Debian DLA-180-1 : gnutls26 security update

Multiple vulnerabilities have been discovered in GnuTLS, a library implementing the TLS and SSL protocols. The Common Vulnerabilities and Exposures project identifies the following problems : CVE-2014-8155 Missing date/time checks on CA certificates CVE-2015-0282 GnuTLS does not verify the RSA PK...

Code injection

GnuTLS before 3.1.0 does not verify that the RSA PKCS 1 signature algorithm matches the signature algorithm in the certificate, which allows remote attackers to conduct downgrade attacks via unspecified vectors...

CVE-2015-0282

GnuTLS before 3.1.0 does not verify that the RSA PKCS#1 signature algorithm matches the signature algorithm in the certificate, enabling remote downgrade attacks via unspecified vectors. Impact is downgrade/traffic manipulation risk with affected deployments. The CVE entry explicitly targets GnuTLS...

USN-2540-1 gnutls26, gnutls28 vulnerabilities

It was discovered that GnuTLS did not perform date and time checks on CA certificates, contrary to expectations. This issue only affected Ubuntu 10.04 LTS. CVE-2014-8155 Nikos Mavrogiannopoulos discovered that GnuTLS incorrectly verified that signature algorithms matched. A remote attacker could...

Debian Security Advisory DSA 3191-1 (gnutls26 - security update)

Multiple vulnerabilities have been discovered in GnuTLS, a library implementing the TLS and SSL protocols. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2015-0282 GnuTLS does not verify the RSA PKCS 1 signature algorithm to match the signature algorithm i...

DSA-3191-1 gnutls26 - security update

Bulletin has no description...

UBUNTU-CVE-2015-0282

GnuTLS before 3.1.0 does not verify that the RSA PKCS 1 signature algorithm matches the signature algorithm in the certificate, which allows remote attackers to conduct downgrade attacks via unspecified vectors...

cryptopp -- multiple vulnerabilities

Multiple sources report: CVE-2015-2141: The InvertibleRWFunction::CalculateInverse function in rw.cpp in libcrypt++ 5.6.2 does not properly blind private key operations for the Rabin-Williams digital signature algorithm, which allows remote attackers to obtain private keys via a timing attack...

Mandriva Linux Security Advisory : openssl (MDVSA-2015:019)

Multiple vulnerabilities has been discovered and corrected in openssl : A carefully crafted DTLS message can cause a segmentation fault in OpenSSL due to a NULL pointer dereference. This could lead to a Denial Of Service attack CVE-2014-3571. A memory leak can occur in the dtls1bufferrecord...

Updated openssl packages fix security vulnerabilities

A carefully crafted DTLS message can cause a segmentation fault in OpenSSL due to a NULL pointer dereference. This could lead to a Denial Of Service attack CVE-2014-3571. A memory leak can occur in the dtls1bufferrecord function under certain conditions. In particular this could occur if an...

CVE-2014-8627

PolarSSL 1.3.8 does not properly negotiate the signature algorithm to use, which allows remote attackers to conduct downgrade attacks via unspecified vectors...

Code injection

PolarSSL 1.3.8 does not properly negotiate the signature algorithm to use, which allows remote attackers to conduct downgrade attacks via unspecified vectors...

CVE-2014-8627

CVE-2014-8627 affects PolarSSL 1.3.8 where signature algorithm negotiation is flawed, enabling downgrade-like scenarios via unspecified vectors. Public sources (NVD/NASL/Nessus/OpenVAS) describe downgrad e risk and context; a patch path is to upgrade to newer PolarSSL versions (e.g., 1.3.9) as no...

Updated polarssl package fix security vulnerabilities

A regression in PolarSSL 1.3.8 resulted in servers negotiating a weaker signature algorithm than available. This has been fixed in PolarSSL 1.3.9 CVE-2014-8627. Two remotely-triggerable memory leaks were found by the Codenomicon Defensics tool and fixed in PolarSSL 1.3.9 CVE-2014-8628...

MGASA-2014-0481 Updated polarssl package fix security vulnerabilities

A regression in PolarSSL 1.3.8 resulted in servers negotiating a weaker signature algorithm than available. This has been fixed in PolarSSL 1.3.9 CVE-2014-8627. Two remotely-triggerable memory leaks were found by the Codenomicon Defensics tool and fixed in PolarSSL 1.3.9 CVE-2014-8628...

Code injection

SAPCRYPTOLIB before 5.555.38, SAPSECULIB, and CommonCryptoLib before 8.4.30, as used in SAP NetWeaver AS for ABAP and SAP HANA, allows remote attackers to spoof Digital Signature Algorithm DSA signatures via unspecified vectors...

CVE-2014-8587

SAPCRYPTOLIB before 5.555.38, SAPSECULIB, and CommonCryptoLib before 8.4.30, as used in SAP NetWeaver AS for ABAP and SAP HANA, allows remote attackers to spoof Digital Signature Algorithm DSA signatures via unspecified vectors...

OpenSSL 'ChangeCipherSpec' MiTM Vulnerability

The OpenSSL service on the remote host is vulnerable to a man-in-the-middle MiTM attack, based on its acceptance of a specially crafted handshake. This flaw could allow a MiTM attacker to decrypt or forge SSL messages by telling the service to begin encrypted communications before key material ha...

IBM WebSphere Application Server 8.0 < Fix Pack 9 Multiple Vulnerabilities

IBM WebSphere Application Server 8.0 prior to Fix Pack 9 is running on the remote host. It is, therefore, affected by the following vulnerabilities : - A cross-site scripting flaw exists within the Administration Console, where user input is improperly validated. This could allow a remote attacke...

McAfee Email Gateway OpenSSL Multiple Vulnerabilities (SB10075)

The remote host is running a version of McAfee Email Gateway MEG that is affected by the multiple vulnerabilities related to the included OpenSSL library : - An error exists in the function 'ssl3readbytes' that can allow data to be injected into other sessions or allow denial of service attacks...