SUSE SLES12 Security Update : nodejs4 (SUSE-SU-2016:2470-1)
This update brings the new upstream nodejs LTS version 4.6.0, fixing bugs and security issues : - Nodejs embedded openssl version update + upgrade to 1.0.2j CVE-2016-6304, CVE-2016-2183, CVE-2016-2178, CVE-2016-6306, CVE-2016-7052 + remove support for dynamic 3rd party engine modules - http:...
nodeCrypto - Ransomware Written In NodeJs
Ransomware written in NodeJs. Install and run git clone https://github.com/atmoner/nodeCrypto.git cd nodeCrypto && npm install You must edit first variable in index.js Once your configuration is complete, you can start the ransomware. node index.js The files at the root of the web server will...
RHEL 7 : Red Hat OpenShift Application Runtimes Node.js 8.11.4 (RHSA-2018:2552)
The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2018:2552 advisory. Red Hat Openshift Application Runtimes provides an application platform that reduces the complexity of developing and operating applications...
RHEL 7 : OpenShift Container Platform 3.11 (RHSA-2018:3537)
The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2018:3537 advisory. Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or privat...
RHEL 7 : Red Hat OpenShift Application Runtimes Node.js 10.9.0 (RHSA-2018:2553)
The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2018:2553 advisory. Red Hat Openshift Application Runtimes provides an application platform that reduces the complexity of developing and operating applications...
RHEL 7 : nodejs and nodejs-tough-cookie (RHSA-2016:2101)
The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2016:2101 advisory. Red Hat OpenShift Container Platform is the company's cloud computing Platform-as-a-Service PaaS solution designed for on-premise or private...
A week in security (November 26 – December 2)
Last week on Malwarebytes Labs, we took a look at our cybersecurity predictions for 2019, we explained why Malwarebytes participated in AV testing and how we took part in a joint takedown of massive ad fraud botnets, warned that ESTA registration websites still lurk in paid ads on Google,...
ALPINE-CVE-2018-12123
Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Hostname spoofing in URL parser for javascript protocol: If a Node.js application is using url.parse to determine the URL hostname, that hostname can be spoofed by using a mixed case "javascript:" e.g. "javAscript:" protoc...
UBUNTU-CVE-2018-12120
Node.js: All versions prior to Node.js 6.15.0: Debugger port 5858 listens on any interface by default: When the debugger is enabled with node --debug or node debug, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate...
UBUNTU-CVE-2018-12121
Node.js: All versions prior to Node.js 6.15.0, 8.14.0, 10.14.0 and 11.3.0: Denial of Service with large HTTP headers: By using a combination of many requests with maximum sized headers almost 80 KB per connection, and carefully timed completion of the headers, it is possible to cause the HTTP...
Rogue Developer Infects Widely Used NodeJS Module to Steal Bitcoins
A widely used third-party NodeJS module with nearly 2 million downloads a week was compromised after one of its open-source contributors went rogue and infected it with malicious code that was programmed to steal funds stored in Bitcoin wallet apps. The Node.js library in question is...
Critical: Red Hat Security Advisory: OpenShift Container Platform 3.11 security update
An update is now available for Red Hat OpenShift Container Platform 3.11. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from...
192.168.0.172 (=4.6.1), 1campus_nodedsa (>=0.0.1 <=0.0.4) +10307 more potentially affected by CVE-2017-16026 via request (>=2.2.6 <=2.67.0)
request NPM version =2.2.6, =0.0.1, =0.1.1, =0.1.1, =1.0.0, =0.2.2, =0.1.0, =0.1.0, =0.1.0, =0.0.1, =0.0.1, =0.0.1, =0.0.3 and more Source cves: CVE-2017-16026 Source advisory: OSV:GHSA-7XFP-9C55-5VQJ...
nodejs: HTTP parser allowed for spaces inside Content-Length header values
It was found that the http module from Node.js could accept incorrect Content-Length values, containing spaces within the value, in HTTP headers. A specially crafted client could use this flaw to possibly confuse the script, causing unspecified behavior...
nodejs: Denial of Service by calling Buffer.fill() or Buffer.alloc() with specially crafted parameters
It was found that the Buffer.fill and Buffer.alloc functions may hang. An attacker able to control the input of these functions could use this flaw to cause a denial of service...
nodejs: denial of service (DoS) by causing a node server providing an http2 server to crash
All versions of Node.js 8.x, 9.x, and 10.x are vulnerable and the severity is HIGH. An attacker can cause a denial of service DoS by causing a node server providing an http2 server to crash. This can be accomplished by interacting with the http2 server in a manner that triggers a cleanup bug wher...
Shopify: H1514 Server Side Template Injection in Return Magic email templates?
Summary: Possible template injection in return magic email templates. Description: I've been playing with return magic workflow email templates and there seems to be some kind of template injection but I am not sure if it's exploitable or even valid. Here is why I think it could be vulnerable: I...
Node.js: Pull Request #12949 - Security Implications without CVE assignment
Summary: Pull Request 12949 has security implications but it was not assigned a CVE by the Node team. It is being reported by Qualys as a 6.8 severity issue without a CVE. Description: Here is the commit and pull request - https://github.com/nodejs/node/commit/010f864426...
SUSE-SU-2018:2812-1 Security update for nodejs8
This update for nodejs8 to version 8.11.4 fixes the following issues: Security issues fixed: - CVE-2018-12115: Fixed an out-of-bounds memory write in Buffer that could be used to write to memory outside of a Buffer's memory space buffer bsc1105019 - Upgrade to OpenSSL 1.0.2p, which fixed: -...
SUSE-SU-2018:2796-1 Security update for nodejs6
This update for nodejs6 to version 6.14.4 fixes the following issues: Security issues fixed: CVE-2018-12115: Fixed an out-of-bounds OOB write in Buffer.write for UCS-2 encoding bsc1105019 CVE-2018-0732: Upgrade to OpenSSL 1.0.2p, fixing a client DoS due to large DH parameter bsc1097158 Other issu...