Debian Nodejs vulnerabilities
134 known vulnerabilities affecting debian/nodejs.
Total CVEs: 134
CISA KEV: 0
Public exploits: 3
Exploited in wild: 0
Severity breakdown
CRITICAL: 6, HIGH: 33, MEDIUM: 19, LOW: 76
Vulnerabilities
CVE-2017-14919 | LOW | CVSS 7.5 | 2017
CVE-2017-14919 [HIGH] CVE-2017-14919: nodejs - Node.js before 4.8.5, 6.x before 6.11.5, and 8.x before 8.8.0 allows remote atta...
Node.js before 4.8.5, 6.x before 6.11.5, and 8.x before 8.8.0 allows remote attackers to cause a denial of service (uncaught exception and crash) by leveraging a change in the zlib module 1.2.9 making 8 an invalid value for the windowBits parameter.
Scope: local
bookworm: resolved
bullseye: resolved
forky: resolved
sid: resolved
trixie: resolved
debian
CVE-2016-1669 | LOW | CVSS 8.8 | fixed in nodejs 4.4.6~dfsg-1 (bookworm) | 2016
CVE-2016-1669 [HIGH] CVE-2016-1669: nodejs - The Zone::New function in zone.cc in Google V8 before 5.0.71.47, as used in Goog...
The Zone::New function in zone.cc in Google V8 before 5.0.71.47, as used in Google Chrome before 50.0.2661.102, does not properly determine when to expand certain memory allocations, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via crafted JavaScript code.
Scope: local
bookworm: resolved (fixed i
debian
CVE-2016-2216 | LOW | CVSS 7.5 | fixed in nodejs 4.3.0~dfsg-1 (bookworm) | 2016
CVE-2016-2216 [HIGH] CVE-2016-2216: nodejs - The HTTP header parsing code in Node.js 0.10.x before 0.10.42, 0.11.6 through 0....
The HTTP header parsing code in Node.js 0.10.x before 0.10.42, 0.11.6 through 0.11.16, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allows remote attackers to bypass an HTTP response-splitting protection mechanism via UTF-8 encoded Unicode characters in the HTTP header, as demonstrated by %c4%8d%c4%8a.
Scope: local
bookworm: resolved (fixed in 4.3.0~df
debian
CVE-2016-2086 | LOW | CVSS 7.5 | fixed in nodejs 4.3.0~dfsg-1 (bookworm) | 2016
CVE-2016-2086 [HIGH] CVE-2016-2086: nodejs - Node.js 0.10.x before 0.10.42, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x ...
Node.js 0.10.x before 0.10.42, 0.12.x before 0.12.10, 4.x before 4.3.0, and 5.x before 5.6.0 allow remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header.
Scope: local
bookworm: resolved (fixed in 4.3.0~dfsg-1)
bullseye: resolved (fixed in 4.3.0~dfsg-1)
forky: resolved (fixed in 4.3.0~dfsg-1)
sid: resolved (fixed in 4.3.0~df
debian
CVE-2016-7099 | LOW | CVSS 5.9 | fixed in nodejs 4.6.0~dfsg-1 (bookworm) | 2016
CVE-2016-7099 [MEDIUM] CVE-2016-7099: nodejs - The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x be...
The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 does not properly handle wildcards in name fields of X.509 certificates, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.
Scope: local
bookworm: resolved (fixed in 4.6.0~dfsg-1)
bullseye: resolved (fi
debian
CVE-2016-5325 | LOW | CVSS 6.1 | fixed in nodejs 4.6.0~dfsg-1 (bookworm) | 2016
CVE-2016-5325 [MEDIUM] CVE-2016-5325: nodejs - CRLF injection vulnerability in the ServerResponse#writeHead function in Node.js...
CRLF injection vulnerability in the ServerResponse#writeHead function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the reason argument.
Scope: local
bookworm: resolved (fixed in 4.6.0~dfsg-1)
bullseye: resolved (f
debian
CVE-2015-6764 | CRITICAL | CVSS 9.8 | fixed in nodejs 4.2.3~dfsg-1 (bookworm) | 2015
CVE-2015-6764 [CRITICAL] CVE-2015-6764: nodejs - The BasicJsonStringifier::SerializeJSArray function in json-stringifier.h in the...
The BasicJsonStringifier::SerializeJSArray function in json-stringifier.h in the JSON stringifier in Google V8, as used in Google Chrome before 47.0.2526.73, improperly loads array elements, which allows remote attackers to cause a denial of service (out-of-bounds memory access) or possibly have unspecified other impact via crafted JavaScript code.
