SB2018071402 - OpenSUSE Linux update for nodejs8
Published: July 14, 2018
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 3 secuirty vulnerabilities.
1) NULL pointer dereference (CVE-ID: CVE-2018-1000168)
The vulnerability allows a remote unauthenticated attacker to cause DoS condition on the target system.
The weakness exists due to improper bounds checking. If an alternative services (ALTSVC) frame is too large, the pointer field that points to the ALTSVC frame payload is left NULL. A remote attacker can submit a large ALTSVC frame, trigger a NULL pointer dereference and cause the service to crash.
2) Improper input validation (CVE-ID: CVE-2018-7161)
The vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists due to a cleanup bug where objects are used in native code after they are no longer available when the affected software interacts with an HTTP/2 server. A remote attacker can send a specially crafted request that submits malicious input to the targeted node server that provides an HTTP/2 server and cause the node server to crash.
3) Improper input validation (CVE-ID: CVE-2018-7167)
The vulnerability allows a remote attacker to cause DoS condition on the target system.
The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can supply Calling Buffer.fill() or Buffer.alloc() with some parameters and cause the server to hang.
Remediation
Install update from vendor's website.