SUSE-SU-2017:2318-1 Security update for icu
icu was updated to fix two security issues. These security issues were fixed: - CVE-2014-8147: The resolveImplicitLevels function in common/ubidi.c in the Unicode Bidirectional Algorithm implementation in ICU4C in International Components for Unicode (ICU) used an integer data type that is...
PYSEC-2017-24
In PyJWT 1.5.0 and below the invalid_strings check in HMACAlgorithm.prepare_key does not account for all PEM encoded public keys. Specifically, the PKCS1 PEM encoded format would be allowed because it is prefaced with the string -----BEGIN RSA PUBLIC KEY----- which is not accounted for. This enable...
Discuz X3.3 authkey generation algorithm security vulnerability and backend arbitrary code execution vulnerability
0x00 Background: On August 1, 2017, Discuz officially released its latest version, X3.4, which fixes multiple security issues. 360CERT and the 360 0KEE Team then followed up on the event. 0x01 Vulnerability overview: 360CERT and the 360 0KEE Team, by comparing Discuz X3...
Code injection
In all Qualcomm products with Android releases from CAF using the Linux kernel, the GPS client may use an insecure cryptographic algorithm...
CVE-2014-9969
CVE-2014-9969 concerns Qualcomm GPS client cryptography on Android CAF builds using the Linux kernel, where the GPS client may use an insecure cryptographic algorithm. Connected documents corroborate this description (Android/Qualcomm stack). The provided sources do not include concrete patch ver...
Legal Robot: Weak Cryptography for Passwords
Hi Team, I saw while creating a new account that the password is being encrypted, that's good best practice. But the issue is: 1. It is showing in the request what type of encryption algorithm is used in the request. 2. I copied the encrypted password and pasted it in the online tool http://md5decrypt.net/en/Sha256/ and I was...
SUSE-SU-2017:2175-1 Security update for java-1_8_0-openjdk
This java-1_8_0-openjdk update to version jdk8u141 (icedtea 3.5.0) fixes the following issues: Security issues fixed: - CVE-2017-10053: Improved image post-processing steps (bsc#1049305) - CVE-2017-10067: Additional jar validation steps (bsc#1049306) - CVE-2017-10074: Image conversion improvements (bsc#10493...
OpenJDK: DSA implementation timing attack (JCE, 8175106)
A covert timing channel flaw was found in the DSA implementation in the JCE component of OpenJDK. A remote attacker able to make a Java application generate DSA signatures on demand could possibly use this flaw to extract certain information about the used key via a timing side channel...
Backdoor in the nssock2.dll module of several products including NetSarang Xmanager and Xshell
NetSarang is a company that provides secure link solutions and Xshell is a terminal emulation software. The related nssock2.dll module, a component used for network communication, in the installation directories of Xshell, Xlpd, Xmanager, and Xftp has been found to contain backdoor-type code samp...
SMA Solar Technology inverter weak password vulnerability
SMA Solar Technology inverter is a photovoltaic inverter device from SMA Germany. A security vulnerability exists in the SMA Solar Technology inverter that stems from the inverter's use of a weak hashing algorithm. The vulnerability can be exploited by an attacker to crack passwords...
CVE-2017-7781/CVE-2017-10176: Issue with elliptic curve addition in mixed Jacobian-affine coordinates in Firefox/Java
tl;dr Firefox and Java suffered from a moderate vulnerability affecting the elliptic curve point addition algorithm that uses mixed Jacobian-affine coordinates, where it can yield the result POINT_AT_INFINITY when it should not. Introduction A few months ago I was working on a vulnerability affecting th...
CVE-2017-7781
An error occurs in the elliptic curve point addition algorithm that uses mixed Jacobian-affine coordinates where it can yield a result "POINT_AT_INFINITY" when it should not. A man-in-the-middle attacker could use this to interfere with a connection, resulting in an attacked party computing an...
kernel: crypto: GPF in lrw_crypt caused by null-deref
The lrw_crypt function in 'crypto/lrw.c' in the Linux kernel before 4.5 allows local users to cause a system crash and a denial of service via a NULL pointer dereference through the accept(2) system call for an AF_ALG socket without calling setkey first to set a cipher key...
Uber Drivers Hacking the System to Cause Surge Pricing
Interesting story about Uber drivers who have figured out how to game the company's algorithms to cause surge pricing: According to the study, drivers manipulate Uber's algorithm by logging out of the app at the same time, making it think that there is a shortage of cars. ... The study said drive...
KLA11082 Multiple vulnerabilities in Mozilla Firefox and Firefox ESR
Multiple serious vulnerabilities have been found in Firefox and Firefox ESR. Malicious users can exploit these vulnerabilities to cause denial of service, escalate privileges, spoof the user interface, bypass security restrictions, obtain sensitive information and execute arbitrary code. Below is...
Hacking Slot Machines by Reverse-Engineering the Random Number Generators
Interesting story: The venture is built on Alex's talent for reverse engineering the algorithms -- known as pseudorandom number generators, or PRNGs -- that govern how slot machine games behave. Armed with this knowledge, he can predict when certain games are likeliest to spit out money, insight...
ManageEngine OpManager 11 - 12.2 Weak Encryption Algorithm Vulnerability
ManageEngine OpManager is prone to a weak encryption algorithm vulnerability. SPDX-FileCopyrightText: 2017 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...