CVE-2019-5739 (GCVE-0-2019-5739)
Vulnerability from cvelistv5
- CWE-400 - Uncontrolled Resource Consumption / Denial of Service
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-04T20:01:52.297Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/"
},
{
"name": "openSUSE-SU-2019:1076",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html"
},
{
"name": "openSUSE-SU-2019:1173",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://security.netapp.com/advisory/ntap-20190502-0008/"
},
{
"name": "GLSA-202003-48",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO",
"x_transferred"
],
"url": "https://security.gentoo.org/glsa/202003-48"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Node.js",
"vendor": "Node.js",
"versions": [
{
"status": "affected",
"version": "All versions prior to 6.17.0"
}
]
}
],
"datePublic": "2019-02-28T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Keep-alive HTTP and HTTPS connections can remain open and inactive for up to 2 minutes in Node.js 6.16.0 and earlier. Node.js 8.0.0 introduced a dedicated server.keepAliveTimeout which defaults to 5 seconds. The behavior in Node.js 6.16.0 and earlier is a potential Denial of Service (DoS) attack vector. Node.js 6.17.0 introduces server.keepAliveTimeout and the 5-second default."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption / Denial of Service",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-03-20T20:06:15",
"orgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
"shortName": "nodejs"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/"
},
{
"name": "openSUSE-SU-2019:1076",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html"
},
{
"name": "openSUSE-SU-2019:1173",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://security.netapp.com/advisory/ntap-20190502-0008/"
},
{
"name": "GLSA-202003-48",
"tags": [
"vendor-advisory",
"x_refsource_GENTOO"
],
"url": "https://security.gentoo.org/glsa/202003-48"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve-request@iojs.org",
"ID": "CVE-2019-5739",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Node.js",
"version": {
"version_data": [
{
"version_value": "All versions prior to 6.17.0"
}
]
}
}
]
},
"vendor_name": "Node.js"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Keep-alive HTTP and HTTPS connections can remain open and inactive for up to 2 minutes in Node.js 6.16.0 and earlier. Node.js 8.0.0 introduced a dedicated server.keepAliveTimeout which defaults to 5 seconds. The behavior in Node.js 6.16.0 and earlier is a potential Denial of Service (DoS) attack vector. Node.js 6.17.0 introduces server.keepAliveTimeout and the 5-second default."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400: Uncontrolled Resource Consumption / Denial of Service"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/",
"refsource": "MISC",
"url": "https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/"
},
{
"name": "openSUSE-SU-2019:1076",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html"
},
{
"name": "openSUSE-SU-2019:1173",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20190502-0008/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20190502-0008/"
},
{
"name": "GLSA-202003-48",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202003-48"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "386269d4-a6c6-4eaa-bf8e-bc0b0d010558",
"assignerShortName": "nodejs",
"cveId": "CVE-2019-5739",
"datePublished": "2019-03-28T16:27:34",
"dateReserved": "2019-01-09T00:00:00",
"dateUpdated": "2024-08-04T20:01:52.297Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2019-5739\",\"sourceIdentifier\":\"cve-request@iojs.org\",\"published\":\"2019-03-28T17:29:01.647\",\"lastModified\":\"2024-11-21T04:45:25.073\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Keep-alive HTTP and HTTPS connections can remain open and inactive for up to 2 minutes in Node.js 6.16.0 and earlier. Node.js 8.0.0 introduced a dedicated server.keepAliveTimeout which defaults to 5 seconds. The behavior in Node.js 6.16.0 and earlier is a potential Denial of Service (DoS) attack vector. Node.js 6.17.0 introduces server.keepAliveTimeout and the 5-second default.\"},{\"lang\":\"es\",\"value\":\"Las conexiones HTTP y HTTPS \\\"keep-alive\\\" pueden permanecer abiertas y inactivas durante hasta 2 minutos en Node.js en versiones 6.16.0 y anteriores. Node.js, en su versi\u00f3n 8.0.0, introduc\u00eda un server.keepAliveTimeout que se establece a 5 segundos, por defecto. Este comportamiento en Node.js, en versiones 6.16.0 y anteriores, es un vector potencial para denegaciones de servicio (DoS). 
Node.js, en su versi\u00f3n 6.17.0, introduce server.keepAliveTimeout y el establecimiento de 5 segundos por defecto.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:N/A:P\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"cve-request@iojs.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-400\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*\",\"versionEndIncluding\":\"6.16.0\",\"matchCriteriaId\":\"853EB571-4424-4796-BED6-578E86828FCE\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5F65DAB0-3DAD-49FF-BC73-3581CC3D5BF3\"}]}]}],\"references\":[{\"url\":\"http://lists.opensuse.org/opensu
se-security-announce/2019-03/msg00041.html\",\"source\":\"cve-request@iojs.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html\",\"source\":\"cve-request@iojs.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/\",\"source\":\"cve-request@iojs.org\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/202003-48\",\"source\":\"cve-request@iojs.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20190502-0008/\",\"source\":\"cve-request@iojs.org\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/202003-48\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://security.netapp.com/advisory/ntap-20190502-0008/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
}
}
fkie_cve-2019-5739
Vulnerability from fkie_nvd
| Source | URL | Tags | |
|---|---|---|---|
| cve-request@iojs.org | http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html | Third Party Advisory | |
| cve-request@iojs.org | http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html | Mailing List, Third Party Advisory | |
| cve-request@iojs.org | https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/ | Vendor Advisory | |
| cve-request@iojs.org | https://security.gentoo.org/glsa/202003-48 | Third Party Advisory | |
| cve-request@iojs.org | https://security.netapp.com/advisory/ntap-20190502-0008/ | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html | Mailing List, Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/ | Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.gentoo.org/glsa/202003-48 | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://security.netapp.com/advisory/ntap-20190502-0008/ | Third Party Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*",
"matchCriteriaId": "853EB571-4424-4796-BED6-578E86828FCE",
"versionEndIncluding": "6.16.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*",
"matchCriteriaId": "5F65DAB0-3DAD-49FF-BC73-3581CC3D5BF3",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Keep-alive HTTP and HTTPS connections can remain open and inactive for up to 2 minutes in Node.js 6.16.0 and earlier. Node.js 8.0.0 introduced a dedicated server.keepAliveTimeout which defaults to 5 seconds. The behavior in Node.js 6.16.0 and earlier is a potential Denial of Service (DoS) attack vector. Node.js 6.17.0 introduces server.keepAliveTimeout and the 5-second default."
},
{
"lang": "es",
"value": "Las conexiones HTTP y HTTPS \"keep-alive\" pueden permanecer abiertas y inactivas durante hasta 2 minutos en Node.js en versiones 6.16.0 y anteriores. Node.js, en su versi\u00f3n 8.0.0, introduc\u00eda un server.keepAliveTimeout que se establece a 5 segundos, por defecto. Este comportamiento en Node.js, en versiones 6.16.0 y anteriores, es un vector potencial para denegaciones de servicio (DoS). Node.js, en su versi\u00f3n 6.17.0, introduce server.keepAliveTimeout y el establecimiento de 5 segundos por defecto."
