aports issueshttps://gitlab.alpinelinux.org/alpine/aports/-/issues2021-07-18T07:23:52Zhttps://gitlab.alpinelinux.org/alpine/aports/-/issues/10010[3.9] nasm: Multiple vulnerabilities (CVE-2019-6290, CVE-2019-6291)2021-07-18T07:23:52ZAlicha CH[3.9] nasm: Multiple vulnerabilities (CVE-2019-6290, CVE-2019-6291)**CVE-2019-6290**: An infinite recursion issue was discovered in eval.c
in Netwide Assembler (NASM) through 2.14.02. There is a stack exhaustion
problem resulting from infinite recursion in the functions expr, rexp,
bexpr and cexpr in ce...**CVE-2019-6290**: An infinite recursion issue was discovered in eval.c
in Netwide Assembler (NASM) through 2.14.02. There is a stack exhaustion
problem resulting from infinite recursion in the functions expr, rexp,
bexpr and cexpr in certain scenarios involving lots of ‘{’ characters.
Remote attackers could leverage this vulnerability to cause a
denial-of-service via a crafted asm file.
### References:
https://bugzilla.nasm.us/show\_bug.cgi?id=3392548
https://nvd.nist.gov/vuln/detail/CVE-2019-6290
**CVE-2019-6291**: An issue was discovered in the function expr6 in
eval.c in Netwide Assembler (NASM) through 2.14.02. There is a stack
exhaustion problem caused by the expr6 function making recursive calls
to itself in certain scenarios involving lots of ‘!’ or ‘+’ or ‘-’
characters. Remote attackers could leverage this vulnerability to cause
a denial-of-service via a crafted asm file.
### References:
https://bugzilla.nasm.us/show\_bug.cgi?id=3392549
https://nvd.nist.gov/vuln/detail/CVE-2019-6291
*(from redmine: issue id 10010, created on 2019-02-21)*
* Relations:
* parent #100083.9.7Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/10055[3.9] nodejs-current: Slowloris HTTP Denial of Service with keep-alive (CVE-2...2021-02-23T19:45:13ZAlicha CH[3.9] nodejs-current: Slowloris HTTP Denial of Service with keep-alive (CVE-2019-5737)An attacker can cause a Denial of Service (DoS) by establishing an HTTP
or HTTPS connection in keep-alive mode and by sending headers very
slowly thereby keeping
the connection and associated resources alive for a long period of time.
...An attacker can cause a Denial of Service (DoS) by establishing an HTTP
or HTTPS connection in keep-alive mode and by sending headers very
slowly thereby keeping
the connection and associated resources alive for a long period of time.
Attack potential is mitigated by the use of a load balancer or other
proxy layer.
This vulnerability is an extension of CVE-2018-12121, addressed in
November, 2018. The 40 second timeout and its adjustment
by server.headersTimeout apply to this fix as in CVE-2018-12121.
Severity is LOW.
### References:
https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/
https://cwe.mitre.org/data/definitions/400.html
*(from redmine: issue id 10055, created on 2019-03-05)*
* Relations:
* parent #100533.9.7https://gitlab.alpinelinux.org/alpine/aports/-/issues/10049[3.9] nodejs: Slowloris HTTP Denial of Service with keep-alive (CVE-2019-5737)2021-01-05T09:07:13ZAlicha CH[3.9] nodejs: Slowloris HTTP Denial of Service with keep-alive (CVE-2019-5737)An attacker can cause a Denial of Service (DoS) by establishing an HTTP
or HTTPS connection in keep-alive mode and by sending headers very
slowly thereby keeping
the connection and associated resources alive for a long period of time.
...An attacker can cause a Denial of Service (DoS) by establishing an HTTP
or HTTPS connection in keep-alive mode and by sending headers very
slowly thereby keeping
the connection and associated resources alive for a long period of time.
Attack potential is mitigated by the use of a load balancer or other
proxy layer.
This vulnerability is an extension of CVE-2018-12121, addressed in
November, 2018. The 40 second timeout and its adjustment
by server.headersTimeout apply to this fix as in CVE-2018-12121.
Severity is LOW.
### References:
https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/
https://cwe.mitre.org/data/definitions/400.html
*(from redmine: issue id 10049, created on 2019-03-05)*
* Relations:
* parent #100473.9.7Jakub JirutkaJakub Jirutkahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/10031ssl_client cannot handle inappropriate OCSP2020-04-23T14:09:38ZMagicloud Magicloudsssl_client cannot handle inappropriate OCSPThe root cause may be on server side. But as for modern browser, it
falls back to CRL to make things work. ssl\_client just fails.
This even occurs with github, so it is annoying.
Connecting to gist.githubusercontent.com (151.101.1...The root cause may be on server side. But as for modern browser, it
falls back to CRL to make things work. ssl\_client just fails.
This even occurs with github, so it is annoying.
Connecting to gist.githubusercontent.com (151.101.108.133:443)
ssl_client: gist.githubusercontent.com: ocsp verify failed: ocsp response not current
wget: error getting response: Connection reset by peer
*(from redmine: issue id 10031, created on 2019-02-25)*3.9.7