FreeBSD : LibreSSL -- TLS verification vulnerability (24673ed7-2bf3-11e7-b291-b499baebfeaf)
Jakub Jirutka reports: LibreSSL 2.5.1 to 2.5.3 lacks TLS certificate verification if SSL_get_verify_result is relied upon for a later check of a verification result, in a use case where a user-provided verification callback returns 1, as demonstrated by acceptance of invalid certificates by nginx...
Code injection
LibreSSL 2.5.1 to 2.5.3 lacks TLS certificate verification if SSL_get_verify_result is relied upon for a later check of a verification result, in a use case where a user-provided verification callback returns 1, as demonstrated by acceptance of invalid certificates by nginx...
ALPINE-CVE-2017-8301
LibreSSL 2.5.1 to 2.5.3 lacks TLS certificate verification if SSL_get_verify_result is relied upon for a later check of a verification result, in a use case where a user-provided verification callback returns 1, as demonstrated by acceptance of invalid certificates by nginx...
CVE-2017-8301
LibreSSL 2.5.1 to 2.5.3 lacks TLS certificate verification if SSL_get_verify_result is relied upon for a later check of a verification result, in a use case where a user-provided verification callback returns 1, as demonstrated by acceptance of invalid certificates by nginx...
CVE-2017-8301
CVE-2017-8301 affects LibreSSL 2.5.1–2.5.3 and describes a TLS certificate verification weakness that can occur when relying on SSL_get_verify_result for a later check and a user-provided verification callback returns 1, demonstrated by nginx accepting invalid certificates. The core issue is insu...
Weblate: weblate.org: X-XSS-Protection not enabled
Hi, X-Xss-Protection @https://weblate.org has not been set. This header is used to configure the built-in reflective XSS protection found in Internet Explorer, Chrome and Safari WebKit. Valid settings for the header are 0, which disables the protection, 1 which enables the protection and 1;...
Weblate: hosted.weblate.org: X-XSS-Protection not enabled
Hi, X-Xss-Protection @https://hosted.weblate.org/ has not been set. This header is used to configure the built-in reflective XSS protection found in Internet Explorer, Chrome and Safari WebKit. Valid settings for the header are 0, which disables the protection, 1 which enables the protection and ...
Phusion Passenger Elevation of Privilege Vulnerability
Phusion Passenger is an Apache module for deploying Ruby on Rails projects on Apache and Nginx web servers from Phusion Netherlands. An elevation of privilege vulnerability exists in versions of Phusion Passenger prior to 5.1.0. A local attacker can exploit this vulnerability to gain privileges...
Homebrew: Sensitive information disclosure via response headers on jenkins.brew.sh
While logging into the jenkins.brew.sh site, the vulnerable nginx version is disclosed via response headers. There is a chance that, with known vulnerabilities, this could be compromised. So it is better to avoid banner disclosure with the "Server Tokens Prod off" modification in the conf file. Please let me know if any...
DEBIAN-CVE-2016-10345
In Phusion Passenger before 5.1.0, a known /tmp filename was used during passenger-install-nginx-module execution, which could allow local attackers to gain the privileges of the passenger user...
UBUNTU-CVE-2016-10345
In Phusion Passenger before 5.1.0, a known /tmp filename was used during passenger-install-nginx-module execution, which could allow local attackers to gain the privileges of the passenger user...
Homebrew: Server version disclosure on [jenkins.brew.sh]
Hello Homebrew security team, I know this is a low severity issue but I thought getting you on notice would be best. The site jenkins.brew.sh discloses the Nginx server version. Impact: The information can be used by an attacker for further finding of exploits and information gathering. curl -i...
Evilginx - MITM Attack Framework [Advanced Phishing With Two-factor Authentication Bypass]
Evilginx is a man-in-the-middle attack framework used for phishing credentials and session cookies of any web service. Its core runs on the Nginx HTTP server, which utilizes proxy_pass and sub_filter to proxy and modify HTTP content, while intercepting traffic between client and server. You can learn...
Kong and Wallarm Partner Up to Boost Microservices API Security
Wallarm has partnered with Mashape to provide the microservices community with API security. Mashape enterprise customers who use the Kong API gateway can now quickly add API security protection without changes to their Kong deployment. Read more about the Kong and Wallarm partnership in this blog. Today...
Wallarm Teams up with NGINX Plus to Provide Advanced Security
Wallarm is excited to be a pioneer security vendor in NGINX Certified Module program and provide trusted and verified security functionality to NGINX Plus customers. “We are pleased to announce that Wallarm is now part of the NGINX Plus Certified Module program with the Wallarm Next Generation WA...
New Relic: SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability
Hi, I get in touch to report that cloud.newrelic.com is vulnerable to CVE-2014-3566 POODLE. Websites that support SSLv3 and CBC-mode ciphers are potentially vulnerable to an active MITM Man-in-the-middle attack. This attack, called POODLE, is similar to the BEAST attack and also allows a network...
Farmer's Fridge Kiosk 2.0.0 Information Disclosure
Farmer's Fridge Kiosk 2.0.0 Unprotected Event Log Information Disclosure Vendor: Farmer's Fridge Product web page: http://www.farmersfridge.com Affected version: 2.0.0 Summary: Don't think of the Farmer's Fridge kiosk as a vending machine. It's a veggie machine. And just as each salad is a culina...
FalconGate - A smart gateway to stop hackers and Malware attacks
A smart gateway to stop hackers, malware and more... Motivation: Cyber attacks are on the rise. Hackers and cyber criminals are continuously improving their methods and building new tools and malware with the purpose of hacking your network, spying on you and stealing valuable data. Recently a new...