Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM Cognos Command Center (CVS-2015-7575)

Summary There are multiple vulnerabilities in IBM® Runtime Environment Java™ Technology Edition, Version 6 that is used by IBM Cognos Command Center. These issues were disclosed as part of the IBM Java SDK updates in January 2016 and includes the vulnerability commonly referred to as “SLOTH”...

Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM API Management (CVE-2015-7575, CVE-2016-0466)

Summary There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 7 that is used by IBM API Management. These issues were disclosed as part of the IBM Java SDK updates in January 2016 and includes the vulnerability commonly referred to as “SLOTH”. Vulnerability Details CVEI...

Security Bulletin: A vulnerability in IBM Java SDK affects IBM PureApplication System. (CVE-2015-7575)

Summary There is a vulnerability in IBM® SDK Java™ Technology Edition, Version 6 and 7, that is used by IBM PureApplication System. The issue was disclosed as part of the IBM Java SDK updates in January 2016 and this vulnerability is commonly referred to as “SLOTH”. Vulnerability Details CVEID:...

Security Bulletin:A vulnerability in IBM Java SDK affects IBM Workload Deployer. (CVE-2015-7575)

Summary There is a vulnerability in IBM® SDK Java™ Technology Edition Version 6 that is used by IBM Workload Deployer. The issue was disclosed as part of the IBM Java SDK updates in January 2016 and this vulnerability is commonly referred to as “SLOTH”. Vulnerability Details CVEID: CVE-2015-7575...

Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Business Process Manager and WebSphere Lombardi Edition (CVE-2016-0483, CVE-2016-0475, CVE-2016-0466, CVE-2015-7575, CVE-2016-0448)

Summary WebSphere Application Server WAS is shipped as a component of IBM Business Process Manager BPM and WebSphere Lombardi Edition WLE. Information about security vulnerabilities affecting WebSphere Application Server has been published in security bulletins. There are multiple vulnerabilities...

Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect IBM WebSphere MQ (CVE-2016-0475, CVE-2015-7575, CVE-2016-0448)

Summary There are multiple vulnerabilities in IBM® Runtime Environment Java™ Technology Edition that is used by IBM WebSphere MQ. These issues were disclosed as part of the IBM Java SDK updates in January 2016 and include the vulnerability commonly referred to as “SLOTH”. Vulnerability Details...

Security Bulletin: Multiple vulnerabilities identified in IBM® Java SDK affect WebSphere Service Registry and Repository Studio (CVE-2016-0466, CVE-2015-7575, CVE-2016-0448)

Summary There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition that is shipped with IBM WebSphere Service Registry and Repository Studio. These issues were disclosed as part of the IBM Java SDK updates in January 2016 and includes the vulnerability commonly referred to as “SLOTH”...

FreeBSD : strongswan - Insufficient input validation in RSASSA-PSS signature parser (6a449a37-1570-11e8-8e00-000c294a5758)

Strongswan Release Notes reports : Fixed a DoS vulnerability in the parser for PKCS1 RSASSA-PSS signatures that was caused by insufficient input validation. One of the configurable parameters in algorithm identifier structures for RSASSA-PSS signatures is the mask generation function MGF. Only MG...

strongswan - Insufficient input validation in RSASSA-PSS signature parser

Strongswan Release Notes reports: Fixed a DoS vulnerability in the parser for PKCS1 RSASSA-PSS signatures that was caused by insufficient input validation. One of the configurable parameters in algorithm identifier structures for RSASSA-PSS signatures is the mask generation function MGF. Only MGF...

CVE-2017-11696

Heap-based buffer overflow in the hashopen function in lib/dbm/src/hash.c in Mozilla Network Security Services NSS allows context-dependent attackers to have unspecified impact using a crafted cert8.db file...

CVE-2017-11696

Heap-based buffer overflow in the hashopen function in lib/dbm/src/hash.c in Mozilla Network Security Services NSS allows context-dependent attackers to have unspecified impact using a crafted cert8.db file...

expat: hash table collisions CPU usage DoS

A denial of service flaw was found in the implementation of hash arrays in Expat. An attacker could use this flaw to make an application using Expat consume an excessive amount of CPU time by providing a specially crafted XML file that triggers multiple hash function collisions. To mitigate this...

AIX bind Advisory : nettcp_advisory2.asc (IV86116) (IV86117) (IV86118) (IV86119) (IV86120) (IV86132)

The version of bind installed on the remote AIX host is affected by the following vulnerabilities : - The TLS protocol allows weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake. An attacker can...

The scrypt parameters

The recommended scrypt parameters in the Go docs were recently brought up for discussion given they haven't changed since 2009. Even if at this point I memorized the three numbers N=16384, r=8, p=1 I only have a vague understanding of their meaning, so I took some time to read the scrypt paper...

CVE-2017-7607

The handlegnuhash function in readelf.c in elfutils 0.168 allows remote attackers to cause a denial of service heap-based buffer over-read and application crash via a crafted ELF file...

PYSEC-2017-143

The image signature algorithm in OpenStack Glance 11.0.0 allows remote attackers to bypass the signature verification process via a crafted image, which triggers an MD5 collision...

First Practical SHA-1 Collision Attack Arrives

Researchers unveiled on Thursday the first practical collision attack for the 22-year old cryptographic hash function SHA-1. While long expected, news of the attack, dubbed ‘SHAttered,’ should further accelerate the urgency of sunsetting of the maligned algorithm. Researchers from Google, Elie...

DEBIAN-CVE-2016-10154

The smbhash function in fs/cifs/smbencrypt.c in the Linux kernel 4.9.x before 4.9.1 interacts incorrectly with the CONFIGVMAPSTACK option, which allows local users to cause a denial of service system crash or memory corruption or possibly have unspecified other impact by leveraging use of more th...

AIX 5.3 TL 12 : nettcp (IV88957) (SLOTH) (deprecated)

https://vulners.com/cve/CVE-2015-7575 The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake. An attacker could exploit this vulnerability using man-in-the-middle...

AIX 7.1 TL 3 : nettcp (IV82331) (SLOTH) (deprecated)

https://vulners.com/cve/CVE-2015-7575 The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message during a TLS handshake. An attacker could exploit this vulnerability using man-in-the-middle...