Debian Security Advisory DSA 2457-2 (iceweasel - several vulnerabilities)

Several vulnerabilities have been discovered in Iceweasel, a web browser based on Firefox. The included XULRunner library provides rendering services for several other applications included in Debian. CVE-2012-0467Bob Clary, Christian Holler, Brian Hackett, Bobby Holley, Gary Kwong, Hilary Hall,...

BEAST Cryptographic Attack Mitigations Overturned

The BEAST cryptographic attack, once thought to be largely mitigated, has two things conspiring against it to make breaches potentially possible again. Not only has a server-side mitigation essentially been rendered moot by recent research into the RC4 cryptographic protocol, but Apple has yet to...

Frequently Unanswered Questions on the NSA Leaks

The flood of documents regarding the NSA’s collection methods and capabilities that have been leaked this summer has produced thousands of news stories and several metric tons of speculation about what it all means. But for all of the postulating, analysis and reporting, there are still a lot of...

HTTP Cookie 'secure' Property Transport Mismatch

The remote web server sends out cookies to clients with a 'secure' property that does not match the transport, HTTP or HTTPS, over which they were received. This may occur in two forms : 1. The cookie is sent over HTTP, but has the 'secure' property set, indicating that it should only be sent ove...

Moderate: Red Hat Security Advisory: rubygems security update

An updated rubygems package that fixes two security issues is now available for Red Hat OpenShift Enterprise 1.2.2. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity...

Amazon Linux AMI : nss (ALAS-2011-21)

It was found that the Malaysia-based Digicert Sdn. Bhd. subordinate Certificate Authority CA issued HTTPS certificates with weak keys. This update renders any HTTPS certificates signed by that CA as untrusted. This covers all uses of the certificates, including SSL, S/MIME, and code signing. Note...

Amazon Linux AMI : rubygems (ALAS-2012-79)

RubyGems before 1.8.23 can redirect HTTPS connections to HTTP, which makes it easier for remote attackers to observe or modify a gem during installation via a man-in-the-middle attack. C Tenable Network Security, Inc. The descriptive text and package checks in this plugin were extracted from Amaz...

Amazon Linux AMI : perl-libwww-perl (ALAS-2011-17)

The Net::HTTPS module in libwww-perl LWP before 6.00, as used in WWW::Mechanize, LWP::UserAgent, and other products, when running in environments that do not set the If-SSL-Cert-Subject header, does not enable full validation of SSL certificates by default, which allows remote attackers to spoof...

Amazon Linux AMI : ca-certificates (ALAS-2011-03)

This update includes the latest updates to the root Certificate Authority list from Mozilla. It was found that a Certificate Authority CA issued fraudulent HTTPS certificates. This update removes that CA's root certificate from the ca-certificates package, rendering any HTTPS certificates signed ...

Firefox Extension HTTP Nowhere Allows Users to Surf in Encrypted-Only Mode

It’s no secret that the Web wasn’t really meant to be a secure platform, for communications or commerce or anything else. But it’s used for all of these functions every day, and for the most part they depend upon the sites they deal with using SSL and doing so correctly. That’s not always a sure...

Obehotel CMS SQL Injection Vulnerability

Obehotel CMS suffers from denial of service, insecure transit, directory listing, and remote SQL injection vulnerabilities. OBEHOTEL Spanish CMS Blind SQLinjection / Apache httpd Remote Denial of Service / Directory Listing / Insecure transition from HTTPS to HTTP in form post I-VULNERABILITY...

Obehotel CMS Denial Of Service / SQL Injection

OBEHOTEL Spanish CMS Blind SQLinjection / Apache httpd Remote Denial of Service / Directory Listing / Insecure transition from HTTPS to HTTP in form post I-VULNERABILITY ------------------------- Title: OBEHOTEL CMS Blind SQLinjection / Apache httpd Remote Denial of Service / Directory Listing /...

Debian DSA-2740-2 : python-django - XSS vulnerability

Nick Brunn reported a possible cross-site scripting vulnerability in python-django, a high-level Python web development framework. The issafeurl utility function used to validate that a used URL is on the current host to avoid potentially dangerous redirects from maliciously-constructed...

[SECURITY] [DSA 2740-1] python-django security update

------------------------------------------------------------------------- Debian Security Advisory DSA-2740-1 [email protected] http://www.debian.org/security/ Salvatore Bonaccorso August 23, 2013 http://www.debian.org/security/faq -...

Debian Security Advisory DSA 2740-2 (python-django - cross-site scripting vulnerability)

Nick Brunn reported a possible cross-site scripting vulnerability in python-django, a high-level Python web development framework. The issafeurl utility function used to validate that a used URL is on the current host to avoid potentially dangerous redirects from maliciously-constructed...

CVE-2013-4964

Puppet Enterprise before 3.0.1 does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session...

CVE-2013-4964

Puppet Enterprise before 3.0.1 does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session...

Session fixation

Puppet Enterprise before 3.0.1 does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session...

CVE-2013-4964

Puppet Enterprise before 3.0.1 does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session...

CVE-2013-4964

Puppet Enterprise before 3.0.1 does not set the secure flag for the session cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session...