
17 matches found

Tenable Nessus
added 2023/06/16 12:0 a.m., 41 views

Debian dla-3455 : golang-golang-x-crypto-dev - security update

The remote Debian 10 host has a package installed that is affected by multiple vulnerabilities as referenced in the dla-3455 advisory. Debian LTS Advisory DLA-3455-1 ...

7.5 CVSS, 7.2 AI score, 0.18682 EPSS
Exploits: 8, References: 8
Kitploit
added 2020/12/20 8:30 p.m., 49 views

Sploit - Go Package That Aids In Binary Analysis And Exploitation

Sploit is a Go package that aids in binary analysis and exploitation. The motivating factor behind the development of sploit is to be able to have a well designed API with functionality that rivals some of the more common Python exploit development frameworks while taking advantage of the Go...

7.7 AI score
Exploits: 0, References: 1
OSV
added 2020/04/15 10:12 a.m., 3 views

MGASA-2020-0173 Updated golang packages fix security vulnerability

Updated golang packages fix security vulnerability: An integer overflow vulnerability was found in the Go crypto/x509 and golang.org/x/crypto/cryptobyte libraries on 32-bit architectures. A remote attacker could exploit this by supplying a crafted x.509 certificate, or other ASN.1 structure, as...

7.8 CVSS, 7.5 AI score, 0.00699 EPSS
Exploits: 0, References: 3
Tenable Nessus
added 2020/04/07 12:0 a.m., 39 views

RHEL 7 : nss-softokn (RHSA-2020:1345)

The remote Red Hat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1345 advisory. The nss-softokn package provides the Network Security Services Softoken Cryptographic Module. Security Fixes: nss: Out-of-bounds write when...

8.8 CVSS, 6.6 AI score, 0.00939 EPSS
Exploits: 1, References: 6
Tenable Nessus
added 2019/08/12 12:0 a.m., 64 views

RHEL 7 : nss, nss-softokn, nss-util, and nspr (RHSA-2019:2237)

The remote Red Hat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2019:2237 advisory. Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server...

7.5 CVSS, 6.4 AI score, 0.12783 EPSS
Exploits: 2, References: 26
Ivan 'd0znpp' Novikov
added 2019/06/12 6:43 p.m., 118 views

HTTPS client certificate authentication security issues. Part 2/3

In the first story, I described some issues related to client certificates authentication implementations in environments with load balancers. This time I’d like to mention some typical issues in custom certificate validation processes when a developer is doing this itself in application code...

Exploits: 0
Kitploit
added 2019/02/13 12:53 p.m., 212 views

CDF - Crypto Differential Fuzzing

CDF is a tool to automatically test the correctness and security of cryptographic software. CDF can detect implementation errors, compliance failures, side-channel leaks, and so on. CDF implements a combination of unit tests with "differential fuzzing", an approach that compares the behavior of...

7 AI score
Exploits: 0, References: 10
Tenable Nessus
added 2019/01/08 12:0 a.m., 39 views

EulerOS 2.0 SP5 : openssl (EulerOS-SA-2019-1009)

According to the versions of the openssl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities: openssl: ROHNP - Key Extraction Side Channel in Multiple Crypto Libraries (CVE-2018-0495); openssl: Malicious server can send large prime to...

7.5 CVSS, 6.4 AI score, 0.78382 EPSS
Exploits: 1, References: 6
Tenable Nessus
added 2018/11/27 12:0 a.m., 47 views

Scientific Linux Security Update : openssl on SL7.x x86_64 (20181030)

Security Fixes: openssl: ROHNP - Key Extraction Side Channel in Multiple Crypto Libraries (CVE-2018-0495); openssl: Malicious server can send large prime to client during DHE TLS handshake causing the client to hang (CVE-2018-0732); openssl: Handling of crafted recursive ASN.1 structures can cau...

7.5 CVSS, 6.3 AI score, 0.78382 EPSS
Exploits: 1, References: 6
n0where
added 2016/12/24 5:26 a.m., 17 views

Tests Crypto Libraries Against Known Attacks: Wycheproof

Project Wycheproof tests crypto libraries against known attacks. It is developed and maintained by members of Google Security Team, but it is not an official Google product. In cryptography, subtle mistakes can have catastrophic consequences. Good...

6.7 AI score
Exploits: 0, References: 7
ThreatPost
added 2014/03/04 5:19 p.m., 12 views

GnuTLS certificate verification security vulnerability found

GnuTLS, an open source SSL and TLS implementation used in hundreds of software packages including Red Hat desktop and server products and all Debian and Ubuntu Linux distributions, is the latest crypto package to improperly verify digital certificates as authentic. The vulnerability, discovered a...

0.7 AI score
Exploits: 0, References: 4
ThreatPost
added 2014/02/25 1:17 p.m., 14 views

RSA Conference 2014 Art Coviello RSA keynote

SAN FRANCISCO – RSA Security executive chairman Art Coviello today at RSA Conference 2014 made his first public comments about the security company’s relationship with the National Security Agency, painting the landmark firm as a victim of the spy agency’s blurring of the lines between its...

7 AI score
Exploits: 0, References: 3
Tenable Nessus
added 2011/09/01 12:0 a.m., 15 views

Debian DSA-2300-2 : nss - compromised certificate authority

Several unauthorised SSL certificates have been found in the wild issued for the DigiNotar Certificate Authority, obtained through a security compromise with said company. Debian, like other software distributors, has as a precaution decided to disable the DigiNotar Root CA by default in the NSS...

5.4 AI score
Exploits: 0, References: 2
OSV
added 2011/08/31 12:0 a.m., 12 views

DSA-2300-1 nss - compromised certificate authority

Bulletin has no description...

7.2 AI score
Exploits: 0
ThreatPost
added 2009/06/12 3:32 p.m., 8 views

Threatpost News Wrap #4: Crypto libraries, cybersecurity czar job

Threatpost editors Ryan Naraine and Dennis Fisher talk about the problems with developers implementing their own crypto libraries in Web applications, the short list of names for the cybersecurity czar job and the possibility of a full-scale hacker bracket competition. Download SHOW NOTES: Short...

1.1 AI score
Exploits: 0, References: 7
ThreatPost
added 2009/06/08 7:30 p.m., 8 views

Crypto flaws becoming a killer for Web applications

One of the few things that most people in the security community seem to agree on is that there is a dire need for better security around Web applications. That need begins with the lack of security training for most Web developers and extends through the inconsistent use of Web-application...

7.2 AI score
Exploits: 0, References: 3
securityvulns
added 2003/03/15 12:0 a.m., 27 views

Vulnerability in OpenSSL

Dan Boneh and I have been researching timing attacks against software crypto libraries. Timing attacks are usually used to attack weak computing devices such as smartcards. We've successfully developed and mounted timing attacks against software crypto libraries running on general purpose PC's. W...

2.5 AI score
Exploits: 0