}
],
"id": "CVE-2019-5739",
"lastModified": "2024-11-21T04:45:25.073",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-03-28T17:29:01.647",
"references": [
{
"source": "cve-request@iojs.org",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html"
},
{
"source": "cve-request@iojs.org",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html"
},
{
"source": "cve-request@iojs.org",
"tags": [
"Vendor Advisory"
],
"url": "https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/"
},
{
"source": "cve-request@iojs.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202003-48"
},
{
"source": "cve-request@iojs.org",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20190502-0008/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202003-48"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20190502-0008/"
}
],
"sourceIdentifier": "cve-request@iojs.org",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-400"
}
],
"source": "cve-request@iojs.org",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-770"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CERTFR-2019-AVI-453
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans IBM QRadar Packet Capture. Elles permettent à un attaquant de provoquer un déni de service à distance et une atteinte à la confidentialité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "IBM Security QRadar Packet Capture versions 7.2.x ant\u00e9rieures \u00e0 7.2.8 Patch 6",
"product": {
"name": "QRadar",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "IBM Security QRadar Packet Capture versions 7.3.x ant\u00e9rieures \u00e0 7.3.2 GA",
"product": {
"name": "QRadar",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2019-5739",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-5739"
},
{
"name": "CVE-2019-5737",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-5737"
},
{
"name": "CVE-2019-1559",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-1559"
}
],
"initial_release_date": "2019-09-20T00:00:00",
"last_revision_date": "2019-09-20T00:00:00",
"links": [
{
"title": "Bulletin de s\u00e9curit\u00e9 IBM \u00e9 du 17 septembre 2019",
"url": "https://www.ibm.com/support/pages/security-bulletin-nodejs-used-ibm-qradar-packet-capture-vulnerable-following-cves-cve-2019-1559-cve-2019-5737-cve-2019-5739"
}
],
"reference": "CERTFR-2019-AVI-453",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2019-09-20T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans IBM QRadar Packet\nCapture. Elles permettent \u00e0 un attaquant de provoquer un d\u00e9ni de service\n\u00e0 distance et une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans IBM QRadar Packet Capture",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 IBM du 17 septembre 2019",
"url": null
}
]
}
CERTFR-2019-AVI-325
Vulnerability from certfr_avis
De multiples vulnérabilités ont été découvertes dans les produits Juniper. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, un déni de service à distance et un contournement de la politique de sécurité.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Juniper Networks | Junos Space | Junos Space versions antérieures à 19.2R1 | ||
| Juniper Networks | Secure Analytics | Juniper Secure Analytics (JSA) versions antérieures à 7.3.2 Patch 1 | ||
| Juniper Networks | Junos OS | Junos OS versions antérieures à 12.3R12-S13, 12.3X48-D80, 12.3X48-D85, 12.3X48-D90, 14.1X53-D130, 14.1X53-D49, 14.1X53-D51, 15.1F6-S12, 15.1F6-S13, 15.1R7-S4, 15.1X49-D170, 15.1X49-D171, 15.1X49-D180, 15.1X49-D181, 15.1X49-D190, 15.1X53-D237, 15.1X53-D238, 15.1X53-D496, 15.1X53-D591, 15.1X53-D69, 16.1R3-S11, 16.1R7-S3, 16.1R7-S4, 16.1R7-S5, 16.2R2-S9, 17.1R3, 17.2R1-S8, 17.2R2-S7, 17.2R3, 17.2R3-S1, 17.2X75-D105, 17.3R3-S2, 17.3R3-S4, 17.4R1-S6, 17.4R1-S7, 17.4R1-S8, 17.4R2-S2, 17.4R2-S3, 17.4R2-S4, 17.4R2-S5, 17.4R3, 18.1R2-S4, 18.1R3-S2, 18.1R3-S3, 18.1R3-S5, 18.1R3-S6, 18.2R1-S5, 18.2R2, 18.2R2-S1, 18.2R2-S2, 18.2R2-S3, 18.2R3, 18.2X75-D12, 18.2X75-D30, 18.2X75-D40, 18.2X75-D50, 18.3R1-S2, 18.3R1-S3, 18.3R1-S4, 18.3R2, 18.4R1, 18.4R1-S1, 18.4R1-S2, 18.4R2, 19.1R1, 19.1R1-S1, 19.1R2 et 19.2R1 | ||
| Juniper Networks | Junos OS | Junos OS versions antérieures à 14.1X53-D115, 14.1X53-D51, 16.1R7-S5, 17.1R3, 17.2R3, 17.2R3-S2, 17.3R3-S2, 17.3R3-S3, 17.4R2, 17.4R2-S5, 17.4R3, 18.1R3, 18.1R3-S1, 18.2R2, 18.3R1, 18.3R2 et 18.4R1 sur séries EX4300 | ||
| Juniper Networks | N/A | Junos OS avec J-Web activé versions antérieures à 12.3R12-S14, 12.3X48-D80, 15.1F6-S13, 15.1R7-S4, 15.1X49-D170, 15.1X53-D497, 16.1R4-S13, 16.1R7-S5, 16.2R2-S10, 17.1R3, 17.2R2-S7, 17.2R3-S1, 17.3R3-S5, 17.4R1-S7, 17.4R2-S4, 17.4R3, 18.1R3-S5 et 18.2R1 |
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Junos Space versions ant\u00e9rieures \u00e0 19.2R1",
"product": {
"name": "Junos Space",
"vendor": {
"name": "Juniper Networks",
"scada": false
}
}
},
{
"description": "Juniper Secure Analytics (JSA) versions ant\u00e9rieures \u00e0 7.3.2 Patch 1",
"product": {
"name": "Secure Analytics",
"vendor": {
"name": "Juniper Networks",
"scada": false
}
}
},
{
"description": "Junos OS versions ant\u00e9rieures \u00e0 12.3R12-S13, 12.3X48-D80, 12.3X48-D85, 12.3X48-D90, 14.1X53-D130, 14.1X53-D49, 14.1X53-D51, 15.1F6-S12, 15.1F6-S13, 15.1R7-S4, 15.1X49-D170, 15.1X49-D171, 15.1X49-D180, 15.1X49-D181, 15.1X49-D190, 15.1X53-D237, 15.1X53-D238, 15.1X53-D496, 15.1X53-D591, 15.1X53-D69, 16.1R3-S11, 16.1R7-S3, 16.1R7-S4, 16.1R7-S5, 16.2R2-S9, 17.1R3, 17.2R1-S8, 17.2R2-S7, 17.2R3, 17.2R3-S1, 17.2X75-D105, 17.3R3-S2, 17.3R3-S4, 17.4R1-S6, 17.4R1-S7, 17.4R1-S8, 17.4R2-S2, 17.4R2-S3, 17.4R2-S4, 17.4R2-S5, 17.4R3, 18.1R2-S4, 18.1R3-S2, 18.1R3-S3, 18.1R3-S5, 18.1R3-S6, 18.2R1-S5, 18.2R2, 18.2R2-S1, 18.2R2-S2, 18.2R2-S3, 18.2R3, 18.2X75-D12, 18.2X75-D30, 18.2X75-D40, 18.2X75-D50, 18.3R1-S2, 18.3R1-S3, 18.3R1-S4, 18.3R2, 18.4R1, 18.4R1-S1, 18.4R1-S2, 18.4R2, 19.1R1, 19.1R1-S1, 19.1R2 et 19.2R1",
"product": {
"name": "Junos OS",
"vendor": {
"name": "Juniper Networks",
"scada": false
}
}
},
{
"description": "Junos OS versions ant\u00e9rieures \u00e0 14.1X53-D115, 14.1X53-D51, 16.1R7-S5, 17.1R3, 17.2R3, 17.2R3-S2, 17.3R3-S2, 17.3R3-S3, 17.4R2, 17.4R2-S5, 17.4R3, 18.1R3, 18.1R3-S1, 18.2R2, 18.3R1, 18.3R2 et 18.4R1 sur s\u00e9ries EX4300",
"product": {
"name": "Junos OS",
"vendor": {
"name": "Juniper Networks",
"scada": false
}
}
},
{
"description": "Junos OS avec J-Web activ\u00e9 versions ant\u00e9rieures \u00e0 12.3R12-S14, 12.3X48-D80, 15.1F6-S13, 15.1R7-S4, 15.1X49-D170, 15.1X53-D497, 16.1R4-S13, 16.1R7-S5, 16.2R2-S10, 17.1R3, 17.2R2-S7, 17.2R3-S1, 17.3R3-S5, 17.4R1-S7, 17.4R2-S4, 17.4R3, 18.1R3-S5 et 18.2R1",
"product": {
"name": "N/A",
"vendor": {
"name": "Juniper Networks",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2016-8615",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-8615"
},
{
"name": "CVE-2019-0049",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-0049"
},
{
"name": "CVE-2018-1060",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-1060"
},
{
"name": "CVE-2016-8619",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-8619"
},
{
"name": "CVE-2018-15505",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-15505"
},
{
"name": "CVE-2018-0739",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-0739"
},
{
"name": "CVE-2018-10902",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-10902"
},
{
"name": "CVE-2019-0048",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-0048"
},
{
"name": "CVE-2016-8624",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-8624"
},
{
"name": "CVE-2016-8616",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-8616"
},
{
"name": "CVE-2016-8620",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-8620"
},
{
"name": "CVE-2016-8617",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-8617"
},
{
"name": "CVE-2019-0053",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-0053"
},
{
"name": "CVE-2016-8618",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-8618"
},
{
"name": "CVE-2019-5739",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-5739"
},
{
"name": "CVE-2019-0052",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-0052"
},
{
"name": "CVE-2016-8623",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-8623"
},
{
"name": "CVE-2019-0046",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-0046"
},
{
"name": "CVE-2018-12327",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-12327"
},
{
"name": "CVE-2018-11237",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-11237"
},
{
"name": "CVE-2016-8621",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-8621"
},
{
"name": "CVE-2018-1061",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-1061"
},
{
"name": "CVE-2018-0732",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-0732"
},
{
"name": "CVE-2019-1559",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-1559"
},
{
"name": "CVE-2018-15504",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-15504"
},
{
"name": "CVE-2016-8622",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-8622"
},
{
"name": "CVE-2019-6133",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-6133"
},
{
"name": "CVE-2016-8625",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-8625"
