Sensitive Information Disclosure
Arm Mbed TLS is vulnerable to sensitive information leakage. When deterministic ECDSA is enabled, it uses an RNG with insufficient entropy for blinding, which might allow an attacker to recover a private key via side-channel attacks if a victim signs the same message many times...
curl: Connect-only connections can use the wrong connection
Summary: If a connect-only easy handle is not read from or written to, its connection can time out and be closed. If a new connection is created it can be allocated at the same address, causing the easy handle to use the new connection. This new connection may not be connected to the same server ...
The Bouncy Castle Crypto APIs -- EC math vulnerability
The Bouncy Castle team reports: Bouncy Castle BC Java before 1.66 has a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures...
CVE-2020-8434
Jenzabar JICS aka Internet Campus Solution before 9.0.1 Patch 3, 9.1 before 9.1.2 Patch 2, and 9.2 before 9.2.2 Patch 8 has session cookies that are a deterministic function of the username. There is a hard-coded password to supply a PBKDF feeding into AES to encrypt a username and base64 encode ...
Hardcoded credentials
Jenzabar JICS aka Internet Campus Solution before 9.0.1 Patch 3, 9.1 before 9.1.2 Patch 2, and 9.2 before 9.2.2 Patch 8 has session cookies that are a deterministic function of the username. There is a hard-coded password to supply a PBKDF feeding into AES to encrypt a username and base64 encode ...
SUSE SLED15 / SLES15 Security Update : cloud-init (SUSE-SU-2020:0751-1)
This update for cloud-init fixes the following security issues : CVE-2020-8631: Replaced the theoretically predictable deterministic RNG with the system RNG bsc1162937. CVE-2020-8632: Increased the default random password length from 9 to 20 bsc1162936. Note that Tenable Network Security has...
CVE-2019-10064
hostapd before 2.6, in EAP mode, makes calls to the rand and random standard library functions without any preceding srand or srandom call, which results in inappropriate use of deterministic values. This was fixed in conjunction with CVE-2016-10743...
Hostapd Security Feature Issue Vulnerability
hostapd is a user space daemon for access points and authentication servers. A security signature issue vulnerability exists in versions of hostapd prior to 2.6 that stems from a lack of security measures such as authentication, access control, and privilege management in a networked system or...
UBUNTU-CVE-2019-10064
hostapd before 2.6, in EAP mode, makes calls to the rand and random standard library functions without any preceding srand or srandom call, which results in inappropriate use of deterministic values. This was fixed in conjunction with CVE-2016-10743...
CVE-2020-5499
Baidu Rust SGX SDK through 1.0.8 has an enclave ID race. There are non-deterministic results in which, sometimes, two global IDs are the same...
Sql injection
Baidu Rust SGX SDK through 1.0.8 has an enclave ID race. There are non-deterministic results in which, sometimes, two global IDs are the same...
CVE-2020-5499
Summary: CVE-2020-5499 affects Baidu Rust SGX SDK up to version 1.0.8, where an enclave ID race can yield non‑deterministic results in which two global IDs are the same. The linked records consistently describe this as the enclave ID race issue and reference Baidu Rust SGX SDK 1.0.8 and earlier. ...
Fedora 31 : mbedtls (2019-1240f0fe43)
Update to 2.16.3 - Side channel attack on deterministic ECDSA CVE-2019-16910 Release notes: https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.3-and-2.7.12-released Security Advisory: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-10 Note that Tenable...
Fedora 29 : mbedtls (2019-89891f3e4a)
Update to 2.16.3 - Side channel attack on deterministic ECDSA CVE-2019-16910 Release notes: https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.3-and-2.7.12-released Security Advisory: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-10 Note that Tenable...
Fedora 30 : mbedtls (2019-07940971b2)
Update to 2.16.3 - Side channel attack on deterministic ECDSA CVE-2019-16910 Release notes: https://tls.mbed.org/tech-updates/releases/mbedtls-2.16.3-and-2.7.12-released Security Advisory: https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2019-10 Note that Tenable...
DEBIAN-CVE-2019-16910
Arm Mbed TLS before 2.19.0 and Arm Mbed Crypto before 2.0.0, when deterministic ECDSA is enabled, use an RNG with insufficient entropy for blinding, which might allow an attacker to recover a private key via side-channel attacks if a victim signs the same message many times. For Mbed TLS, the fix...