Fedora 43 : dovecot (2026-693373747f)

The remote Fedora 43 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-693373747f advisory. CVE-2026-27851: lib-var-expand: Safe filter marks all following pipelines safe. CVE-2026-33603: auth: CRAM-SHA--PLUS channel binding could be faked...

Fedora 44 : dovecot (2026-96eeb03b88)

The remote Fedora 44 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-96eeb03b88 advisory. CVE-2026-27851: lib-var-expand: Safe filter marks all following pipelines safe. CVE-2026-33603: auth: CRAM-SHA--PLUS channel binding could be faked...

CVE-2026-33603

A flaw was found in Dovecot. An attacker, positioned as a Man-in-the-Middle MITM between Dovecot and a client, can exploit a specially crafted base64 exchange to fake SCRAM TLS channel binding. This allows the attacker to eavesdrop on communications between Dovecot and the client, leading to...

EUVD-2026-29468

Attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRAM TLS channel binding. This requires that the attacker is able to position itself between Dovecot and the client connection. If successful, the attacker can eavesdrop communications between Dovecot and...

CVE-2026-33603

Attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRAM TLS channel binding. This requires that the attacker is able to position itself between Dovecot and the client connection. If successful, the attacker can eavesdrop communications between Dovecot and...

CVE-2026-33603

Attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRAM TLS channel binding. This requires that the attacker is able to position itself between Dovecot and the client connection. If successful, the attacker can eavesdrop communications between Dovecot and...

CVE-2026-33603

Attacker can use a specially crafted base64 exchange between Dovecot and Client to fake SCRAM TLS channel binding. This requires that the attacker is able to position itself between Dovecot and the client connection. If successful, the attacker can eavesdrop communications between Dovecot and...

CVE-2026-33603

The CVE-2026-33603 affects Dovecot (and client) via a specially crafted base64 exchange to fake SCRAM TLS channel binding. Root cause: attacker positions between Dovecot and client to perform MITM, enabling eavesdropping. Impact: confidentiality and integrity of the conversation can be compromise...

Atlassian Confluence 9.2.8 < 9.2.11 (CONFSERVER-101842)

The version of Atlassian Confluence Server running on the remote host is affected by a vulnerability as referenced in the CONFSERVER-101842 advisory. - pgjdbc is an open source postgresql JDBC Driver. From 42.7.4 and until 42.7.7, when the PostgreSQL JDBC driver is configured with channel binding...

PT-2025-52949

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description A flaw exists in the Linux kernel’s wifi subsystem, specifically within the cfg80211 and OCB Operation Channel Binding components. The issue involves unnecessary requests to the driver o...

Security Bulletin: IBM Datapower Operations Dashboard could allow allow a man-in-the-middle attacker to intercept connections CVE-2025-49146

Summary postgresql is used in KeyCloak which is used by the IBM Datapower Operations Dashboard for authentication and authorization Vulnerability Details CVEID:CVE-2025-49146 DESCRIPTION: pgjdbc is an open source postgresql JDBC Driver. From 42.7.4 and until 42.7.7, when the PostgreSQL JDBC drive...

Cryptographic Binding Should Not Be Optional: A Formal-Methods Analysis of FIDO UAF Channel Binding

As a case study in cryptographic binding, we present a formal-methods analysis of the cryptographic channel binding mechanisms in the Fast IDentity Online FIDO Universal Authentication Framework UAF authentication protocol, which seeks to reduce the use of traditional passwords in favor of...

Security Bulletin: IBM Cognos Dashboards on Cloud Pak for Data has addressed security vulnerabilities.

Summary There are vulnerabilities in Open-Source Software OSS components consumed by IBM Cognos Dashboards on Cloud Pak for Data. Vulnerability Details CVEID:CVE-2023-45857 DESCRIPTION: An issue discovered in Axios 1.5.1 inadvertently reveals the confidential XSRF-TOKEN stored in cookies by...

Security Bulletin: IBM Connect:Direct Web Services is affected by a PostgreSQL vulnerability (CVE-2025-49146)

Summary IBM Connect:Direct Web Services has addressed a PostgreSQL vulnerability. Vulnerability Details CVEID:CVE-2025-49146 DESCRIPTION: pgjdbc is an open source postgresql JDBC Driver. From 42.7.4 and until 42.7.7, when the PostgreSQL JDBC driver is configured with channel binding set to requir...

curl: OpenSSL backend: X509 peer certificate not freed in ossl_get_channel_binding causes per-request memory leak (DoS risk for long-lived clients)

Summary: In curl’s OpenSSL backend, osslgetchannelbinding retains a new reference to the server’s X509 certificate via SSLget1peercertificate and never releases it. When Negotiate SPNEGO over TLS is in use, this path is invoked and leaks one X509 object per trigger. Over many requests in a...

EUVD-2022-7637

Malicious code in bioql PyPI...

EUVD-2025-18118

Malicious code in bioql PyPI...

Important: Red Hat Security Advisory: Red Hat AMQ Broker 7.12.5 release and security update

Red Hat AMQ Broker 7.12.5 is now available from the Red Hat Customer Portal. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability...

pgjdbc: pgjdbc insecure authentication in channel binding

A connection handling flaw was found in the pgjdbc connection driver in configurations that require channel binding. Connections created with authentication methods that should not allow channel binding permit connections to use channel binding. This flaw allows attackers to position themselves i...

SUSE-SU-2025:03262-1 Security update for java-1_8_0-ibm

This update for java-180-ibm fixes the following issues: Update to Java 8.0 Service Refresh 8 Fix Pack 50. Security issues fixed: - Oracle July 15 2025 CPU bsc1247754. - CVE-2025-30749: heap corruption allows unauthenticated attacker with network access to compromise and takeover Java application...