},
{
"name": "CVE-2018-1729",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-1729"
}
],
"initial_release_date": "2019-07-11T00:00:00",
"last_revision_date": "2019-07-11T00:00:00",
"links": [],
"reference": "CERTFR-2019-AVI-325",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2019-07-11T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits\nJuniper. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer\nune ex\u00e9cution de code arbitraire \u00e0 distance, un d\u00e9ni de service \u00e0\ndistance et un contournement de la politique de s\u00e9curit\u00e9.\n",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits Juniper",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA10938 du 10 juillet 2019",
"url": "https://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10938\u0026cat=SIRT_1\u0026actp=LIST"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA10946 du 10 juillet 2019",
"url": "https://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10946\u0026cat=SIRT_1\u0026actp=LIST"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA10942 du 10 juillet 2019",
"url": "https://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10942\u0026cat=SIRT_1\u0026actp=LIST"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA10949 du 10 juillet 2019",
"url": "https://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10949\u0026cat=SIRT_1\u0026actp=LIST"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA10943 du 10 juillet 2019",
"url": "https://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10943\u0026cat=SIRT_1\u0026actp=LIST"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA10951 du 10 juillet 2019",
"url": "https://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10951\u0026cat=SIRT_1\u0026actp=LIST"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA10950 du 10 juillet 2019",
"url": "https://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10950\u0026cat=SIRT_1\u0026actp=LIST"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA10948 du 10 juillet 2019",
"url": "https://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10948\u0026cat=SIRT_1\u0026actp=LIST"
},
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Juniper JSA10947 du 10 juillet 2019",
"url": "https://kb.juniper.net/InfoCenter/index?page=content\u0026id=JSA10947\u0026cat=SIRT_1\u0026actp=LIST"
}
]
}
gsd-2019-5739
Vulnerability from gsd
{
"GSD": {
"alias": "CVE-2019-5739",
"description": "Keep-alive HTTP and HTTPS connections can remain open and inactive for up to 2 minutes in Node.js 6.16.0 and earlier. Node.js 8.0.0 introduced a dedicated server.keepAliveTimeout which defaults to 5 seconds. The behavior in Node.js 6.16.0 and earlier is a potential Denial of Service (DoS) attack vector. Node.js 6.17.0 introduces server.keepAliveTimeout and the 5-second default.",
"id": "GSD-2019-5739",
"references": [
"https://www.suse.com/security/cve/CVE-2019-5739.html",
"https://advisories.mageia.org/CVE-2019-5739.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2019-5739"
],
"details": "Keep-alive HTTP and HTTPS connections can remain open and inactive for up to 2 minutes in Node.js 6.16.0 and earlier. Node.js 8.0.0 introduced a dedicated server.keepAliveTimeout which defaults to 5 seconds. The behavior in Node.js 6.16.0 and earlier is a potential Denial of Service (DoS) attack vector. Node.js 6.17.0 introduces server.keepAliveTimeout and the 5-second default.",
"id": "GSD-2019-5739",
"modified": "2023-12-13T01:23:54.800819Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve-request@iojs.org",
"ID": "CVE-2019-5739",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Node.js",
"version": {
"version_data": [
{
"version_value": "All versions prior to 6.17.0"
}
]
}
}
]
},
"vendor_name": "Node.js"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Keep-alive HTTP and HTTPS connections can remain open and inactive for up to 2 minutes in Node.js 6.16.0 and earlier. Node.js 8.0.0 introduced a dedicated server.keepAliveTimeout which defaults to 5 seconds. The behavior in Node.js 6.16.0 and earlier is a potential Denial of Service (DoS) attack vector. Node.js 6.17.0 introduces server.keepAliveTimeout and the 5-second default."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-400: Uncontrolled Resource Consumption / Denial of Service"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/",
"refsource": "MISC",
"url": "https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/"
},
{
"name": "openSUSE-SU-2019:1076",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html"
},
{
"name": "openSUSE-SU-2019:1173",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20190502-0008/",
"refsource": "CONFIRM",
"url": "https://security.netapp.com/advisory/ntap-20190502-0008/"
},
{
"name": "GLSA-202003-48",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202003-48"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*",
"cpe_name": [],
"versionEndIncluding": "6.16.0",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve-request@iojs.org",
"ID": "CVE-2019-5739"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Keep-alive HTTP and HTTPS connections can remain open and inactive for up to 2 minutes in Node.js 6.16.0 and earlier. Node.js 8.0.0 introduced a dedicated server.keepAliveTimeout which defaults to 5 seconds. The behavior in Node.js 6.16.0 and earlier is a potential Denial of Service (DoS) attack vector. Node.js 6.17.0 introduces server.keepAliveTimeout and the 5-second default."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-770"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/",
"refsource": "MISC",
"tags": [
"Vendor Advisory"
],
"url": "https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/"
},
{
"name": "openSUSE-SU-2019:1076",
"refsource": "SUSE",
"tags": [
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html"
},
{
"name": "openSUSE-SU-2019:1173",
"refsource": "SUSE",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html"
},
{
"name": "https://security.netapp.com/advisory/ntap-20190502-0008/",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
],
"url": "https://security.netapp.com/advisory/ntap-20190502-0008/"
},
{
"name": "GLSA-202003-48",
"refsource": "GENTOO",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202003-48"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6
}
},
"lastModifiedDate": "2020-10-16T19:08Z",
"publishedDate": "2019-03-28T17:29Z"
}
}
}
suse-su-2019:0818-1
Vulnerability from csaf_suse
Notes
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for nodejs6",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for nodejs6 to version 6.17.0 fixes the following issues:\n\nSecurity issues fixed:\n\n\n- CVE-2019-5739: Fixed a potential attack vector which could lead to Denial of Service \n when HTTP connections are kept active (bsc#1127533).\n- CVE-2019-5737: Fixed a potential attack vector which could lead to Denial of Service\n when HTTP connections are kept active (bsc#1127532).\n- CVE-2019-1559: Fixed an OpenSSL 0-byte Record Padding Oracle in which, under certain circumstances, \n a TLS server can be forced to respond differently to a client, which could lead to the decryption of the data (bsc#1127080).\n\nRelease Notes: https://nodejs.org/en/blog/release/v6.17.0/ \n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2019-818,SUSE-OpenStack-Cloud-7-2019-818,SUSE-OpenStack-Cloud-Crowbar-8-2019-818,SUSE-SLE-Module-Web-Scripting-12-2019-818,SUSE-Storage-4-2019-818",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2019_0818-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2019:0818-1",
"url": "https://www.suse.com/support/update/announcement/2019/suse-su-20190818-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2019:0818-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2019-March/005269.html"
},
{
"category": "self",
"summary": "SUSE Bug 1127080",
"url": "https://bugzilla.suse.com/1127080"
},
{
"category": "self",
"summary": "SUSE Bug 1127532",
"url": "https://bugzilla.suse.com/1127532"
},
{
"category": "self",
"summary": "SUSE Bug 1127533",
"url": "https://bugzilla.suse.com/1127533"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-1559 page",
"url": "https://www.suse.com/security/cve/CVE-2019-1559/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-5737 page",
"url": "https://www.suse.com/security/cve/CVE-2019-5737/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-5739 page",
"url": "https://www.suse.com/security/cve/CVE-2019-5739/"
}
],
"title": "Security update for nodejs6",
"tracking": {
"current_release_date": "2019-03-29T17:03:45Z",
"generator": {
"date": "2019-03-29T17:03:45Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2019:0818-1",
"initial_release_date": "2019-03-29T17:03:45Z",
"revision_history": [
{
"date": "2019-03-29T17:03:45Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "nodejs6-6.17.0-11.24.1.aarch64",
"product": {
"name": "nodejs6-6.17.0-11.24.1.aarch64",
"product_id": "nodejs6-6.17.0-11.24.1.aarch64"
}
},
{
"category": "product_version",
"name": "nodejs6-devel-6.17.0-11.24.1.aarch64",
"product": {
"name": "nodejs6-devel-6.17.0-11.24.1.aarch64",
