aports issueshttps://gitlab.alpinelinux.org/alpine/aports/-/issues2021-07-18T07:23:52Zhttps://gitlab.alpinelinux.org/alpine/aports/-/issues/10010[3.9] nasm: Multiple vulnerabilities (CVE-2019-6290, CVE-2019-6291)2021-07-18T07:23:52ZAlicha CH[3.9] nasm: Multiple vulnerabilities (CVE-2019-6290, CVE-2019-6291)**CVE-2019-6290**: An infinite recursion issue was discovered in eval.c
in Netwide Assembler (NASM) through 2.14.02. There is a stack exhaustion
problem resulting from infinite recursion in the functions expr, rexp,
bexpr and cexpr in ce...**CVE-2019-6290**: An infinite recursion issue was discovered in eval.c
in Netwide Assembler (NASM) through 2.14.02. There is a stack exhaustion
problem resulting from infinite recursion in the functions expr, rexp,
bexpr and cexpr in certain scenarios involving lots of ‘{’ characters.
Remote attackers could leverage this vulnerability to cause a
denial-of-service via a crafted asm file.
### References:
https://bugzilla.nasm.us/show\_bug.cgi?id=3392548
https://nvd.nist.gov/vuln/detail/CVE-2019-6290
**CVE-2019-6291**: An issue was discovered in the function expr6 in
eval.c in Netwide Assembler (NASM) through 2.14.02. There is a stack
exhaustion problem caused by the expr6 function making recursive calls
to itself in certain scenarios involving lots of ‘!’ or ‘+’ or ‘-’
characters. Remote attackers could leverage this vulnerability to cause
a denial-of-service via a crafted asm file.
### References:
https://bugzilla.nasm.us/show\_bug.cgi?id=3392549
https://nvd.nist.gov/vuln/detail/CVE-2019-6291
*(from redmine: issue id 10010, created on 2019-02-21)*
* Relations:
* parent #100083.9.7Natanael CopaNatanael Copahttps://gitlab.alpinelinux.org/alpine/aports/-/issues/10055[3.9] nodejs-current: Slowloris HTTP Denial of Service with keep-alive (CVE-2...2021-02-23T19:45:13ZAlicha CH[3.9] nodejs-current: Slowloris HTTP Denial of Service with keep-alive (CVE-2019-5737)An attacker can cause a Denial of Service (DoS) by establishing an HTTP
or HTTPS connection in keep-alive mode and by sending headers very
slowly thereby keeping
the connection and associated resources alive for a long period of time.
...An attacker can cause a Denial of Service (DoS) by establishing an HTTP
or HTTPS connection in keep-alive mode and by sending headers very
slowly thereby keeping
the connection and associated resources alive for a long period of time.
Attack potential is mitigated by the use of a load balancer or other
proxy layer.
This vulnerability is an extension of CVE-2018-12121, addressed in
November, 2018. The 40 second timeout and its adjustment
by server.headersTimeout apply to this fix as in CVE-2018-12121.
Severity is LOW.
### References:
https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/
https://cwe.mitre.org/data/definitions/400.html
*(from redmine: issue id 10055, created on 2019-03-05)*
* Relations:
* parent #100533.9.7https://gitlab.alpinelinux.org/alpine/aports/-/issues/10049[3.9] nodejs: Slowloris HTTP Denial of Service with keep-alive (CVE-2019-5737)2021-01-05T09:07:13ZAlicha CH[3.9] nodejs: Slowloris HTTP Denial of Service with keep-alive (CVE-2019-5737)An attacker can cause a Denial of Service (DoS) by establishing an HTTP
or HTTPS connection in keep-alive mode and by sending headers very
slowly thereby keeping
the connection and associated resources alive for a long period of time.
...An attacker can cause a Denial of Service (DoS) by establishing an HTTP
or HTTPS connection in keep-alive mode and by sending headers very
slowly thereby keeping
the connection and associated resources alive for a long period of time.
Attack potential is mitigated by the use of a load balancer or other
proxy layer.
This vulnerability is an extension of CVE-2018-12121, addressed in
November, 2018. The 40 second timeout and its adjustment
by server.headersTimeout apply to this fix as in CVE-2018-12121.
Severity is LOW.
### References:
https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/
https://cwe.mitre.org/data/definitions/400.html
*(from redmine: issue id 10049, created on 2019-03-05)*
* Relations:
* parent #100473.9.7Jakub JirutkaJakub Jirutka