Lucene search
752 matches found

OpenVAS
added 2022/07/06 12:0 a.m. | 16 views

Fedora: Security Advisory for golang-github-acme-lego (FEDORA-2022-fae3ecee19)

The remote host is missing an update for the Copyright (C) 2022 Greenbone Networks GmbH. Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later. This program is free software; you can...

9.3 CVSS | 8.9 AI score | 0.05994 EPSS
Exploits 4 | References 2

Fedora
added 2022/07/04 1:35 a.m. | 16 views

[SECURITY] Fedora 36 Update: golang-github-xordataexchange-crypt-0.0.2-12.20190412gitb2862e3.fc36

Store and retrieve encrypted configs from etcd or consul...

9.3 CVSS | 8.2 AI score | 0.05994 EPSS
Exploits 4

Fedora
added 2022/07/04 1:35 a.m. | 23 views

[SECURITY] Fedora 36 Update: golang-github-acme-lego-4.4.0-6.fc36

Let's Encrypt client and ACME library written in Go...

9.3 CVSS | 8.2 AI score | 0.05994 EPSS
Exploits 4

BDU FSTEC
added 2022/06/14 12:0 a.m. | 3 views

The vulnerability in the implementation of the EncryptInterceptor class of the Apache Tomcat application server allows a hacker to cause a service failure.

The vulnerability of the EncryptInterceptor class implementation in Apache Tomcat applications is related to incomplete documentation regarding program execution. Exploiting this vulnerability could allow a malicious actor to cause service failures remotely...

7.8 CVSS | 7.4 AI score | 0.71653 EPSS
Exploits 5 | References 11 | Affected Software 14

Github Security Blog
added 2022/05/13 1:3 a.m. | 66 views

Improper Input Validation in JGroups

JGroups before 4.0 does not require the proper headers for the ENCRYPT and AUTH protocols from nodes joining the cluster, which allows remote attackers to bypass security restrictions and send and receive messages within the cluster via unspecified vectors. Fixes for this issue have been backport...

9.8 CVSS | 6 AI score | 0.04698 EPSS
Exploits 0 | References 30 | Affected Software 1

OSV
added 2022/05/13 12:1 a.m. | 3 views

GHSA-R84P-88G2-2VX2 Apache Tomcat EncryptInterceptor error leads to Uncontrolled Resource Consumption

The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide...

7.5 CVSS | 7.1 AI score | 0.71653 EPSS
Exploits 5 | References 11

OSV
added 2022/05/12 8:15 a.m. | 1 views

UBUNTU-CVE-2022-29885

The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide...

7.5 CVSS | 7.2 AI score | 0.71653 EPSS
Exploits 5 | References 6

OpenVAS
added 2022/05/08 12:0 a.m. | 16 views

Fedora: Security Advisory for golang-github-acme-lego (FEDORA-2022-08ae2dd481)

The remote host is missing an update for the Copyright (C) 2022 Greenbone Networks GmbH. Some text descriptions might be excerpted from (a) referenced source(s), and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later. This program is free software; you can...

7.5 CVSS | 10 AI score | 0.03931 EPSS
Exploits 0 | References 2

Fedora
added 2022/05/07 5:6 a.m. | 18 views

[SECURITY] Fedora 36 Update: golang-github-acme-lego-4.4.0-4.fc36

Let's Encrypt client and ACME library written in Go...

7.5 CVSS | 2.6 AI score | 0.03931 EPSS
Exploits 0

Malwarebytes
added 2022/04/12 10:57 a.m. | 21 views

How to password protect a folder

There are times when you would like a folder to be accessible by you alone. Financial information, personal documents, or work related files on your personal system sometimes need to be hidden from prying eyes. One of the ways to do this is to password protect the folder. Windows For the Windows...

1.3 AI score
Exploits 0

ATTACKERKB
added 2022/03/25 5:15 p.m. | 1 views

CVE-2022-25577

ALF-BanCO v8.2.5 and below was discovered to use a hardcoded password to encrypt the SQLite database containing the user's data. Attackers who are able to gain remote or local access to the system are able to read and modify the data...