"product_id": "nodejs6-devel-6.17.0-11.24.1.aarch64"
}
},
{
"category": "product_version",
"name": "npm6-6.17.0-11.24.1.aarch64",
"product": {
"name": "npm6-6.17.0-11.24.1.aarch64",
"product_id": "npm6-6.17.0-11.24.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs6-6.17.0-11.24.1.i586",
"product": {
"name": "nodejs6-6.17.0-11.24.1.i586",
"product_id": "nodejs6-6.17.0-11.24.1.i586"
}
},
{
"category": "product_version",
"name": "nodejs6-devel-6.17.0-11.24.1.i586",
"product": {
"name": "nodejs6-devel-6.17.0-11.24.1.i586",
"product_id": "nodejs6-devel-6.17.0-11.24.1.i586"
}
},
{
"category": "product_version",
"name": "npm6-6.17.0-11.24.1.i586",
"product": {
"name": "npm6-6.17.0-11.24.1.i586",
"product_id": "npm6-6.17.0-11.24.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs6-docs-6.17.0-11.24.1.noarch",
"product": {
"name": "nodejs6-docs-6.17.0-11.24.1.noarch",
"product_id": "nodejs6-docs-6.17.0-11.24.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs6-6.17.0-11.24.1.ppc64le",
"product": {
"name": "nodejs6-6.17.0-11.24.1.ppc64le",
"product_id": "nodejs6-6.17.0-11.24.1.ppc64le"
}
},
{
"category": "product_version",
"name": "nodejs6-devel-6.17.0-11.24.1.ppc64le",
"product": {
"name": "nodejs6-devel-6.17.0-11.24.1.ppc64le",
"product_id": "nodejs6-devel-6.17.0-11.24.1.ppc64le"
}
},
{
"category": "product_version",
"name": "npm6-6.17.0-11.24.1.ppc64le",
"product": {
"name": "npm6-6.17.0-11.24.1.ppc64le",
"product_id": "npm6-6.17.0-11.24.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs6-6.17.0-11.24.1.s390",
"product": {
"name": "nodejs6-6.17.0-11.24.1.s390",
"product_id": "nodejs6-6.17.0-11.24.1.s390"
}
},
{
"category": "product_version",
"name": "nodejs6-devel-6.17.0-11.24.1.s390",
"product": {
"name": "nodejs6-devel-6.17.0-11.24.1.s390",
"product_id": "nodejs6-devel-6.17.0-11.24.1.s390"
}
},
{
"category": "product_version",
"name": "npm6-6.17.0-11.24.1.s390",
"product": {
"name": "npm6-6.17.0-11.24.1.s390",
"product_id": "npm6-6.17.0-11.24.1.s390"
}
}
],
"category": "architecture",
"name": "s390"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs6-6.17.0-11.24.1.s390x",
"product": {
"name": "nodejs6-6.17.0-11.24.1.s390x",
"product_id": "nodejs6-6.17.0-11.24.1.s390x"
}
},
{
"category": "product_version",
"name": "nodejs6-devel-6.17.0-11.24.1.s390x",
"product": {
"name": "nodejs6-devel-6.17.0-11.24.1.s390x",
"product_id": "nodejs6-devel-6.17.0-11.24.1.s390x"
}
},
{
"category": "product_version",
"name": "npm6-6.17.0-11.24.1.s390x",
"product": {
"name": "npm6-6.17.0-11.24.1.s390x",
"product_id": "npm6-6.17.0-11.24.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs6-6.17.0-11.24.1.x86_64",
"product": {
"name": "nodejs6-6.17.0-11.24.1.x86_64",
"product_id": "nodejs6-6.17.0-11.24.1.x86_64"
}
},
{
"category": "product_version",
"name": "nodejs6-devel-6.17.0-11.24.1.x86_64",
"product": {
"name": "nodejs6-devel-6.17.0-11.24.1.x86_64",
"product_id": "nodejs6-devel-6.17.0-11.24.1.x86_64"
}
},
{
"category": "product_version",
"name": "npm6-6.17.0-11.24.1.x86_64",
"product": {
"name": "npm6-6.17.0-11.24.1.x86_64",
"product_id": "npm6-6.17.0-11.24.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE OpenStack Cloud 7",
"product": {
"name": "SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse-openstack-cloud:7"
}
}
},
{
"category": "product_name",
"name": "SUSE OpenStack Cloud Crowbar 8",
"product": {
"name": "SUSE OpenStack Cloud Crowbar 8",
"product_id": "SUSE OpenStack Cloud Crowbar 8",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse-openstack-cloud-crowbar:8"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Web and Scripting 12",
"product": {
"name": "SUSE Linux Enterprise Module for Web and Scripting 12",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 12",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-web-scripting:12"
}
}
},
{
"category": "product_name",
"name": "SUSE Enterprise Storage 4",
"product": {
"name": "SUSE Enterprise Storage 4",
"product_id": "SUSE Enterprise Storage 4",
"product_identification_helper": {
"cpe": "cpe:/o:suse:ses:4"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs6-6.17.0-11.24.1.aarch64 as component of SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7:nodejs6-6.17.0-11.24.1.aarch64"
},
"product_reference": "nodejs6-6.17.0-11.24.1.aarch64",
"relates_to_product_reference": "SUSE OpenStack Cloud 7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs6-6.17.0-11.24.1.s390x as component of SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7:nodejs6-6.17.0-11.24.1.s390x"
},
"product_reference": "nodejs6-6.17.0-11.24.1.s390x",
"relates_to_product_reference": "SUSE OpenStack Cloud 7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs6-6.17.0-11.24.1.x86_64 as component of SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7:nodejs6-6.17.0-11.24.1.x86_64"
},
"product_reference": "nodejs6-6.17.0-11.24.1.x86_64",
"relates_to_product_reference": "SUSE OpenStack Cloud 7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs6-6.17.0-11.24.1.x86_64 as component of SUSE OpenStack Cloud Crowbar 8",
"product_id": "SUSE OpenStack Cloud Crowbar 8:nodejs6-6.17.0-11.24.1.x86_64"
},
"product_reference": "nodejs6-6.17.0-11.24.1.x86_64",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs6-6.17.0-11.24.1.aarch64 as component of SUSE Linux Enterprise Module for Web and Scripting 12",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.17.0-11.24.1.aarch64"
},
"product_reference": "nodejs6-6.17.0-11.24.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs6-6.17.0-11.24.1.ppc64le as component of SUSE Linux Enterprise Module for Web and Scripting 12",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.17.0-11.24.1.ppc64le"
},
"product_reference": "nodejs6-6.17.0-11.24.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs6-6.17.0-11.24.1.s390x as component of SUSE Linux Enterprise Module for Web and Scripting 12",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.17.0-11.24.1.s390x"
},
"product_reference": "nodejs6-6.17.0-11.24.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs6-6.17.0-11.24.1.x86_64 as component of SUSE Linux Enterprise Module for Web and Scripting 12",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.17.0-11.24.1.x86_64"
},
"product_reference": "nodejs6-6.17.0-11.24.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs6-devel-6.17.0-11.24.1.aarch64 as component of SUSE Linux Enterprise Module for Web and Scripting 12",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.17.0-11.24.1.aarch64"
},
"product_reference": "nodejs6-devel-6.17.0-11.24.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs6-devel-6.17.0-11.24.1.ppc64le as component of SUSE Linux Enterprise Module for Web and Scripting 12",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.17.0-11.24.1.ppc64le"
},
"product_reference": "nodejs6-devel-6.17.0-11.24.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs6-devel-6.17.0-11.24.1.s390x as component of SUSE Linux Enterprise Module for Web and Scripting 12",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.17.0-11.24.1.s390x"
},
"product_reference": "nodejs6-devel-6.17.0-11.24.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs6-devel-6.17.0-11.24.1.x86_64 as component of SUSE Linux Enterprise Module for Web and Scripting 12",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.17.0-11.24.1.x86_64"
},
"product_reference": "nodejs6-devel-6.17.0-11.24.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs6-docs-6.17.0-11.24.1.noarch as component of SUSE Linux Enterprise Module for Web and Scripting 12",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.17.0-11.24.1.noarch"
},
"product_reference": "nodejs6-docs-6.17.0-11.24.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm6-6.17.0-11.24.1.aarch64 as component of SUSE Linux Enterprise Module for Web and Scripting 12",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.17.0-11.24.1.aarch64"
},
"product_reference": "npm6-6.17.0-11.24.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm6-6.17.0-11.24.1.ppc64le as component of SUSE Linux Enterprise Module for Web and Scripting 12",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.17.0-11.24.1.ppc64le"
},
"product_reference": "npm6-6.17.0-11.24.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm6-6.17.0-11.24.1.s390x as component of SUSE Linux Enterprise Module for Web and Scripting 12",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.17.0-11.24.1.s390x"
},
"product_reference": "npm6-6.17.0-11.24.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm6-6.17.0-11.24.1.x86_64 as component of SUSE Linux Enterprise Module for Web and Scripting 12",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.17.0-11.24.1.x86_64"
},
"product_reference": "npm6-6.17.0-11.24.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs6-6.17.0-11.24.1.aarch64 as component of SUSE Enterprise Storage 4",
"product_id": "SUSE Enterprise Storage 4:nodejs6-6.17.0-11.24.1.aarch64"
},
"product_reference": "nodejs6-6.17.0-11.24.1.aarch64",
"relates_to_product_reference": "SUSE Enterprise Storage 4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs6-6.17.0-11.24.1.x86_64 as component of SUSE Enterprise Storage 4",
