package containing implementations of the accepted PSR-7 HTTP message interfaces 1, as well as a "server" implementation similar to node's http.Server 2. Documentation: https://zendframework.github.io/zend-diactoros/ Autoloader: /usr/share/php/Zend/Diactoros/autoload.php 1...

Node.js third-party modules: [samsung-remote] Command injection

I would like to report a command injection vulnerability in the samsung-remote npm module. It allows arbitrary shell command execution through a maliciously crafted argument. Module module name: samsung-remote version: 1.2.5 npm page: https://www.npmjs.com/package/samsung-remote Module Descriptio...

August 2018 Security Releases

August 2018 Security Releases Update 16-August-2018 Security releases available Summary Updates are now available for all active Node.js release lines. These include upgrades for OpenSSL and fixes for the vulnerabilities identified in the initial announcement below. We recommend that all users...

Security Bulletin: Current Releases of IBM® SDK for Node.js™ are affected by CVE-2016-3956

Summary HTTP bearer token leak in the npm package management tool Vulnerability Details CVE-ID: CVE-2016-3956 Description: npm could allow a remote attacker to obtain sensitive information, caused by the unintentional leakage of bearer tokens from the command-line interface. By setting up an HTTP...

Security Bulletin: IBM® SDK for Node.js™ may be affected by CVE-2016-1669

Summary Buffer overflow in the Google V8 Javascript implementation used by IBM SDK for Node.js Vulnerability Details CVEID: CVE-2016-1669 DESCRIPTION: Google Chrome is vulnerable to a buffer overflow, caused by an error in V8. By persuading a victim to visit a specially-crafted Web site, a remote...

Security Bulletin: Multiple vulnerabilities in current releases of IBM® SDK for Node.js™ in IBM Bluemix (CVE-2015-3197, CVE-2016-2086, CVE-2016-2216)

Summary This bulletin describes CVE-2015-3197 that was reported on January 26, 2015 by the OpenSSL Project, plus two additional vulnerabilities. Vulnerability Details CVEID: CVE-2015-3197 DESCRIPTION: OpenSSL could allow a remote attacker to conduct man-in-the-middle attacks, caused by the use of...

Security Bulletin: Vulnerability in OpenSSL affects IBM® SDK for Node.js™ (CVE-2015-1793)

Summary OpenSSL alternate chains certificate forgery vulnerability CVE-2015-1793 disclosed by the OpenSSL Project on July 9 2015. IBM SDK for Node.js has addressed this CVE. Vulnerability Details CVEID: CVE-2015-1793 DESCRIPTION: OpenSSL could allow a remote attacker to bypass security...

Security Bulletin: Vulnerabilities in OpenSSL including Logjam affect IBM® SDK for Node.js™ in IBM Bluemix

Summary OpenSSL vulnerabilities were disclosed on June 11, 2015 by the OpenSSL Project. This includes the Logjam Attack on TLS connections using the Diffie-Hellman DH key exchange protocol CVE-2015-4000 which affects IBM SDK for Node.js in IBM Bluemix. Vulnerability Details CVEID: CVE-2015-4000...

Security Bulletin: Current Release of IBM® SDK for Node.js™ in IBM Bluemix is affected by CVE-2015-5380

Summary Denial of service vulnerability caused by an out of bounds write in the V8 JavaScript engine's UTF decoder. Vulnerability Details CVEID: CVE-2015-5380 DESCRIPTION: Google V8, as used in Node.js, is vulnerable to a denial of service that is caused by the failure to verify available memory...

Security Bulletin: IBM® SDK for Node.js™ may be affected by CVE-2014-9748

Summary Unsafe use of read/write locks on Windows 2003 and Windows XP in libuv Vulnerability Details CVEID: CVE-2014-9748 DESCRIPTION: libuv, as used in Node.js is vulnerable to a denial of service, caused by an error in the read/write locks implementation. A local attacker could exploit this...

Security Bulletin: Multiple Vulnerabilities in OpenSSL affect IBM® SDK for Node.js™ in IBM Bluemix

Summary OpenSSL vulnerabilities were disclosed on March 1, 2016 by the OpenSSL Project. OpenSSL is used by IBM SDK for Node.js. IBM SDK for Node.js has addressed the applicable CVEs including the "DROWN: Decrypting RSA with Obsolete and Weakened eNcryption" vulnerability. Vulnerability Details...