9.1 CVSS | 5.4 AI score | 0.01197 EPSS
Exploits 1 | References 2

Packet Storm
added 2022/03/21 12:0 a.m. | 215 views

ICT Protege GX/WX 2.08 Cross Site Scripting

ICT Protege GX/WX 2.08 Authenticated Stored XSS Vulnerability Vendor: Integrated Control Technology Ltd. Product web page: https://www.ict.co Affected version: GX: Ver: 2.08.1002 K1B3 Lib: 04.00.217 Int: 2.3.235.J013 OS: 2.0.20 WX: Ver: 4.00 284 H062 App: 02.08.766 Lib: 04.00.169 Int: 02.2.208...

7.4 AI score
Exploits 0

GitLab Advisory Database
added 2022/02/11 12:0 a.m. | 32 views

Use of a Broken or Risky Cryptographic Algorithm

A vulnerability in the in-band key negotiation exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. An attacker with write access to the targeted bucket can change the encryption algorithm of an object in the bucket, which can then allow them to change AES-GCM to AES-CTR. Using this i...

2.5 CVSS | 2.4 AI score | 0.00231 EPSS
Exploits 1 | References 9 | Affected Software 1

Malwarebytes
added 2022/01/27 9:44 p.m. | 42 views

Let’s Encrypt to revoke “mis-issued” certificates

If you use a Let’s Encrypt SSL/TLS certificate, you may wish to check your account over the coming days. Revocation is coming, and you’ve only got until tomorrow to figure things out. What’s the deal with free certificates? If you’re running a website, you want to make sure that it’s HTTPS. It...

7.1 AI score
Exploits 0

Positive Technologies
added 2021/12/18 12:0 a.m. | 3 views

PT-2021-24238

Name of the Vulnerable Software and Affected Versions: Mbed TLS versions prior to 2.28.0 Mbed TLS versions 3.x prior to 3.1.0 Description: The issue allows policy bypass or oracle-based decryption when the output buffer is at memory locations accessible to an untrusted application, specifically...

7.5 CVSS | 7.3 AI score | 0.01131 EPSS
Exploits 0 | References 18

RedHat Linux
added 2021/11/30 2:28 p.m. | 4 views

openssl: integer overflow in CipherUpdate

Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissible length for an integer on the platform. In such cases the return value from the function call will be 1 indicating succes...

7.5 CVSS | 6.9 AI score | 0.49798 EPSS
Exploits 0 | References 5

Github Security Blog
added 2021/10/12 4:1 p.m. | 29 views

Security issues in AWS KMS and AWS Encryption SDKs: in-band protocol negotiation and robustness

Authors: Thai "thaidn" Duong. Summary: The following security vulnerabilities were discovered and reported to Amazon, affecting AWS KMS and all versions of AWS Encryption SDKs prior to version 2.0.0: Information leakage: an attacker can create ciphertexts that would leak the user’s AWS account ID,...

8.1 CVSS | 8.1 AI score | 0.00394 EPSS
Exploits 1 | References 5 | Affected Software 2

OSV
added 2021/10/12 4:1 p.m. | 25 views

GHSA-WQGP-VPHW-HPHF Security issues in AWS KMS and AWS Encryption SDKs: in-band protocol negotiation and robustness

Authors: Thai "thaidn" Duong. Summary: The following security vulnerabilities were discovered and reported to Amazon, affecting AWS KMS and all versions of AWS Encryption SDKs prior to version 2.0.0: Information leakage: an attacker can create ciphertexts that would leak the user’s AWS account ID,...

8.6 CVSS | 8.3 AI score | 0.00394 EPSS
Exploits 1 | References 4

Malwarebytes
added 2021/10/11 11:2 a.m. | 22 views

A week in security (Oct 4 – Oct 10)

Last week on Malwarebytes Labs Does Cybersecurity Awareness Month actually improve security? Police take a piece out of a ransomware gang, but won’t say which one Neiman Marcus data breach affects millions Windows 11 is out. Is it any good for security? Criminals were inside Syniverse for 5 years...

7.3 AI score
Exploits 0

Malwarebytes
added 2021/10/08 9:8 a.m. | 25 views

GnuPG fixes a problem with Let’s Encrypt certificate chain validation

Despite advance warnings that a root certificate provided by Let’s Encrypt would expire on September 30, users reported issues with a variety of services and websites once that deadline hit. So what happened? The problem A number of high profile tech and security companies noticed their products...

0.6 AI score
Exploits 0