"product_id": "SUSE Enterprise Storage 4:nodejs6-6.17.0-11.24.1.x86_64"
},
"product_reference": "nodejs6-6.17.0-11.24.1.x86_64",
"relates_to_product_reference": "SUSE Enterprise Storage 4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2019-1559",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-1559"
}
],
"notes": [
{
"category": "general",
"text": "If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable \"non-stitched\" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Enterprise Storage 4:nodejs6-6.17.0-11.24.1.aarch64",
"SUSE Enterprise Storage 4:nodejs6-6.17.0-11.24.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.17.0-11.24.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.17.0-11.24.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.17.0-11.24.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.17.0-11.24.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.17.0-11.24.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.17.0-11.24.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.17.0-11.24.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.17.0-11.24.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.17.0-11.24.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.17.0-11.24.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.17.0-11.24.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.17.0-11.24.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.17.0-11.24.1.x86_64",
"SUSE OpenStack Cloud 7:nodejs6-6.17.0-11.24.1.aarch64",
"SUSE OpenStack Cloud 7:nodejs6-6.17.0-11.24.1.s390x",
"SUSE OpenStack Cloud 7:nodejs6-6.17.0-11.24.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:nodejs6-6.17.0-11.24.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-1559",
"url": "https://www.suse.com/security/cve/CVE-2019-1559"
},
{
"category": "external",
"summary": "SUSE Bug 1127080 for CVE-2019-1559",
"url": "https://bugzilla.suse.com/1127080"
},
{
"category": "external",
"summary": "SUSE Bug 1130039 for CVE-2019-1559",
"url": "https://bugzilla.suse.com/1130039"
},
{
"category": "external",
"summary": "SUSE Bug 1141798 for CVE-2019-1559",
"url": "https://bugzilla.suse.com/1141798"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Enterprise Storage 4:nodejs6-6.17.0-11.24.1.aarch64",
"SUSE Enterprise Storage 4:nodejs6-6.17.0-11.24.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.17.0-11.24.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.17.0-11.24.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.17.0-11.24.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.17.0-11.24.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.17.0-11.24.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.17.0-11.24.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.17.0-11.24.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.17.0-11.24.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.17.0-11.24.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.17.0-11.24.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.17.0-11.24.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.17.0-11.24.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.17.0-11.24.1.x86_64",
"SUSE OpenStack Cloud 7:nodejs6-6.17.0-11.24.1.aarch64",
"SUSE OpenStack Cloud 7:nodejs6-6.17.0-11.24.1.s390x",
"SUSE OpenStack Cloud 7:nodejs6-6.17.0-11.24.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:nodejs6-6.17.0-11.24.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.0"
},
"products": [
"SUSE Enterprise Storage 4:nodejs6-6.17.0-11.24.1.aarch64",
"SUSE Enterprise Storage 4:nodejs6-6.17.0-11.24.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.17.0-11.24.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.17.0-11.24.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.17.0-11.24.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.17.0-11.24.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.17.0-11.24.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.17.0-11.24.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.17.0-11.24.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.17.0-11.24.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.17.0-11.24.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.17.0-11.24.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.17.0-11.24.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.17.0-11.24.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.17.0-11.24.1.x86_64",
"SUSE OpenStack Cloud 7:nodejs6-6.17.0-11.24.1.aarch64",
"SUSE OpenStack Cloud 7:nodejs6-6.17.0-11.24.1.s390x",
"SUSE OpenStack Cloud 7:nodejs6-6.17.0-11.24.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:nodejs6-6.17.0-11.24.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-03-29T17:03:45Z",
"details": "low"
}
],
"title": "CVE-2019-1559"
},
{
"cve": "CVE-2019-5737",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-5737"
}
],
"notes": [
{
"category": "general",
"text": "In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and by sending headers very slowly. This keeps the connection and associated resources alive for a long period of time. Potential attacks are mitigated by the use of a load balancer or other proxy layer. This vulnerability is an extension of CVE-2018-12121, addressed in November and impacts all active Node.js release lines including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Enterprise Storage 4:nodejs6-6.17.0-11.24.1.aarch64",
"SUSE Enterprise Storage 4:nodejs6-6.17.0-11.24.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.17.0-11.24.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.17.0-11.24.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.17.0-11.24.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.17.0-11.24.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.17.0-11.24.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.17.0-11.24.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.17.0-11.24.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.17.0-11.24.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.17.0-11.24.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.17.0-11.24.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.17.0-11.24.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.17.0-11.24.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.17.0-11.24.1.x86_64",
"SUSE OpenStack Cloud 7:nodejs6-6.17.0-11.24.1.aarch64",
"SUSE OpenStack Cloud 7:nodejs6-6.17.0-11.24.1.s390x",
"SUSE OpenStack Cloud 7:nodejs6-6.17.0-11.24.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:nodejs6-6.17.0-11.24.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-5737",
"url": "https://www.suse.com/security/cve/CVE-2019-5737"
},
{
"category": "external",
"summary": "SUSE Bug 1127532 for CVE-2019-5737",
"url": "https://bugzilla.suse.com/1127532"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Enterprise Storage 4:nodejs6-6.17.0-11.24.1.aarch64",
"SUSE Enterprise Storage 4:nodejs6-6.17.0-11.24.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.17.0-11.24.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.17.0-11.24.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.17.0-11.24.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.17.0-11.24.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.17.0-11.24.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.17.0-11.24.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.17.0-11.24.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.17.0-11.24.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.17.0-11.24.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.17.0-11.24.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.17.0-11.24.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.17.0-11.24.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.17.0-11.24.1.x86_64",
"SUSE OpenStack Cloud 7:nodejs6-6.17.0-11.24.1.aarch64",
"SUSE OpenStack Cloud 7:nodejs6-6.17.0-11.24.1.s390x",
"SUSE OpenStack Cloud 7:nodejs6-6.17.0-11.24.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:nodejs6-6.17.0-11.24.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
},
"products": [
"SUSE Enterprise Storage 4:nodejs6-6.17.0-11.24.1.aarch64",
"SUSE Enterprise Storage 4:nodejs6-6.17.0-11.24.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.17.0-11.24.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.17.0-11.24.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.17.0-11.24.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.17.0-11.24.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.17.0-11.24.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.17.0-11.24.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.17.0-11.24.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.17.0-11.24.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.17.0-11.24.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.17.0-11.24.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.17.0-11.24.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.17.0-11.24.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.17.0-11.24.1.x86_64",
"SUSE OpenStack Cloud 7:nodejs6-6.17.0-11.24.1.aarch64",
"SUSE OpenStack Cloud 7:nodejs6-6.17.0-11.24.1.s390x",
