4303 matches found

OSV | added 2019/08/12 4:13 p.m. | 3 views

OPENSUSE-SU-2019:1846-1 Security update for nodejs10

This update for nodejs10 to version 10.16.0 fixes the following issues: Security issue fixed: - CVE-2019-13173: Fixed a potential file overwrite via hardlink in fstream.DirWriter (bsc1140290). Non-security issue fixed: - Update to new upstream LTS version 10.16.0, including npm version 6.9.0 and...

CVSS 7.5 | AI score 7.6 | EPSS 0.00406 | Exploits 0 | References 4
Tenable Nessus | added 2019/08/12 12:00 a.m. | 52 views

F5 Networks BIG-IP : iRulesLX debug NodeJS vulnerability (K75532331)

Similar to the issue identified in CVE-2018-12120, the BIG-IP system will bind a debug nodejs process to all interfaces when invoked. This may expose the process to unauthorized users if the plugin is left in debug mode and the port is accessible. CVE-2019-6644 Impact: A remote attacker may be able ...

CVSS 9.4 | AI score 7.9 | EPSS 0.00789 | Exploits 0 | References 2
Tenable Nessus | added 2019/08/12 12:00 a.m. | 37 views

RHEL 7 : http-parser (RHSA-2019:2258)

The remote Red Hat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2019:2258 advisory. The http-parser package provides a utility for parsing HTTP messages. It parses both requests and responses. The parser is designed to be us...

CVSS 7.5 | AI score 7.7 | EPSS 0.05572 | Exploits 0 | References 8
OSV | added 2019/08/09 7:31 a.m. | 5 views

SUSE-SU-2019:2099-1 Security update for nodejs10

This update for nodejs10 to version 10.16.0 fixes the following issues: Security issue fixed: - CVE-2019-13173: Fixed a potential file overwrite via hardlink in fstream.DirWriter (bsc1140290). Non-security issue fixed: - Update to new upstream LTS version 10.16.0, including npm version 6.9.0 and...

CVSS 7.5 | AI score 7.7 | EPSS 0.00406 | Exploits 0 | References 4
OSV | added 2019/08/07 11:34 a.m. | 3 views

SUSE-SU-2019:2081-1 Security update for nodejs10

This update for nodejs10 to version 10.16.0 fixes the following issues: Security issue fixed: - CVE-2019-13173: Fixed a potential file overwrite via hardlink in fstream.DirWriter (bsc1140290). Non-security issue fixed: - Update to new upstream LTS version 10.16.0, including npm version 6.9.0 and...

CVSS 7.5 | AI score 7.7 | EPSS 0.00406 | Exploits 0 | References 4
RedHat Linux | added 2019/08/06 1:22 p.m. | 0 views

nodejs: Denial of Service with large HTTP headers

Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers (almost 80 KB per connection), and carefully timed completion of the headers, it is possible to cause the HTTP...

CVSS 7.5 | AI score 6.7 | EPSS 0.05572 | Exploits 0 | References 4
RedHat Linux | added 2019/08/06 1:22 p.m. | 0 views

nodejs: HTTP parser allowed for spaces inside Content-Length header values

It was found that the http module from Node.js could accept incorrect Content-Length values, containing spaces within the value, in HTTP headers. A specially crafted client could use this flaw to possibly confuse the script, causing unspecified behavior...

CVSS 5.3 | AI score 6.7 | EPSS 0.00902 | Exploits 0 | References 4
OSV | added 2019/08/06 8:35 a.m. | 7 views

SUSE-SU-2019:2055-1 Security update for nodejs8

This update for nodejs8 fixes the following issues: Security issue fixed: - CVE-2019-13173: Fixed a potential file overwrite via hardlink in fstream.DirWriter (bsc1140290). Non-security issue fixed: - Backported fixes for OpenSSL 1.1.1 from nodejs8 (bsc1134209)...

CVSS 7.5 | AI score 7.4 | EPSS 0.00406 | Exploits 0 | References 4
IBM Security Bulletins | added 2019/07/23 8:20 p.m. | 35 views

Security Bulletin: Security vulnerability affects IBM Cloud Object Storage SDK NodeJS (Mar 2019)

Summary: Security vulnerability affects IBM Cloud Object Storage SDK NodeJS. This vulnerability has been addressed in the latest SDK NodeJS release. Vulnerability Details: CVE-ID: CVE-2018-16487. Description: Node.js lodash module is vulnerable to a denial of service, caused by a prototype pollution...

CVSS 6.8 | AI score 0.8 | EPSS 0.00468 | Exploits 2 | Affected Software 1
RedHat Linux | added 2019/07/22 1:39 p.m. | 4 views

nodejs: Insufficient Slowloris fix causing DoS via server.headersTimeout bypass

It was found that the original fix for Slowloris, CVE-2018-12122, was insufficient. It is possible to bypass the server's headersTimeout by sending two specially crafted HTTP requests in the same connection. An attacker could use this flaw to bypass Slowloris protection, resulting in a denial of...

