SUSE-SU-2018:1698-1 Security update for gpg2

This update for gpg2 fixes the following security issue: - CVE-2018-12020: GnuPG mishandled the original filename during decryption and verification actions, which allowed remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the '--status-fd 2'...

Security Bulletin: IBM WebSphere MQ keystore password traced by mqcertck on IBM i platform (CVE-2015-7462)

Summary The mqcertck tool which was newly added in MQ 8.0.0.4 could trace certificate keystore passwords. Vulnerability Details CVEID: CVE-2015-7462 DESCRIPTION: IBM WebSphere MQ could allow a local user with administrator privileges to decrypt other MQ administrators passwords by using the...

Security Bulletin: Multiple vulnerabilities in OpenSSL affect IBM MQ Appliance

Summary OpenSSL vulnerabilities were disclosed on March 1, 2016 by the OpenSSL Project. OpenSSL is used by IBM MQ Appliance. IBM MQ Appliance has addressed the applicable CVEs including the “DROWN: Decrypting RSA with Obsolete and Weakened eNcryption" vulnerability. Vulnerability Details CVEID:...

Security Bulletin: Padding Oracle Protection in IBM DataPower Gateways GatewayScript modules (CVE-2015-7412)

Summary IBM DataPower Gateways has addressed a Padding Oracle Protection vulnerability in GatewayScript decryption. Vulnerability Details CVEID: CVE-2015-7412 DESCRIPTION: IBM DataPower Gateways GatewayScript modules may be vulnerable to Padding Oracle attacks in some scenarios, which could allow...

Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Business Monitor (CVE-2015-0138)

Summary WebSphere Application Server is shipped as a component of IBM Business Monitor. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin. Vulnerability Details CVEID: CVE-2015-0138 DESCRIPTION: A vulnerability in various I...

Security Bulletin: Vulnerability in IBM WebSphere Application Server affects IBM MQ Light (CVE-2015-0138)

Summary The “FREAK: Factoring Attack on RSA-EXPORT keys" TLS/SSL client and server vulnerability affects IBM WebSphere Application Server Liberty Profile Version 8.5.5 that is used by IBM MQ Light. Vulnerability Details CVEID: CVE-2015-0138 DESCRIPTION: A vulnerability in various IBM SSL/TLS...

Security Bulletin: Vulnerability with RSA Export Keys may affect IBM WebSphere Application Server (CVE-2015-0138)

Summary The “FREAK: Factoring Attack on RSA-EXPORT keys" TLS/SSL client and server vulnerability CVE-2015-0138 may affect some configurations of IBM WebSphere Application Server Full Profile, IBM WebSphere Application Server Liberty Profile, and IBM WebSphere Application Server Hypervisor Edition...

Security Bulletin: TLS padding vulnerability affects IBM WebSphere MQ (CVE-2014-8730)

Summary Transport Layer Security TLS padding vulnerability via a POODLE Padding Oracle On Downgraded Legacy Encryption like attack affects IBM WebSphere MQ. Vulnerability Details CVE-ID: CVE-2014-8730 DESCRIPTION: Product could allow a remote attacker to obtain sensitive information, caused by th...

Security Bulletin: Vulnerability in SSLv3 affects IBM Integration Designer and WebSphere Integration Developer (CVE-2014-3566)

Summary SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption POODLE attack. SSLv3 is enabled in IBM Integration Designer and WebSphere Integration Developer. Vulnerability Details CVE-ID : CVE-2014-3566 DESCRIPTION : IBM Integration Design...

Security Bulletin: Vulnerability in SSLv3 affects IBM WebSphere Application Server shipped with WebSphere Service Registry and Repository

Summary SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption POODLE attack. SSLv3 is enabled by default in IBM WebSphere Application Server. Vulnerability Details CVE ID: CVE-2014-3566 DESCRIPTION: IBM WebSphere Application could allow a...

IBM WebSphere Cast Iron Security Bulletin: Multiple security vulnerabilities in IBM JRE 6 and IBM JRE 7

Abstract Multiple security vulnerabilities exist in the IBM Java Runtime Environment component of WebSphere Cast Iron in IBM JRE 6.0 SR15 and earlier and IBM JRE 7.0 SR5 and earlier Content VULNERABILITY DETAILS There are multiple security vulnerabilities in the IBM Java Runtime Environment used ...

Security Bulletin: Websphere DataPower vulnerability in SSL ChangeCipherSpec processing (CVE-2014-0224)

Summary A security vulnerability in ChangeCipherSpec processing allows intermediate nodes to intercept encrypted data and decrypt them and can force the use of weak keying material in SSL/TLS clients and servers. Vulnerability Details CVE ID: CVE-2014-0224 DESCRIPTION: An attacker using a careful...

USN-3675-2 gnupg2 vulnerability

USN-3675-1 fixed a vulnerability in GnuPG 2 for Ubuntu 18.04 LTS and Ubuntu 17.10. This update provides the corresponding update for GnuPG 2 in Ubuntu 16.04 LTS and Ubuntu 14.04 LTS. Original advisory details: Marcus Brinkmann discovered that during decryption or verification, GnuPG did not...

Ubuntu 14.04 LTS / 16.04 LTS : GnuPG 2 vulnerability (USN-3675-2)

The remote Ubuntu 14.04 LTS / 16.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-3675-2 advisory. USN-3675-1 fixed a vulnerability in GnuPG 2 for Ubuntu 18.04 LTS and Ubuntu 17.10. This update provides the corresponding update for GnuPG 2 in Ubuntu...

Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS : GnuPG vulnerabilities (USN-3675-1)

The remote Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-3675-1 advisory. Marcus Brinkmann discovered that during decryption or verification, GnuPG did not properly filter out terminal sequences when...

USN-3675-1: GnuPG vulnerabilities

Marcus Brinkmann discovered that during decryption or verification, GnuPG did not properly filter out terminal sequences when reporting the original filename. An attacker could use this to specially craft a file that would cause an application parsing GnuPG output to incorrectly interpret the...

CVE-2018-5133

If the "app.support.baseURL" preference is changed by a malicious local program to contain HTML and script content, this content is not sanitized. It will be executed if a user loads "chrome://browser/content/preferences/in-content/preferences.xul" directly in a tab and executes a search. This...

GnuPG Security Bypass Vulnerability (CNVD-2018-21053)

GnuPG GNU Privacy Guard is a suite of open source encryption software developed by the GNU Project under the GNU General Public License. The software supports public key, symmetric encryption, hashing and other algorithms. A security vulnerability exists in the mainproc.c file in versions of GnuP...

CVE-2018-12020

mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represen...

Code injection

mainproc.c in GnuPG before 2.2.8 mishandles the original filename during decryption and verification actions, which allows remote attackers to spoof the output that GnuPG sends on file descriptor 2 to other programs that use the "--status-fd 2" option. For example, the OpenPGP data might represen...