Critical Vulnerabilities Affecting JSON Web Token Libraries
Critical vulnerabilities exist in several JSON Web Token (JWT) libraries – namely the JavaScript and PHP versions – that could let an attacker bypass the verification step. Tim McLean, a Canadian security researcher who specializes in cryptography and dug up the issues, points out that attackers...
Design/Logic Flaw
The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic...
CVE-2015-2808
The RC4 algorithm, as used in the TLS protocol and SSL protocol, does not properly combine state data with key data during the initialization phase, which makes it easier for remote attackers to conduct plaintext-recovery attacks against the initial bytes of a stream by sniffing network traffic...
openSUSE Security Update : gnutls (openSUSE-2015-269)
gnutls was updated to fix a security issue: a certificate algorithm consistency checking issue was fixed (CVE-2015-0294). The descriptive text and package checks in this plugin were extracted from openSUSE Security Update openSUSE-2015-269. The...
SSL/TLS Suffers 'Bar Mitzvah Attack' vulnerability: detection method and repair recommendations - vulnerability warning - the black bar safety net
0x01 Introduction. April Fool's Day is coming, and SSL is once again keeping everyone on edge, this time because of the Bar Mitzvah Attack vulnerability. At the Black Hat Asia security conference held in Singapore, Imperva security director Itsik Mantin described in detail how the attack works, the...
PRNG weakness allows for DNS poisoning on Android — Mozilla
Mozilla developer Daniel Stenberg reported that the DNS resolver in Firefox for Android uses an insufficiently random algorithm when generating random numbers for the unique identifier. This was derived from an old version of the Bionic libc library and suffered from insufficient randomness in th...
"By the commandment of the ritual" attack: new SSL/TLS vulnerability exposed, allowing transmitted data to be read in plaintext - vulnerability warning - the black bar safety net
The SSL/TLS protocol is a widely used encryption protocol, and researchers have recently disclosed a new attack technique called "by the commandment of ritual" that can steal confidential data transmitted over SSL and TLS, such as bank card numbers, passwords and other...
Debian DLA-180-1 : gnutls26 security update
Multiple vulnerabilities have been discovered in GnuTLS, a library implementing the TLS and SSL protocols. The Common Vulnerabilities and Exposures project identifies the following problems: CVE-2014-8155: Missing date/time checks on CA certificates. CVE-2015-0282: GnuTLS does not verify the RSA PK...
Operators issued a large number of routers that contain high-risk vulnerabilities; most of the "problem router" IPs are in China - vulnerability warning - the black bar safety net
According to statistics, operators worldwide have issued at least 7 0 million ADSL routers to ordinary Internet users; unfortunately, these routers contain high-risk vulnerabilities and are therefore likely to lead to large-scale router attacks. It is worth mentioning that most of...
Code injection
GnuTLS before 3.1.0 does not verify that the RSA PKCS#1 signature algorithm matches the signature algorithm in the certificate, which allows remote attackers to conduct downgrade attacks via unspecified vectors...
CVE-2015-0282
GnuTLS before 3.1.0 does not verify that the RSA PKCS#1 signature algorithm matches the signature algorithm in the certificate, which allows remote attackers to conduct downgrade attacks via unspecified vectors...
CVE-2015-0282
GnuTLS before 3.1.0 does not verify that the RSA PKCS#1 signature algorithm matches the signature algorithm in the certificate, enabling remote downgrade attacks via unspecified vectors. Impact is downgrade/traffic manipulation risk with affected deployments. The CVE entry explicitly targets GnuTLS...
USN-2540-1 gnutls26, gnutls28 vulnerabilities
It was discovered that GnuTLS did not perform date and time checks on CA certificates, contrary to expectations. This issue only affected Ubuntu 10.04 LTS. (CVE-2014-8155) Nikos Mavrogiannopoulos discovered that GnuTLS incorrectly verified that signature algorithms matched. A remote attacker could...
SUSE-SU-2015:0735-1 Security update for gnutls
gnutls was updated to fix a certificate algorithm consistency checking issue (CVE-2015-0294)...
New "PoSeidon" Point of Sale Malware Spotted in the Wild
A new and terribly awful breed of Point-of-Sale (POS) malware has been spotted in the wild by the security researchers at Cisco's Talos Security Intelligence & Research Group that the team says is more sophisticated and nasty than previously seen Point of Sale malware. The Point-of-Sale malware,...
[SECURITY] Fedora 20 Update: librsync-1.0.0-1.fc20
librsync implements the "rsync" algorithm, which allows remote differencing of binary files. librsync computes a delta relative to a file's checksum, so the two files need not both be present to generate a delta. This library was previously known as libhsync up to version 0.9.0. The current versi...
lib32-openssl: multiple issues
- CVE-2015-1787 (denial of service): If client auth is used then a server can segfault in the event of a DHE ciphersuite being selected and a zero length ClientKeyExchange message being sent by the client. This could be exploited in a DoS attack. - CVE-2015-0207 (denial of service): The DTLSv1_listen...
Vulnerability in OpenSSL - Segmentation fault for invalid PSS parameters
Segmentation fault for invalid PSS parameters. The signature verification routines will crash with a NULL pointer dereference if presented with an ASN.1 signature using the RSA PSS algorithm and invalid parameters. Since these routines are used to verify certificate signature algorithms this can ...