"SUSE OpenStack Cloud 7:nodejs6-6.17.0-11.24.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:nodejs6-6.17.0-11.24.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-03-29T17:03:45Z",
"details": "low"
}
],
"title": "CVE-2019-5737"
},
{
"cve": "CVE-2019-5739",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-5739"
}
],
"notes": [
{
"category": "general",
"text": "Keep-alive HTTP and HTTPS connections can remain open and inactive for up to 2 minutes in Node.js 6.16.0 and earlier. Node.js 8.0.0 introduced a dedicated server.keepAliveTimeout which defaults to 5 seconds. The behavior in Node.js 6.16.0 and earlier is a potential Denial of Service (DoS) attack vector. Node.js 6.17.0 introduces server.keepAliveTimeout and the 5-second default.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Enterprise Storage 4:nodejs6-6.17.0-11.24.1.aarch64",
"SUSE Enterprise Storage 4:nodejs6-6.17.0-11.24.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.17.0-11.24.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.17.0-11.24.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.17.0-11.24.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.17.0-11.24.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.17.0-11.24.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.17.0-11.24.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.17.0-11.24.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.17.0-11.24.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.17.0-11.24.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.17.0-11.24.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.17.0-11.24.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.17.0-11.24.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.17.0-11.24.1.x86_64",
"SUSE OpenStack Cloud 7:nodejs6-6.17.0-11.24.1.aarch64",
"SUSE OpenStack Cloud 7:nodejs6-6.17.0-11.24.1.s390x",
"SUSE OpenStack Cloud 7:nodejs6-6.17.0-11.24.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:nodejs6-6.17.0-11.24.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-5739",
"url": "https://www.suse.com/security/cve/CVE-2019-5739"
},
{
"category": "external",
"summary": "SUSE Bug 1127533 for CVE-2019-5739",
"url": "https://bugzilla.suse.com/1127533"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Enterprise Storage 4:nodejs6-6.17.0-11.24.1.aarch64",
"SUSE Enterprise Storage 4:nodejs6-6.17.0-11.24.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.17.0-11.24.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.17.0-11.24.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.17.0-11.24.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.17.0-11.24.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.17.0-11.24.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.17.0-11.24.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.17.0-11.24.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.17.0-11.24.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.17.0-11.24.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.17.0-11.24.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.17.0-11.24.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.17.0-11.24.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.17.0-11.24.1.x86_64",
"SUSE OpenStack Cloud 7:nodejs6-6.17.0-11.24.1.aarch64",
"SUSE OpenStack Cloud 7:nodejs6-6.17.0-11.24.1.s390x",
"SUSE OpenStack Cloud 7:nodejs6-6.17.0-11.24.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:nodejs6-6.17.0-11.24.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
},
"products": [
"SUSE Enterprise Storage 4:nodejs6-6.17.0-11.24.1.aarch64",
"SUSE Enterprise Storage 4:nodejs6-6.17.0-11.24.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.17.0-11.24.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.17.0-11.24.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.17.0-11.24.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-6.17.0-11.24.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.17.0-11.24.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.17.0-11.24.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.17.0-11.24.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-devel-6.17.0-11.24.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs6-docs-6.17.0-11.24.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.17.0-11.24.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.17.0-11.24.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.17.0-11.24.1.s390x",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm6-6.17.0-11.24.1.x86_64",
"SUSE OpenStack Cloud 7:nodejs6-6.17.0-11.24.1.aarch64",
"SUSE OpenStack Cloud 7:nodejs6-6.17.0-11.24.1.s390x",
"SUSE OpenStack Cloud 7:nodejs6-6.17.0-11.24.1.x86_64",
"SUSE OpenStack Cloud Crowbar 8:nodejs6-6.17.0-11.24.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-03-29T17:03:45Z",
"details": "low"
}
],
"title": "CVE-2019-5739"
}
]
}
suse-su-2019:0658-1
Vulnerability from csaf_suse
Notes
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for nodejs4",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for nodejs4 fixes the following issues:\n\nSecurity issues fixed:\n\n- CVE-2019-5739: Fixed a potential attack vector which could lead to Denial of Service \n when HTTP connections are kept active (bsc#1127533).\n- CVE-2019-5737: Fixed a potential attack vector which could lead to Denial of Service\n when HTTP connections are kept active (bsc#1127532).\n- CVE-2019-1559: Fixed OpenSSL 0-byte Record Padding Oracle, in which under certain circumstances \n a TLS server can be forced to respond differently to a client, which could lead to the decryption of the data (bsc#1127080).\t \n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-2019-658,SUSE-SLE-Module-Web-Scripting-12-2019-658,SUSE-Storage-4-2019-658",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2019_0658-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2019:0658-1",
"url": "https://www.suse.com/support/update/announcement/2019/suse-su-20190658-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2019:0658-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2019-March/005212.html"
},
{
"category": "self",
"summary": "SUSE Bug 1127080",
"url": "https://bugzilla.suse.com/1127080"
},
{
"category": "self",
"summary": "SUSE Bug 1127532",
"url": "https://bugzilla.suse.com/1127532"
},
{
"category": "self",
"summary": "SUSE Bug 1127533",
"url": "https://bugzilla.suse.com/1127533"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-1559 page",
"url": "https://www.suse.com/security/cve/CVE-2019-1559/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-5737 page",
"url": "https://www.suse.com/security/cve/CVE-2019-5737/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2019-5739 page",
"url": "https://www.suse.com/security/cve/CVE-2019-5739/"
}
],
"title": "Security update for nodejs4",
"tracking": {
"current_release_date": "2019-03-20T13:32:01Z",
"generator": {
"date": "2019-03-20T13:32:01Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2019:0658-1",
"initial_release_date": "2019-03-20T13:32:01Z",
"revision_history": [
{
"date": "2019-03-20T13:32:01Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "nodejs4-4.9.1-15.20.1.aarch64",
"product": {
"name": "nodejs4-4.9.1-15.20.1.aarch64",
"product_id": "nodejs4-4.9.1-15.20.1.aarch64"
}
},
{
"category": "product_version",
"name": "nodejs4-devel-4.9.1-15.20.1.aarch64",
"product": {
"name": "nodejs4-devel-4.9.1-15.20.1.aarch64",
"product_id": "nodejs4-devel-4.9.1-15.20.1.aarch64"
}
},
{
"category": "product_version",
"name": "npm4-4.9.1-15.20.1.aarch64",
"product": {
"name": "npm4-4.9.1-15.20.1.aarch64",
"product_id": "npm4-4.9.1-15.20.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs4-4.9.1-15.20.1.i586",
"product": {
"name": "nodejs4-4.9.1-15.20.1.i586",
"product_id": "nodejs4-4.9.1-15.20.1.i586"
}
},
{
"category": "product_version",
"name": "nodejs4-devel-4.9.1-15.20.1.i586",
"product": {
"name": "nodejs4-devel-4.9.1-15.20.1.i586",
"product_id": "nodejs4-devel-4.9.1-15.20.1.i586"
}
},
{
"category": "product_version",
"name": "npm4-4.9.1-15.20.1.i586",
"product": {
"name": "npm4-4.9.1-15.20.1.i586",
"product_id": "npm4-4.9.1-15.20.1.i586"
}
}
],
"category": "architecture",
"name": "i586"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs4-docs-4.9.1-15.20.1.noarch",
"product": {
"name": "nodejs4-docs-4.9.1-15.20.1.noarch",
"product_id": "nodejs4-docs-4.9.1-15.20.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs4-4.9.1-15.20.1.ppc64le",
"product": {
"name": "nodejs4-4.9.1-15.20.1.ppc64le",
"product_id": "nodejs4-4.9.1-15.20.1.ppc64le"
}
},
{
"category": "product_version",
"name": "nodejs4-devel-4.9.1-15.20.1.ppc64le",
"product": {
"name": "nodejs4-devel-4.9.1-15.20.1.ppc64le",
"product_id": "nodejs4-devel-4.9.1-15.20.1.ppc64le"
}
},
{
"category": "product_version",
"name": "npm4-4.9.1-15.20.1.ppc64le",
"product": {
"name": "npm4-4.9.1-15.20.1.ppc64le",
"product_id": "npm4-4.9.1-15.20.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "nodejs4-4.9.1-15.20.1.x86_64",
"product": {
"name": "nodejs4-4.9.1-15.20.1.x86_64",
"product_id": "nodejs4-4.9.1-15.20.1.x86_64"
}
},
{
"category": "product_version",
