CVE-2014-3556

The STARTTLS implementation in mail/ngxmailsmtphandler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command...

Command injection

The STARTTLS implementation in mail/ngxmailsmtphandler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command...

UBUNTU-CVE-2014-3556

The STARTTLS implementation in mail/ngxmailsmtphandler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command...

CVE-2014-3556

The CVE-2014-3556 entry affects nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4. The STARTTLS implementation in mail/ngx_mail_smtp_handler.c allows an MITM to inject commands into encrypted SMTP sessions by sending a cleartext command after TLS is established, due to insufficient I/O bu...

CVE-2014-3556

The STARTTLS implementation in mail/ngxmailsmtphandler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command...

CVE-2014-3556

The STARTTLS implementation in mail/ngxmailsmtphandler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and 1.7.x before 1.7.4 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command...

STARTTLS command injection

STARTTLS command injection Severity: medium CVE-2014-3556 Not vulnerable: 1.7.4+, 1.6.1+ Vulnerable: 1.5.6-1.7.3...

EFF Calls Out ISPs Modifying STARTTLS Encryption Commands

As Net Neutrality debates swirl, privacy advocates at the Electronic Frontier Foundation and VPN provider Golden Frog have gone public with a Federal Communications Commission filing that got more attention for accusations that Verizon FIOS customers were having their Netflix streaming service...

DEBIAN-CVE-2014-8760

ejabberd before 2.1.13 does not enforce the starttlsrequired setting when compression is used, which causes clients to establish connections without encryption...

CVE-2014-8760

ejabberd before 2.1.13 does not enforce the starttlsrequired setting when compression is used, which causes clients to establish connections without encryption...

SSL/TLS: SMTP Missing Support For STARTTLS

The remote SMTP server does not support the Copyright C 2014 Greenbone Networks GmbH Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later This program is free software; you can...

Facebook Says 95 Percent of Notification Email Encrypted

All that’s missing from the organic encrypt the web movement seems to be a hashtag. Otherwise, no one can accuse major web providers of slacking as leading players such as Microsoft and Yahoo, prompted by the Snowden leaks, have made noteworthy leaps in the last 15 months to encrypt everything fr...

nginx -- inject commands into SSL session vulnerability

The nginx project reports: Security: pipelined commands were not discarded after STARTTLS command in SMTP proxy CVE-2014-3556; the bug had appeared in 1.5.6...

Microsoft Expands TLS, Forward Secrecy Support

Microsoft is no exception when it comes to large technology providers committing to encrypting the services its users depend on. Today, the company announced an update on the progress it has made in engineering those changes, including the news that Outlook.com, its web-based email service,...

Heartbleed OpenSSL - Information Leak Exploit (2) - DTLS Support

No description provided by source. / CVE-2014-0160 heartbleed OpenSSL information leak exploit ========================================================= This exploit uses OpenSSL to create an encrypted connection and trigger the heartbleed leak. The leaked information is returned within encrypted...

OpenSSL Heartbeat (Heartbleed) Information Leak

This module implements the OpenSSL Heartbleed attack. The problem exists in the handling of heartbeat requests, where a fake length can be used to leak memory data in the response. Services that support STARTTLS may also be vulnerable. The module supports several actions, allowing for scanning,...

openSUSE Security Update : inn (openSUSE-SU-2012:1171-1)

fix starttls command injection issue CVE-2012-3523, bnc776967 - handle /var/run on tmpfs. bnc778439 %NASLMINLEVEL 70300 C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from openSUSE Security Update openSUSE-2012-600. The text description of...

openSUSE Security Update : exim (openSUSE-SU-2011:0535-1)

This update fixes a security issues : - exim remote code exection CVE-2011-1407 also some safety improvements regarding STARTTLS. %NASLMINLEVEL 70300 C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from openSUSE Security Update exim-4604. The...

openSUSE Security Update : cyrus-imapd (openSUSE-SU-2011:0800-1)

cyrus-imapd recognized commands before switching to an encrypted channel via STARTTLS. Attackers could potentially exploit that to inject plain text commands CVE-2011-1926. %NASLMINLEVEL 70300 C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted...

openSUSE Security Update : pure-ftpd (openSUSE-SU-2011:0483-1)

Pure-ftpd is vulnerable to the STARTTLS command injection issue similar to CVE-2011-0411 of postfix. CVE-2011-1575 has been assigned to this issue. %NASLMINLEVEL 70300 C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from openSUSE Security...