Updated python-cryptography package fixes a security vulnerability

In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow CVE-2020-36242...

PT-2021-15383 · Joomla · Joomla!

Name of the Vulnerable Software and Affected Versions: Joomla! versions 3.2.0 through 3.9.24 Description: An issue was discovered in the core shipped but unused randval implementation within FOF FOFEncryptRandval, which used a potentially insecure implementation. This has been replaced with a cal...

[ASA-202102-36] python-cryptography: incorrect calculation

Arch Linux Security Advisory ASA-202102-36 ========================================== Severity: Medium Date : 2021-02-27 CVE-ID : CVE-2020-36242 Package : python-cryptography Type : incorrect calculation Remote : No Link : https://security.archlinux.org/AVG-1541 Summary ======= The package...

BaphoDashBoard - Dashboard For Manage And Generate The Baphomet Ransomware

With this proyect we will be able to handle the data of the victims we obtain with Baphomet Ransomware. BaphoDashBoard is developed in C under framework dotnet-core 3.1. Both Baphomet Ransomware and BaphoDashBoard proyects are thrown out for educational purposes and so we can get something out of...

Cypher - Crypto Cipher Encode Decode Hash

All in one tools for CRYPTOLOGY. Instagram: Capture the Root Screenshots !https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzEISVu6IIqjydF1vTUDcdbKWD8Vdi1BM5fQfCGuAnFRSCrZIh04d17YDeNKsRw0CRJD8cQmlIloLRldnU-Rounz7YQAvc7MOENa22PJkMajWGZvAelxpm3EoWCFL0BCnfBRMV4Ly99Y/w640-h36...

Denial Of Service (DoS)

nifi-toolkit-encrypt-config is vulnerable to denial of service. A large flow.xml.gz file causes the test to run for more than 2 minutes and potentially result in a denial of service condition...

Debian DLA-2484-1 : python-certbot - switch to ACMEv2 API

Let's Encrypt's ACMEv1 API is deprecated and in the process of being shut down. Beginning with brownouts in January 2021, and ending with a total shutdown in June 2021, the Let's Encrypt APIs will become unavailable. To prevent users having disruptions to their certificate renewals, this update...

Disabled Hostname Verification in Opencast

Opencast before version 8.9 and 7.9 disables HTTPS hostname verification of its HTTP client used for a large portion of Opencast's HTTP requests. Hostname verification is an important part when using HTTPS to ensure that the presented certificate is valid for the host. Disabling it can allow for...

[SECURITY] [DLA 2484-1] python-certbot - switch to ACMEv2 API

----------------------------------------------------------------------- Debian LTS Advisory DLA-2484-1 [email protected] https://www.debian.org/lts/security/ Utkarsh Gupta December 07, 2020 https://wiki.debian.org/LTS -...

Security update for MozillaThunderbird (moderate)

openSUSE Security Update: Security update for MozillaThunderbird Announcement ID: openSUSE-SU-2020:2133-1 Rating: moderate References: 1178611 Cross-References: CVE-2020-26950 Affected Products: openSUSE Leap 15.1 An update that fixes one vulnerability is now available. Description: This update f...

Bunkerized-Nginx - Nginx Docker Image Secure By Default

nginx Docker image secure by default. Avoid the hassle of following security best practices each time you need a web server or reverse proxy. Bunkerized-nginx provides generic security configs, settings and tools so you don't need to do it yourself. Non-exhaustive list of features : HTTPS support...

PT-2020-15552 · Jenkins Ci +1 · Jenkins Mail Commander Plugin +1

Name of the Vulnerable Software and Affected Versions: Jenkins Mail Commander Plugin for Jenkins-ci Plugin version 1.0.0 and earlier Description: The issue concerns the storage of passwords in an unencrypted manner in job config.xml files on the Jenkins controller. These passwords can be accessed...

USN-4583-2: PHP vulnerabilities

USN-4583-1 fixed vulnerabilities in PHP. This update provides the corresponding update for Ubuntu 20.10. Original advisory details: It was discovered that PHP incorrectly handled certain encrypt ciphers. An attacker could possibly use this issue to decrease security or cause incorrect encryption...

DEBIAN-CVE-2020-7069

In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used with opensslencrypt function with 12 bytes IV, only first 7 bytes of the IV is actually used. This can lead to both decreased security and incorrect encryption data...

CVE-2020-12789

The Secure Monitor in Microchip Atmel ATSAMA5 products use a hardcoded key to encrypt and authenticate secure applets...

Noise-Java Out-of-Bounds Access Vulnerability

Noise-Java is a plain Java implementation of the Noise protocol. An out-of-bounds access vulnerability exists in AESGCMOnCtrCipherState.encryptWithAd in Noise-Java 2020-08-27 and earlier versions. No detailed vulnerability details are provided at this time...

Maximum Lifespan of SSL/TLS Certificates is 398 Days Starting Today

Starting today, the lifespan of new TLS certificates will be limited to 398 days, a little over a year, from the previous maximum certificate lifetime of 27 months 825 days. In a move that's meant to boost security, Apple, Google, and Mozilla are set to reject publicly rooted digital certificates...

Mbed TLS -- Local side channel attack on classical CBC decryption in (D)TLS

Manuel Pégourié-Gonnard reports: When decrypting/authenticating DTLS record in a connection using a CBC ciphersuite without the Encrypt-then-Mac extension RFC 7366, Mbed TLS used dummy rounds of the compression function associated with the hash used for HMAC in order to hide the length of the...

Design/Logic Flaw

A padding oracle vulnerability exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. The SDK allows users to encrypt files with AES-CBC without computing a Message Authentication Code MAC, which then allows an attacker who has write access to the target's S3 bucket and can observe...

CVE-2020-8912 In-band key negotiation issue in AWS S3 Crypto SDK for GoLang

A vulnerability in the in-band key negotiation exists in the AWS S3 Crypto SDK for GoLang versions prior to V2. An attacker with write access to the targeted bucket can change the encryption algorithm of an object in the bucket, which can then allow them to change AES-GCM to AES-CTR. Using this i...