Security Bulletin: Multiple vulnerabilities may affect IBM® SDK for Node.js™

Summary OpenSSL vulnerabilities were disclosed on September 22 and 26, 2016 by the OpenSSL Project. OpenSSL is used by IBM SDK for Node.js. IBM SDK for Node.js has addressed the applicable CVEs, plus three additional vulnerabilities unrelated to the OpenSSL release. Vulnerability Details CVEID:...

Security Bulletin: Vulnerabilities in OpenSSL affect IBM® SDK for Node.js™ (CVE-2017-3737 CVE-2017-3738)

Summary OpenSSL vulnerabilities were disclosed on December 7, 2017 by the OpenSSL Project. OpenSSL is used by IBM SDK for Node.js. IBM SDK for Node.js has addressed the applicable CVEs. Vulnerability Details CVEID: CVE-2017-3737 DESCRIPTION: OpenSSL could allow a remote attacker to bypass securit...

Security Bulletin: Current Releases of IBM® SDK for Node.js™ in IBM Bluemix are affected by CVE-2016-3956, CVE-2016-2515 and CVE-2016-2537.

Summary IBM SDK for Node.js in IBM Bluemix are affected by a HTTP bearer token leak in the npm package management tool and two denial of service vulnerabilities in modules used by the npm package management tool. Vulnerability Details CVE-ID: CVE-2016-3956 Description: npm could allow a remote...

Security Bulletin: IBM® SDK for Node.js™ is affected by the following OpenSSL vulnerabilities: CVE-2014-0224, CVE-2014-0221, CVE-2014-0195, CVE-2014-0198, CVE-2010-5298, CVE-2014-3470

Summary Security vulnerabilities have been discovered in OpenSSL that were reported on June 5, 2014 by the OpenSSL Project. Vulnerability Details CVE-ID: CVE-2014-0224 DESCRIPTION: OpenSSL is vulnerable to a man-in-the-middle attack, caused by the use of weak keying material in SSL/TLS clients an...

Security Bulletin: Vulnerabilities in OpenSSL affect IBM® SDK for Node.js™ (CVE-2016-2107, CVE-2016-2105)

Summary OpenSSL vulnerabilities were disclosed on May 3, 2016 by the OpenSSL Project. OpenSSL is used by IBM SDK for Node.js. IBM SDK for Node.js has addressed the applicable CVEs. Vulnerability Details CVEID: CVE-2016-2107 DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive...

Security Bulletin: Multiple vulnerabilities in current releases of IBM® SDK for Node.js™

Summary This bulletin describes security vulnerabilities discovered in OpenSSL that were reported on December 3, 2015 by the OpenSSL Project, plus two additional vulnerabilities. Vulnerability Details CVEID: CVE-2015-3193 DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive...

Security Bulletin: Vulnerability in RC4 stream cipher affects IBM® SDK for Node.js™ (CVE-2015-2808)

Summary The RC4 “Bar Mitzvah” Attack for SSL/TLS affects IBM SDK for Node.js Vulnerability Details CVEID: CVE-2015-2808 DESCRIPTION: The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this...

Security Bulletin: Vulnerability may affect IBM® SDK for Node.js™ (CVE-2017-14919)

Summary A vulnerability was disclosed in October 2017 by the Node.js project. IBM SDK for Node.js has addressed the CVE. Vulnerability Details CVEID: CVE-2017-14919 DESCRIPTION: Node.js is vulnerable to a denial of service, caused by an uncaught exception flaw in the zlib module. By making 8 an...

Security Bulletin: Current Release of IBM® SDK for Node.js™ is affected by CVE-2014-7191

Summary Node.js qs denial-of-service vulnerability. Vulnerability Details CVE-ID: CVE-2014-7191 DESCRIPTION: Node.js is vulnerable to a denial of service, caused by an error in the qs module when parsing a string representing a deeply nested object. An attacker could exploit this vulnerability to...