CVSS 7.5 | AI score 6.7 | EPSS 0.26351 | Exploits 0 | References 5
RedHat Linux | added 2019/07/22 1:39 p.m. | 1 view

nodejs: Hostname spoofing in URL parser for javascript protocol

Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" (e.g. "javAscript:") protoc...

CVSS 4.3 | AI score 7.1 | EPSS 0.03942 | Exploits 0 | References 4
RedHat Linux | added 2019/07/22 1:39 p.m. | 0 views

nodejs: Slowloris HTTP Denial of Service

It was found that the Node.js HTTP server was vulnerable to a Slowloris type attack. An attacker could make long-lived connections by sending bytes very slowly to the server, saturating its resources and possibly resulting in a denial of service...

CVSS 7.5 | AI score 7.2 | EPSS 0.02342 | Exploits 0 | References 4
RedHat Linux | added 2019/07/22 1:39 p.m. | 1 view

nodejs-tar: Arbitrary file overwrites when extracting tarballs containing a hard-link

A flaw was found in nodejs-tar in versions prior to 4.4.2. An arbitrary file overwrite can occur when extracting tarballs containing a hard-link to a file that already exists in the system. Further, a file that matches the hard-link may overwrite the system's files with the contents of the...

CVSS 7.5 | AI score 7.2 | EPSS 0.00719 | Exploits 1 | References 5
vulnersOsv | added 2019/06/20 10:17 a.m. | 1 view

1st-project (=1.0.2), @142vip/egg-sequelize (>=0.0.1 <=0.0.2) +1065 more potentially affected by CVE-2019-10748 via sequelize (>=5.10.0 <=5.8.10)

sequelize NPM version =5.10.0, =0.0.1, =0.5.0, =1.0.0, =1.0.0, =1.0.0, =0.0.1, =1.0.1, =1.0.0, =0.2.0, =1.0.1, =1.0.2 - @aica/js-app =1.0.1 and more. Source CVEs: CVE-2019-10748. Source advisory: SNYK:JS-SEQUELIZE-450221...

CVSS 9.8 | AI score 7.2 | EPSS 0.00427 | Exploits 1
Tenable Nessus | added 2019/06/13 12:00 a.m. | 38 views

Fedora 30 : nodejs-tough-cookie (2019-76f1b57c1c)

Update to 2.3.4 upstream release. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. (C) Tenable Network...

CVSS 7.5 | AI score 6.6 | EPSS 0.03942 | Exploits 0 | References 2
OpenVAS | added 2019/06/13 12:00 a.m. | 128 views

Fedora Update for nodejs-tough-cookie FEDORA-2019-76f1b57c1c

The remote host is missing an update for the Copyright (C) 2019 Greenbone Networks GmbH. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later. This program is free software; you can...

CVSS 7.5 | AI score 7.7 | EPSS 0.03942 | Exploits 0 | References 2
Pen Test Partners Blog | added 2019/06/07 12:00 p.m. | 420 views

Bloodhound walkthrough. A Tool for Many Tradecrafts

A walkthrough on how to set up and use BloodHound. BloodHound is an application used to visualize Active Directory environments. The front-end is built on Electron and the back-end is a Neo4j database; the data leveraged is pulled from a series of data collectors, also referred to as ingestors, whic...

AI score 7.6 | Exploits 0
OSV | added 2019/06/05 9:48 a.m. | 9 views

GHSA-886V-MM6P-4M66 High severity vulnerability that affects gun

Urgent Upgrade: The static file server module included with GUN had a serious vulnerability: - Using curl --path-as-is allowed reads on any parent directory or files. This did not work via the browser or via curl without the as-is option. Fixed: This has been fixed since version 0.2019.416 and higher...

AI score 7 | Exploits 0 | References 3
Github Security Blog | added 2019/06/05 9:48 a.m. | 10 views

High severity vulnerability that affects gun

Urgent Upgrade: The static file server module included with GUN had a serious vulnerability: - Using curl --path-as-is allowed reads on any parent directory or files. This did not work via the browser or via curl without the as-is option. Fixed: This has been fixed since version 0.2019.416 and higher...

AI score 2.1 | Exploits 0 | References 2 | Affected Software 1
vulnersOsv | added 2019/06/03 5:26 p.m. | 4 views

09-nodejs (=1.0.0), 11.17r (=1.0.0) +1752 more potentially affected by unknown CVE via concat-stream (>=1.5.0 <=1.5.1)

concat-stream NPM version =1.5.0, =0.0.1, =1.0.1, =0.0.2, =0.0.1, =0.1.0, =0.1.0, =1.0.1-0.beta.1, =1.0.0-beta.1, =1.1.5-beta.4 - @arezooq/webserverpackage =1.0.0 and more. Source CVEs: unknown CVE. Source advisory: OSV:GHSA-G74R-FFVR-5Q9F...

AI score 5.8 | Exploits 0