"name": "nodejs4-devel-4.9.1-15.20.1.x86_64",
"product": {
"name": "nodejs4-devel-4.9.1-15.20.1.x86_64",
"product_id": "nodejs4-devel-4.9.1-15.20.1.x86_64"
}
},
{
"category": "product_version",
"name": "npm4-4.9.1-15.20.1.x86_64",
"product": {
"name": "npm4-4.9.1-15.20.1.x86_64",
"product_id": "npm4-4.9.1-15.20.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Web and Scripting 12",
"product": {
"name": "SUSE Linux Enterprise Module for Web and Scripting 12",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 12",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-web-scripting:12"
}
}
},
{
"category": "product_name",
"name": "SUSE Enterprise Storage 4",
"product": {
"name": "SUSE Enterprise Storage 4",
"product_id": "SUSE Enterprise Storage 4",
"product_identification_helper": {
"cpe": "cpe:/o:suse:ses:4"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs4-4.9.1-15.20.1.aarch64 as component of SUSE Linux Enterprise Module for Web and Scripting 12",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.20.1.aarch64"
},
"product_reference": "nodejs4-4.9.1-15.20.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs4-4.9.1-15.20.1.ppc64le as component of SUSE Linux Enterprise Module for Web and Scripting 12",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.20.1.ppc64le"
},
"product_reference": "nodejs4-4.9.1-15.20.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs4-4.9.1-15.20.1.x86_64 as component of SUSE Linux Enterprise Module for Web and Scripting 12",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.20.1.x86_64"
},
"product_reference": "nodejs4-4.9.1-15.20.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs4-devel-4.9.1-15.20.1.aarch64 as component of SUSE Linux Enterprise Module for Web and Scripting 12",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.20.1.aarch64"
},
"product_reference": "nodejs4-devel-4.9.1-15.20.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs4-devel-4.9.1-15.20.1.ppc64le as component of SUSE Linux Enterprise Module for Web and Scripting 12",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.20.1.ppc64le"
},
"product_reference": "nodejs4-devel-4.9.1-15.20.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs4-devel-4.9.1-15.20.1.x86_64 as component of SUSE Linux Enterprise Module for Web and Scripting 12",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.20.1.x86_64"
},
"product_reference": "nodejs4-devel-4.9.1-15.20.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs4-docs-4.9.1-15.20.1.noarch as component of SUSE Linux Enterprise Module for Web and Scripting 12",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.20.1.noarch"
},
"product_reference": "nodejs4-docs-4.9.1-15.20.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm4-4.9.1-15.20.1.aarch64 as component of SUSE Linux Enterprise Module for Web and Scripting 12",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.20.1.aarch64"
},
"product_reference": "npm4-4.9.1-15.20.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm4-4.9.1-15.20.1.ppc64le as component of SUSE Linux Enterprise Module for Web and Scripting 12",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.20.1.ppc64le"
},
"product_reference": "npm4-4.9.1-15.20.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "npm4-4.9.1-15.20.1.x86_64 as component of SUSE Linux Enterprise Module for Web and Scripting 12",
"product_id": "SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.20.1.x86_64"
},
"product_reference": "npm4-4.9.1-15.20.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Web and Scripting 12"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs4-4.9.1-15.20.1.aarch64 as component of SUSE Enterprise Storage 4",
"product_id": "SUSE Enterprise Storage 4:nodejs4-4.9.1-15.20.1.aarch64"
},
"product_reference": "nodejs4-4.9.1-15.20.1.aarch64",
"relates_to_product_reference": "SUSE Enterprise Storage 4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "nodejs4-4.9.1-15.20.1.x86_64 as component of SUSE Enterprise Storage 4",
"product_id": "SUSE Enterprise Storage 4:nodejs4-4.9.1-15.20.1.x86_64"
},
"product_reference": "nodejs4-4.9.1-15.20.1.x86_64",
"relates_to_product_reference": "SUSE Enterprise Storage 4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2019-1559",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-1559"
}
],
"notes": [
{
"category": "general",
"text": "If an application encounters a fatal protocol error and then calls SSL_shutdown() twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0 byte record is received with invalid padding compared to if a 0 byte record is received with an invalid MAC. If the application then behaves differently based on that in a way that is detectable to the remote peer, then this amounts to a padding oracle that could be used to decrypt data. In order for this to be exploitable \"non-stitched\" ciphersuites must be in use. Stitched ciphersuites are optimised implementations of certain commonly used ciphersuites. Also the application must call SSL_shutdown() twice even if a protocol error has occurred (applications should not do this but some do anyway). Fixed in OpenSSL 1.0.2r (Affected 1.0.2-1.0.2q).",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.20.1.aarch64",
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.20.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.20.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.20.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.20.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.20.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.20.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.20.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.20.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.20.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.20.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.20.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-1559",
"url": "https://www.suse.com/security/cve/CVE-2019-1559"
},
{
"category": "external",
"summary": "SUSE Bug 1127080 for CVE-2019-1559",
"url": "https://bugzilla.suse.com/1127080"
},
{
"category": "external",
"summary": "SUSE Bug 1130039 for CVE-2019-1559",
"url": "https://bugzilla.suse.com/1130039"
},
{
"category": "external",
"summary": "SUSE Bug 1141798 for CVE-2019-1559",
"url": "https://bugzilla.suse.com/1141798"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.20.1.aarch64",
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.20.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.20.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.20.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.20.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.20.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.20.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.20.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.20.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.20.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.20.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.20.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N",
"version": "3.0"
},
"products": [
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.20.1.aarch64",
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.20.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.20.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.20.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.20.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.20.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.20.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.20.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.20.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.20.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.20.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.20.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-03-20T13:32:01Z",
"details": "low"
}
],
"title": "CVE-2019-1559"
},
{
"cve": "CVE-2019-5737",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-5737"
}
],
"notes": [
{
"category": "general",
"text": "In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and by sending headers very slowly. This keeps the connection and associated resources alive for a long period of time. Potential attacks are mitigated by the use of a load balancer or other proxy layer. This vulnerability is an extension of CVE-2018-12121, addressed in November and impacts all active Node.js release lines including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.20.1.aarch64",
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.20.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.20.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.20.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.20.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.20.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.20.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.20.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.20.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.20.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.20.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.20.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-5737",
