[SECURITY] [DSA 2849-1] curl security update
Debian Security Advisory DSA-2849-1, http://www.debian.org/security/, Florian Weimer, January 31, 2014, http://www.debian.org/security/faq ...
Debian Security Advisory DSA 2849-1 (curl - information disclosure)
Paras Sethia discovered that libcurl, a client-side URL transfer library, would sometimes mix up multiple HTTP and HTTPS connections with NTLM authentication to the same server, sending requests for one user over the connection authenticated as a different user. OpenVAS Vulnerability Test $Id:...
Google Pwnium 4 to Offer $2.7M in Prizes at CanSecWest
Building on the success of the last couple of years, Google plans to offer more than $2.7 million in potential rewards in the next iteration of its Pwnium hacking competition at this year’s CanSecWest conference in Vancouver. The company has run the contest in parallel with the older Pwn2Own...
Google Chrome Eavesdropping Exploit Published
The developer of the annyang speech recognition JavaScript library has published exploit code for a bug in Google’s Chrome browser that could allow a malicious website to eavesdrop using a computer’s microphone long after a visitor has left a website. The code disclosure is in response, said...
Fedora Update for drupal7-entity FEDORA-2014-0508
Check for the Version of drupal7-entity OpenVAS Vulnerability Test Fedora Update for drupal7-entity FEDORA-2014-0508 Authors: System Generated Check Copyright: Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net This program is free software; you can redistribute it and/or modify i...
sstp-discover NSE Script
Check if the Secure Socket Tunneling Protocol is supported. This is accomplished by trying to establish the HTTPS layer which is used to carry SSTP traffic as described in: - Current SSTP server implementations: - Microsoft Windows Server 2008/Server 2012 - MikroTik RouterOS - SEIL Example...
Twitter Forces HTTPS Connections to its API
UPDATE: As of yesterday, Twitter’s application programming interface (API) will only recognize traffic traveling via Transport Layer Security (TLS) or Secure Sockets Layer (SSL). Any applications connecting to the API in plaintext will no longer work. There is a vast selection of third-party Twitter...
Yahoo Encryption Slammed for Lack of Forward Secrecy, HSTS
Yahoo, as promised, rolled out HTTPS by default this week for its email service, bringing it in line with other Internet companies that have been securing users’ communication for years. But if Yahoo expected applause from security experts, it can think again. The response from those well-versed ...
Yahoo Mail turns on HTTPS encryption by default to protect users
After the release of the NSA's secret spying over Internet communications, I expect all tech companies to make surveillance significantly harder. Yahoo has had HTTPS encryption support since late 2012, but users had to opt in to use the feature. Documents revealed by Edward Snowden show tha...
Fedora Update for thunderbird FEDORA-2013-23291
Check for the Version of thunderbird OpenVAS Vulnerability Test Fedora Update for thunderbird FEDORA-2013-23291 Authors: System Generated Check Copyright: Copyright (C) 2014 Greenbone Networks GmbH, http://www.greenbone.net This program is free software; you can redistribute it and/or modify it und...
RedHat Update for xorg-x11-server RHSA-2013:1868-01
Check for the Version of xorg-x11-server OpenVAS Vulnerability Test RedHat Update for xorg-x11-server RHSA-2013:1868-01 Authors: System Generated Check Copyright: Copyright (C) 2013 Greenbone Networks GmbH, http://www.greenbone.net This program is free software; you can redistribute it and/or modif...
USN-2058-1: curl vulnerability
Marc Deslauriers discovered that libcurl incorrectly verified CN and SAN name fields when digital signature verification was disabled in the GnuTLS backend. When libcurl is being used in this uncommon way by specific applications, an attacker could exploit this to perform a machine-in-the-middle...
rubygems: Two security fixes in v1.8.23
RubyGems before 1.8.23 can redirect HTTPS connections to HTTP, which makes it easier for remote attackers to observe or modify a gem during installation via a man-in-the-middle attack...
CVE-2013-6926
The integrated HTTPS server in Siemens RuggedCom ROS before 3.12.2 allows remote authenticated users to bypass intended restrictions on administrative actions by leveraging access to a (1) guest or (2) operator account...
CVE-2013-6925
The integrated HTTPS server in Siemens RuggedCom ROS before 3.12.2 allows remote attackers to hijack web sessions by predicting a session id value...
Design/Logic Flaw
The integrated HTTPS server in Siemens RuggedCom ROS before 3.12.2 allows remote attackers to hijack web sessions by predicting a session id value...
Design/Logic Flaw
The integrated HTTPS server in Siemens RuggedCom ROS before 3.12.2 allows remote authenticated users to bypass intended restrictions on administrative actions by leveraging access to a (1) guest or (2) operator account...
CVE-2013-6925
CVE-2013-6925 affects Siemens RuggedCom ROS prior to version 3.12.2, where the integrated HTTPS web server on port 443 could allow remote attackers to hijack active web sessions by predicting a session ID value. The root cause is the use of insufficiently random values (CWE-330), enabling session predict...
CVE-2013-6926
The CVE concerns Siemens RuggedCom ROS prior to v3.12.2, where the integrated HTTPS server on port 443/TCP could allow remote authenticated attackers to bypass restrictions and perform limited administrative actions by using a guest or operator account. The vulnerability stems from an authenticat...