UBUNTU-CVE-2019-11759

An attacker could have caused 4 bytes of HMAC output to be written past the end of a buffer stored on the stack. This could be used by an attacker to execute arbitrary code or more likely lead to a crash. This vulnerability affects Firefox 70, Thunderbird 68.2, and Firefox ESR 68.2...

Security Bulletin: Multiple Security Vulnerabilities in OpenSSL affect IBM Netezza Analytics

Summary OpenSSL is used by IBM Netezza Analytics. IBM Netezza Analytics has addressed the applicable CVEs. Vulnerability Details CVEID: CVE-2016-6304 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by multiple memory leaks in t1lib.c during session renegotiation. By sending an...

[SECURITY] [DSA 4539-3] openssl regression update

------------------------------------------------------------------------- Debian Security Advisory DSA-4539-3 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso October 13, 2019 https://www.debian.org/security/faq -...

CVE-2016-6302

An integer underflow flaw leading to a buffer over-read was found in the way OpenSSL parsed TLS session tickets. A remote attacker could use this flaw to crash a TLS server using OpenSSL if it used SHA-512 as HMAC for session tickets...

Timing attack on HMAC signature comparison in Apache Tapestry

The code which checks HMAC in form submissions used String.equals for comparisons, which results in a timing side channel for the comparison of the HMAC signatures. This could lead to remote code execution if an attacker is able to determine the correct signature for their payload. The comparison...

CVE-2019-10071

The code which checks HMAC in form submissions used String.equals for comparisons, which results in a timing side channel for the comparison of the HMAC signatures. This could lead to remote code execution if an attacker is able to determine the correct signature for their payload. The comparison...

CVE-2019-10071

The code which checks HMAC in form submissions used String.equals for comparisons, which results in a timing side channel for the comparison of the HMAC signatures. This could lead to remote code execution if an attacker is able to determine the correct signature for their payload. The comparison...

Code injection

The code which checks HMAC in form submissions used String.equals for comparisons, which results in a timing side channel for the comparison of the HMAC signatures. This could lead to remote code execution if an attacker is able to determine the correct signature for their payload. The comparison...

CVE-2019-10071

CVE-2019-10071 is an Apache Tapestry timing-attack vulnerability caused by using String.equals() to compare HMACs in form submissions. This creates a timing side channel that could let an attacker estimate the correct signature for a payload, potentially enabling remote code execution. Affected v...

CVE-2019-10071

The code which checks HMAC in form submissions used String.equals for comparisons, which results in a timing side channel for the comparison of the HMAC signatures. This could lead to remote code execution if an attacker is able to determine the correct signature for their payload. The comparison...

Deserialization of untrusted data

Manipulating classpath asset file URLs, an attacker could guess the path to a known file in the classpath and have it downloaded. If the attacker found the file with the value of the tapestry.hmac-passphrase configuration symbol, most probably the webapp's AppModule class, the value of this symbo...

CVE-2019-16143

An issue was discovered in the blake2 crate before 0.8.1 for Rust. The BLAKE2b and BLAKE2s algorithms, when used with HMAC, produce incorrect results because the block sizes are half of the required sizes...

CVE-2019-16143

An issue was discovered in the blake2 crate before 0.8.1 for Rust. The BLAKE2b and BLAKE2s algorithms, when used with HMAC, produce incorrect results because the block sizes are half of the required sizes...

Design/Logic Flaw

An issue was discovered in the blake2 crate before 0.8.1 for Rust. The BLAKE2b and BLAKE2s algorithms, when used with HMAC, produce incorrect results because the block sizes are half of the required sizes...

CVE-2019-16143

The CVE concerns the blake2 crate for Rust, affecting versions before 0.8.1. The root cause is incorrect block sizes when BLAKE2b/BLAKE2s are used with HMAC, causing MAC results to be computed with half the required sizes. Documents consistently describe miscalculation of MAC results (MacResult) ...

CVE-2019-16143

An issue was discovered in the blake2 crate before 0.8.1 for Rust. The BLAKE2b and BLAKE2s algorithms, when used with HMAC, produce incorrect results because the block sizes are half of the required sizes...

Apache Tapestry 5.3.6 HMAC Timing Attack Vulnerability

Exploit for java platform in category web applications CVE-2019-10071: Timing Attack in HMAC Verification in Apache Tapestry Affected versions: - Apache Tapestry 5.3.6 through current releases. Description: Apache Tapestry uses HMACs to verify the integrity of objects stored on the client side...

RUSTSEC-2019-0019 HMAC-BLAKE2 algorithms compute incorrect results

When used in conjunction with the Hash-based Message Authentication Code HMAC, the BLAKE2b and BLAKE2s implementations in blake2 crate versions prior to v0.8.1 used an incorrect block size 32-bytes instead of 64-bytes for BLAKE2s, and 64-bytes instead of 128-bytes for BLAKE2b, causing them to...

HMAC-BLAKE2 algorithms compute incorrect results

When used in conjunction with the Hash-based Message Authentication Code HMAC, the BLAKE2b and BLAKE2s implementations in blake2 crate versions prior to v0.8.1 used an incorrect block size 32-bytes instead of 64-bytes for BLAKE2s, and 64-bytes instead of 128-bytes for BLAKE2b, causing them to...

OPENSUSE-SU-2019:1888-1 Security update for libheimdal

This update for libheimdal fixes the following issues: libheimdal was updated to version 7.7.0: + Bug fixes: - PKCS11 hcrypto back-end: + initialize the p11moduleload function list + verify that not only is a mechanism present but that its mechanism info states that it offers the required...