"url": "https://www.suse.com/security/cve/CVE-2019-5737"
},
{
"category": "external",
"summary": "SUSE Bug 1127532 for CVE-2019-5737",
"url": "https://bugzilla.suse.com/1127532"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.20.1.aarch64",
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.20.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.20.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.20.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.20.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.20.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.20.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.20.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.20.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.20.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.20.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.20.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
},
"products": [
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.20.1.aarch64",
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.20.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.20.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.20.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.20.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.20.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.20.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.20.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.20.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.20.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.20.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.20.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-03-20T13:32:01Z",
"details": "low"
}
],
"title": "CVE-2019-5737"
},
{
"cve": "CVE-2019-5739",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2019-5739"
}
],
"notes": [
{
"category": "general",
"text": "Keep-alive HTTP and HTTPS connections can remain open and inactive for up to 2 minutes in Node.js 6.16.0 and earlier. Node.js 8.0.0 introduced a dedicated server.keepAliveTimeout which defaults to 5 seconds. The behavior in Node.js 6.16.0 and earlier is a potential Denial of Service (DoS) attack vector. Node.js 6.17.0 introduces server.keepAliveTimeout and the 5-second default.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.20.1.aarch64",
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.20.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.20.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.20.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.20.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.20.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.20.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.20.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.20.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.20.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.20.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.20.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2019-5739",
"url": "https://www.suse.com/security/cve/CVE-2019-5739"
},
{
"category": "external",
"summary": "SUSE Bug 1127533 for CVE-2019-5739",
"url": "https://bugzilla.suse.com/1127533"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.20.1.aarch64",
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.20.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.20.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.20.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.20.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.20.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.20.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.20.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.20.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.20.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.20.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.20.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
},
"products": [
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.20.1.aarch64",
"SUSE Enterprise Storage 4:nodejs4-4.9.1-15.20.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.20.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.20.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-4.9.1-15.20.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.20.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.20.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-devel-4.9.1-15.20.1.x86_64",
"SUSE Linux Enterprise Module for Web and Scripting 12:nodejs4-docs-4.9.1-15.20.1.noarch",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.20.1.aarch64",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.20.1.ppc64le",
"SUSE Linux Enterprise Module for Web and Scripting 12:npm4-4.9.1-15.20.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2019-03-20T13:32:01Z",
"details": "low"
}
],
"title": "CVE-2019-5739"
}
]
}
ghsa-wr35-fh22-q84x
Vulnerability from github
Keep-alive HTTP and HTTPS connections can remain open and inactive for up to 2 minutes in Node.js 6.16.0 and earlier. Node.js 8.0.0 introduced a dedicated server.keepAliveTimeout which defaults to 5 seconds. The behavior in Node.js 6.16.0 and earlier is a potential Denial of Service (DoS) attack vector. Node.js 6.17.0 introduces server.keepAliveTimeout and the 5-second default.
{
"affected": [],
"aliases": [
"CVE-2019-5739"
],
"database_specific": {
"cwe_ids": [
"CWE-770"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-03-28T17:29:00Z",
"severity": "HIGH"
},
"details": "Keep-alive HTTP and HTTPS connections can remain open and inactive for up to 2 minutes in Node.js 6.16.0 and earlier. Node.js 8.0.0 introduced a dedicated server.keepAliveTimeout which defaults to 5 seconds. The behavior in Node.js 6.16.0 and earlier is a potential Denial of Service (DoS) attack vector. Node.js 6.17.0 introduces server.keepAliveTimeout and the 5-second default.",
"id": "GHSA-wr35-fh22-q84x",
"modified": "2022-05-13T01:14:31Z",
"published": "2022-05-13T01:14:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5739"
},
{
"type": "WEB",
"url": "https://nodejs.org/en/blog/vulnerability/february-2019-security-releases"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202003-48"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20190502-0008"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00041.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00046.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
]
}
cnvd-2019-42554
Vulnerability from cnvd
目前厂商已发布升级补丁以修复漏洞,补丁获取链接: https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/
| Name | Joyent Node.js 6 |
|---|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2019-5739",
"cveUrl": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5739"
}
},
"description": "Joyent Node.js\u662f\u7f8e\u56fdJoyent\u516c\u53f8\u7684\u4e00\u5957\u5efa\u7acb\u5728Google V8 JavaScript\u5f15\u64ce\u4e4b\u4e0a\u7684\u7f51\u7edc\u5e94\u7528\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u4e3b\u8981\u7528\u4e8e\u6784\u5efa\u9ad8\u5ea6\u53ef\u4f38\u7f29\u7684\u5e94\u7528\u7a0b\u5e8f\uff0c\u4ee5\u53ca\u7f16\u5199\u80fd\u591f\u5904\u7406\u6570\u4e07\u6761\u4e14\u540c\u65f6\u8fde\u63a5\u5230\u4e00\u4e2a\u7269\u7406\u673a\u7684\u8fde\u63a5\u4ee3\u7801\u3002\n\nJoyent Node.js 6\u7248\u672c\u4e2d\u5b58\u5728\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u6ca1\u6709\u5b9e\u73b0\u2018server.keepAliveTimeout\u2019\u51fd\u6570\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u521b\u5efaHTTP\u6216HTTPS\u8fde\u63a5\u9020\u6210\u62d2\u7edd\u670d\u52a1\u3002",
"formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8865\u4e01\u83b7\u53d6\u94fe\u63a5\uff1a\r\nhttps://nodejs.org/en/blog/vulnerability/february-2019-security-releases/",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2019-42554",
"openTime": "2019-11-27",
"patchDescription": "Joyent Node.js\u662f\u7f8e\u56fdJoyent\u516c\u53f8\u7684\u4e00\u5957\u5efa\u7acb\u5728Google V8 JavaScript\u5f15\u64ce\u4e4b\u4e0a\u7684\u7f51\u7edc\u5e94\u7528\u5e73\u53f0\u3002\u8be5\u5e73\u53f0\u4e3b\u8981\u7528\u4e8e\u6784\u5efa\u9ad8\u5ea6\u53ef\u4f38\u7f29\u7684\u5e94\u7528\u7a0b\u5e8f\uff0c\u4ee5\u53ca\u7f16\u5199\u80fd\u591f\u5904\u7406\u6570\u4e07\u6761\u4e14\u540c\u65f6\u8fde\u63a5\u5230\u4e00\u4e2a\u7269\u7406\u673a\u7684\u8fde\u63a5\u4ee3\u7801\u3002\r\n\r\nJoyent Node.js 6\u7248\u672c\u4e2d\u5b58\u5728\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7a0b\u5e8f\u6ca1\u6709\u5b9e\u73b0\u2018server.keepAliveTimeout\u2019\u51fd\u6570\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u901a\u8fc7\u521b\u5efaHTTP\u6216HTTPS\u8fde\u63a5\u9020\u6210\u62d2\u7edd\u670d\u52a1\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
"patchName": "Joyent Node.js\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\uff08CNVD-2019-42554\uff09\u7684\u8865\u4e01",
"products": {
"product": "Joyent Node.js 6"
},
"referenceLink": "https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/",
"serverity": "\u4e2d",
"submitTime": "2019-03-06",
"title": "Joyent Node.js\u62d2\u7edd\u670d\u52a1\u6f0f\u6d1e\uff08CNVD-2019-42554\uff09"
}