DEBIAN-CVE-2020-1971

The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERALNAMEcmp which compares different instances of a GENERALNAME to see if they are equal or not. This function behaves incorrect...

LibreSSL -- NULL pointer dereference

The LibreSSL project reports: Malformed ASN.1 in a certificate revocation list or a timestamp response token can lead to a NULL pointer dereference...

curl: CVE-2020-8286: Inferior OCSP verification

cURL in /lib/vtls/openssl.c does not check that the certificate serial number in the stapled OCSP response matches the serial number of the certificate it is trying to validate the peer certificate. This results in a passed validity challenge even when connecting to a site that has had its...

Mozilla Firefox for Android 安全漏洞

Mozilla Firefox is an open source web browser from the Mozilla Foundation in the United States. A security vulnerability exists in Android Firefox that stems from a lack of service initialization and OneCRL being non-functional in the new Android Firefox. This may result in the inability to enfor...

Unbreakable Enterprise kernel-container security update

4.14.35-2025.402.2.1.el7 - powercap: restrict energy meter to root access Kanth Ghatraju Orabug: 32040805 CVE-2020-8694 CVE-2020-8695 4.14.35-2025.402.2.el7 - ocfs2: fix remounting needed after setfacl command Gang He - Fix multiple variable definition with syzkaller Hans Westgaard Ry Orabug:...

Unbreakable Enterprise kernel security update

5.4.17-2036.100.6.1.el8uek - powercap: restrict energy meter to root access Kanth Ghatraju Orabug: 32040802 CVE-2020-8694 CVE-2020-8695 - KVM: ioapic: break infinite recursion on lazy EOI Vitaly Kuznetsov Orabug: 32066585 CVE-2020-27152 CVE-2020-27152 - x86/mitigations: Restore paranoid checks fo...

CVE-2020-15950

Immuta v2.8.2 is affected by improper session management: user sessions are not revoked upon logout...

puppet-agent: Puppet Agent does not properly verify SSL connection when downloading a CRL

A flaw was found in Puppet, where the Puppet Agent did not verify the peer in the SSL connection before downloading to the Certificate Revocation List CRL. The primary risk is the availability of communications to computing systems and not Puppet itself. This flaw allows an attacker to submit a...

Security Bulletin: Denial of service vulnerability affecting Aspera Connect 3.7 or 3.8

Summary A vulnerability, if exploited, could disable or impair the use of certain versions of Aspera Connect. UPDATE 12/9/2019: The certificate for local.connectme.us has been revoked, as a result, Aspera Connect 3.7 and 3.8 no longer function on Firefox and Safari. The web application integrated...

jsrsasign

This is an open-source JavaScript library called jsrsasign, which provides cryptographic functions for RSA/RSAPSS/ECDSA/DSA signing and validation, ASN.1, PKCS1/5/8 private/public key, X.509 certificate, CRL, OCSP, CMS SignedData, TimeStamp, and CAdES. The library is available on Node.js and...

Insecure Error Handling

github.com/ory/fosite does not securely handle errors from the server. The TokenRevocationHandler ignores errors coming from the storage. This can lead to unexpected 200 status codes indicating successful revocation while the token is still valid and may lead to unexpected behaviors in the server...

CVE-2020-15223 Ignored storage errors on token revokation in ORY Fosite

In ORY Fosite the security first OAuth2 & OpenID Connect framework for Go before version 0.34.0, the TokenRevocationHandler ignores errors coming from the storage. This can lead to unexpected 200 status codes indicating successful revocation while the token is still valid. Whether an attacker can...

PT-2020-14290 · Ory · Ory Fosite

Name of the Vulnerable Software and Affected Versions: ORY Fosite versions prior to 0.34.0 Description: The issue arises from improper error handling in the TokenRevocationHandler, which ignores errors coming from the storage. This can lead to unexpected 200 status codes indicating successful...

PT-2020-13448 · Gitlab · Gitlab

Name of the Vulnerable Software and Affected Versions: GitLab versions prior to 13.1.10 GitLab versions prior to 13.2.8 GitLab versions prior to 13.3.4 Description: A security issue was found in GitLab where it failed to revoke current user sessions when two-factor authentication was activated,...

UBUNTU-CVE-2020-13302

A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. Under certain conditions GitLab was not properly revoking user sessions and allowed a malicious user to access a user account with an old password...

CVE-2020-13302

Removed by vendor...

CVE-2020-13299

A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. The revocation feature was not revoking all session tokens and one could re-use it to obtain a valid session...

CVE-2020-13299

A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. The revocation feature was not revoking all session tokens and one could re-use it to obtain a valid session...

Design/Logic Flaw

A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. The revocation feature was not revoking all session tokens and one could re-use it to obtain a valid session...

CVE-2020-13299

A vulnerability was discovered in GitLab versions before 13.1.10, 13.2.8 and 13.3.4. The revocation feature was not revoking all session tokens and one could re-use it to obtain a valid session...