Scope: local
boo
debian
CVE-2015-8027 | HIGH | CVSS 7.5 | fixed in nodejs 4.2.3~dfsg-1 (bookworm) | 2015
CVE-2015-8027 [HIGH] CVE-2015-8027: nodejs - Node.js 0.12.x before 0.12.9, 4.x before 4.2.3, and 5.x before 5.1.1 does not en...
Node.js 0.12.x before 0.12.9, 4.x before 4.2.3, and 5.x before 5.1.1 does not ensure the availability of a parser for each HTTP socket, which allows remote attackers to cause a denial of service (uncaughtException and service outage) via a pipelined HTTP request.
Scope: local
bookworm: resolved (fixed in 4.2.3~dfsg-1)
bullseye: resolved (fixed in 4.2.3~dfsg-1)
forky: r
debian
CVE-2015-7384 | HIGH | CVSS 7.5 | fixed in nodejs 4.1.1~dfsg-3 (bookworm) | 2015
CVE-2015-7384 [HIGH] CVE-2015-7384: nodejs - Node.js 4.0.0, 4.1.0, and 4.1.1 allows remote attackers to cause a denial of ser...
Node.js 4.0.0, 4.1.0, and 4.1.1 allows remote attackers to cause a denial of service.
Scope: local
bookworm: resolved (fixed in 4.1.1~dfsg-3)
bullseye: resolved (fixed in 4.1.1~dfsg-3)
forky: resolved (fixed in 4.1.1~dfsg-3)
sid: resolved (fixed in 4.1.1~dfsg-3)
trixie: resolved (fixed in 4.1.1~dfsg-3)
debian
CVE-2015-5380 | LOW | CVSS 7.5 | 2015
CVE-2015-5380 [HIGH] CVE-2015-5380: nodejs - The Utf8DecoderBase::WriteUtf16Slow function in unicode-decoder.cc in Google V8,...
The Utf8DecoderBase::WriteUtf16Slow function in unicode-decoder.cc in Google V8, as used in Node.js before 0.12.6, io.js before 1.8.3 and 2.x before 2.3.3, and other products, does not verify that there is memory available for a UTF-16 surrogate pair, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impac
debian
CVE-2014-5256 | LOW | CVSS 5.0 | fixed in nodejs 0.10.38~dfsg-1 (bookworm) | 2014
CVE-2014-5256 [MEDIUM] CVE-2014-5256: nodejs - Node.js 0.8 before 0.8.28 and 0.10 before 0.10.30 does not consider the possibil...
Node.js 0.8 before 0.8.28 and 0.10 before 0.10.30 does not consider the possibility of recursive processing that triggers V8 garbage collection in conjunction with a V8 interrupt, which allows remote attackers to cause a denial of service (memory corruption and application crash) via deep JSON objects whose parsing lets this interrupt mask an overflow of the program
debian
CVE-2014-9748 | LOW | CVSS 8.1 | fixed in nodejs 4.0.0~dfsg-1 (bookworm) | 2014
CVE-2014-9748 [HIGH] CVE-2014-9748: nodejs - The uv_rwlock_t fallback implementation for Windows XP and Server 2003 in libuv ...
The uv_rwlock_t fallback implementation for Windows XP and Server 2003 in libuv before 1.7.4 does not properly prevent threads from releasing the locks of other threads, which allows attackers to cause a denial of service (deadlock) or possibly have unspecified other impact by leveraging a race condition.
Scope: local
bookworm: resolved (fixed in 4.0.0~dfsg-1)
bullseye
debian
CVE-2013-4450 | MEDIUM | CVSS 5.0 | PoC | fixed in nodejs 0.10.21~dfsg1-1 (bookworm) | 2013
CVE-2013-4450 [MEDIUM] CVE-2013-4450: nodejs - The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows ...
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of service (memory and CPU consumption) by sending a large number of pipelined requests without reading the response.
Scope: local
bookworm: resolved (fixed in 0.10.21~dfsg1-1)
bullseye: resolved (fixed in 0.10.21~dfsg1-1)
forky: resolved (fixed in 0.10.
debian
CVE-2012-2330 | MEDIUM | CVSS 6.4 | fixed in nodejs 0.6.17~dfsg1-1 (bookworm) | 2012
CVE-2012-2330 [MEDIUM] CVE-2012-2330: nodejs - The Update method in src/node_http_parser.cc in Node.js before 0.6.17 and 0.7 be...
The Update method in src/node_http_parser.cc in Node.js before 0.6.17 and 0.7 before 0.7.8 does not properly check the length of a string, which allows remote attackers to obtain sensitive information (request header contents) and possibly spoof HTTP headers via a zero length string.
Scope: local
bookworm: resolved (fixed in 0.6.17~dfsg1-1)
bullseye: resolved (fixed
debian