
715 matches found

OSV
added 2013/10/20 12:0 a.m. | 30 views

DSA-2782-1 polarssl - several

Bulletin has no description...

CVSS: 6.8 | AI score: 7.2 | EPSS: 0.02997
Exploits: 1

seebug.org
added 2013/10/09 12:0 a.m. | 25 views

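Apache 'mod_accounting' Module SQL Injection Vulnerability (CVE-2013-5697)

BUGTRAQ ID: 62677 CVE ID: CVE-2013-5697 mod_accounting is a traffic accounting module for Apache 1.3.x. The module records traffic in a database; supported database types include MySQL and PostgreSQL. The mod_accounting 0.5 module contains an SQL injection vulnerability in the Host header, which an attacker can exploit to compromise the application and perform unauthorized database operations. The vulnerability arises because a user-supplied HTTP header is used in a query without being filtered. The module uses simple string concatenation to replace the placeholders in a predefined query before sending it to the database. The code is located in mod_accounting.c. 0 mod_accounting 0.5 Workaround:...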

CVSS: 7.5 | AI score: 6.5 | EPSS: 0.01266
Exploits: 7

ThreatPost
added 2013/08/01 6:22 p.m. | 16 views

JavaScript and Timing Attacks Used to Steal Browser Data

LAS VEGAS–Security researchers have been warning about the weaknesses and issues with JavaScript and iframes for years now, but the problem goes far deeper than even many of them thought. A researcher in the U.K. has developed a new technique that uses a combination of JavaScript-based timing...

AI score: 6.9
Exploits: 0

Tenable Nessus
added 2013/03/28 12:0 a.m. | 47 views

SuSE 10 Security Update : OpenSSL (ZYPP Patch Number 8517)

OpenSSL has been updated to fix several security issues : - Avoid the openssl CRIME attack by disabling SSL compression by default. Setting the environment variable 'OPENSSL_NO_DEFAULT_ZLIB' to 'no' enables compression again. CVE-2012-4929 Please note that openssl on SUSE Linux Enterprise 10 is not...

CVSS: 5 | AI score: 6.8 | EPSS: 0.35584
Exploits: 2 | References: 6

OSV
added 2013/03/25 3:10 p.m. | 8 views

SUSE-SU-2015:1184-2 Security update for OpenSSL

OpenSSL has been updated to fix several security issues: CVE-2012-4929: Avoid the openssl CRIME attack by disabling SSL compression by default. Setting the environment variable 'OPENSSL_NO_DEFAULT_ZLIB' to 'no' enables compression again. CVE-2013-0169: Timing attacks against TLS could be used by...

CVSS: 7.5 | AI score: 7.3 | EPSS: 0.99999
Exploits: 17 | References: 76

securityvulns
added 2013/03/24 12:0 a.m. | 44 views

Mozilla NSS library TLS timing attacks

"Lucky Thirteen" attacks are possible...

CVSS: 4.3 | AI score: 2.5 | EPSS: 0.03723
Exploits: 0 | References: 1 | Affected Software: 1

securityvulns
added 2013/03/02 12:0 a.m. | 70 views

OpenSSL / PolarSSL / GnuTLS security vulnerabilities

Timing attacks, DoS...

CVSS: 5 | AI score: 3.7 | EPSS: 0.35584
Exploits: 2 | References: 2 | Affected Software: 3

Tenable Nessus
added 2013/02/13 12:0 a.m. | 99 views

OpenSSL 1.0.1 < 1.0.1e Information Disclosure

According to its banner, the remote web server is running a version of OpenSSL 1.0.1 prior to 1.0.1e. The OpenSSL library is, therefore, reportedly affected by an incomplete fix for CVE-2013-0169. An error exists related to the SSL/TLS/DTLS protocols, CBC mode encryption and response time. An...

CVSS: 2.6 | AI score: 6.5 | EPSS: 0.35584
Exploits: 1 | References: 4

OSV
added 2013/02/08 7:55 p.m. | 5 views

CVE-2013-0169

The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the processing of malformed CBC padding, which allows remote attackers to conduct...

CVSS: 2.6 | AI score: 5.8 | EPSS: 0.35584
Exploits: 1 | References: 58

OSV
added 2013/02/08 7:55 p.m. | 8 views

CVE-2013-1624

The TLS implementation in the Bouncy Castle Java library before 1.48 and C library before 1.8 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attack...

AI score: 5.9
Exploits: 0 | References: 6

Debian
added 2011/11/14 4:20 a.m. | 36 views

[BSA-060] Security Update for openssl

Andres Salomon uploaded new packages for openssl which fixed the following security problems: CVE-2011-3210 Unsafe thread handling in ECDH ciphersuite allow denial of service attack. CVE-2011-1945 Timing attacks against ECDHEECDSA private keys. CVE-2011-0014 Remote denial of service attacks...

CVSS: 5 | AI score: 6.9 | EPSS: 0.09854
Exploits: 1

OpenVAS
added 2011/09/21 12:0 a.m. | 21 views

Debian Security Advisory DSA 2309-1 (openssl)

The remote host is missing an update to openssl announced via advisory DSA 2309-1. OpenVAS Vulnerability Test $Id: deb23091.nasl 6613 2017-07-07 12:08:40Z cfischer $ Description: Auto-generated from advisory DSA 2309-1 openssl Authors: Thomas Reinke Copyright: Copyright c 2011 E-Soft Inc...

CVSS: 2.6 | AI score: 0.2 | EPSS: 0.0343
Exploits: 1

ThreatPost
added 2011/05/25 6:28 p.m. | 15 views

Three Questions for Billy Brumley on the OpenSSL Timing Attack

Timing attacks have been a problem for designers of cryptosystems–as well as for people implementing those systems–for a long time. They’ve plagued just about every popular system, and although practical attacks have been demonstrated many times, the problem and what can be done to defend against...

AI score: 0.2
Exploits: 0 | References: 2

NVD
added 2011/02/08 9:0 p.m. | 12 views

CVE-2011-0910

The cookie implementation in Vanilla Forums before 2.0.17.6 makes it easier for remote attackers to spoof signed requests, and consequently obtain access to arbitrary user accounts, via HMAC timing attacks...

CVSS: 6.4 | AI score: 6.7 | EPSS: 0.01047
Exploits: 0 | References: 1

Prion
added 2011/02/08 9:0 p.m. | 18 views

Code injection

The cookie implementation in Vanilla Forums before 2.0.17.6 makes it easier for remote attackers to spoof signed requests, and consequently obtain access to arbitrary user accounts, via HMAC timing attacks...

CVSS: 6.4 | AI score: 7.3 | EPSS: 0.01047
Exploits: 0 | References: 1 | Affected Software: 1

CVE
added 2011/02/08 8:0 p.m. | 41 views

CVE-2011-0910

Vanilla Forums vulnerability CVE-2011-0910 affects versions before 2.0.17.6. The cookie implementation allows remote attackers to spoof signed requests and potentially gain access to arbitrary user accounts via HMAC timing attacks. Root cause: flawed cookie handling enabling timing-based forgery....

CVSS: 6.4 | AI score: 6.9 | EPSS: 0.01047
Exploits: 0 | References: 1 | Affected Software: 1

ThreatPost
added 2010/06/30 2:12 p.m. | 12 views

Gaining Precision in Information Leakage Attacks

It’s hard to narrow down your life’s work into one interesting event or tidbit. Even picking 10 would be tough. So instead of picking something I am well-known for, I wanted to look for something I had a lot of fun coming up with that you probably didn’t read. I’ve always been interested in...

AI score: 7.3
Exploits: 0 | References: 3

OpenVAS
added 2009/03/23 12:0 a.m. | 35 views

Ubuntu Update for firefox vulnerabilities USN-490-1

Ubuntu Update for Linux kernel vulnerabilities USN-490-1 OpenVAS Vulnerability Test $Id: gbubuntuUSN4901.nasl 7969 2017-12-01 09:23:16Z santu $ Ubuntu Update for firefox vulnerabilities USN-490-1 Authors: System Generated Check Copyright: Copyright c 2009 Greenbone Networks GmbH,...

CVSS: 9.3 | AI score: 0.9 | EPSS: 0.04618
Exploits: 6 | References: 2

Prion
added 2007/05/22 12:30 a.m. | 16 views

Design/Logic Flaw

Unspecified vulnerability in the Secure Shell SSH in HP Tru64 UNIX 5.1B-4 and 5.1B-3 allows remote attackers to identify valid users via unspecified vectors, probably related to timing attacks and AuthInteractiveFailureRandomTimeout...

CVSS: 10 | AI score: 7.1 | EPSS: 0.06464
Exploits: 6 | References: 7 | Affected Software: 1

NVD
added 2007/05/22 12:30 a.m. | 16 views

CVE-2007-2791

Unspecified vulnerability in the Secure Shell SSH in HP Tru64 UNIX 5.1B-4 and 5.1B-3 allows remote attackers to identify valid users via unspecified vectors, probably related to timing attacks and AuthInteractiveFailureRandomTimeout...

CVSS: 10 | AI score: 6.5 | EPSS: 0.06464
Exploits: 6 | References: 7