7687 matches found
Debian Security Advisory DSA 3787-1 (tomcat7 - security update)
It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop.
CVE-2017-6056
It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. The denial of service is easily achievable as a consequence of backporting a CVE-2016-6816 fix but not backporting the f...
UBUNTU-CVE-2017-6056
It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. The denial of service is easily achievable as a consequence of backporting a CVE-2016-6816 fix but not backporting the f...
Debian: Security Advisory (DSA-3788-1)
The remote host is missing an update for the Debian...
secure.amesperf.com XSS vulnerability
Vulnerable URL: https://secure.amesperf.com/qilan/SearchWeb?ordernumbere=MzM4MzAwOQ%3D%3D%0D%0A%27%22%20/Style=position:fixed;top:0;left:0;font-size:999px;%20/Onmouseenter=confirmOPENBUGBOUNTY%20// Details: Description| Value ---|--- Patched:| No Latest check for patch:| 30.07.2017 Vulnerability...
Code Execution through IIFE
Overview: Affected versions of node-serialize can be abused to execute arbitrary code via an immediately invoked function expression (IIFE) if untrusted user input is passed into unserialize(). Recommendation: There is no direct patch for this issue. The package author has reviewed this advisory, and...
Amazon Linux AMI : java-1.6.0-openjdk (ALAS-2017-795)
It was discovered that the Hotspot component of OpenJDK did not properly check arguments of the System.arraycopy function in certain cases. An untrusted Java application or applet could use this flaw to corrupt virtual machine's memory and completely bypass Java sandbox restrictions. CVE-2016-558...
Android Meterpreter Shell, Reverse HTTPS Inline
Connect back to attacker and spawn a Meterpreter shell. This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework module MetasploitModule CachedSize = :dynamic include Msf::Payload::TransportConfig include Msf::Payload::Single...
catalog.snhu.edu XSS vulnerability
Vulnerable URL: http://catalog.snhu.edu/portfolionopop.php/"--!" Details: Description| Value ---|--- Patched:| Yes, at Vulnerability type:| XSS Vulnerability status:| Publicly disclosed Alexa Rank| Unknown / Not calculated VIP website status:| No Check catalog.snhu.edu SSL connection:| Grade: F...
ordinefarmacistibrindisi.gov.it XSS vulnerability
Vulnerable URL: http://www.ordinefarmacistibrindisi.gov.it/player.swf?debug=promptopenbugbounty Details: Description| Value ---|--- Patched:| Yes, at Vulnerability type:| XSS Vulnerability status:| Publicly disclosed Alexa Rank| 11684685 VIP website status:| No Check ordinefarmacistibrindisi.gov....
Fedora 25 : shotwell (2017-8c3c43cc4f)
This release turns on HTTPS encryption all over the publishing plugins. Users using Tumblr and Yandex.Fotki publishing are strongly advised to change their passwords and reauthenticate Shotwell to those services after upgrade. Users of Picasa and Youtube publishing are strongly advised to...
Fedora 24 : shotwell (2017-ddee871dd1)
This release turns on HTTPS encryption all over the publishing plugins. Users using Tumblr and Yandex.Fotki publishing are strongly advised to change their passwords and reauthenticate Shotwell to those services after upgrade. Users of Picasa and Youtube publishing are strongly advised to...
SUSE SLED12 / SLES12 Security Update : ceph (SUSE-SU-2017:0367-1)
This update for ceph fixes the following issues: - CVE-2016-5009: moncommand with empty prefix could crash monitor bsc987144 - Invalid command in SOC7 with ceph bsc1008894 - Performance fix was missing in SES4 bsc1005179 - ceph build problems on ppc64le bsc982141 - ceph make build unit test...
FreeBSD : shotwell -- failure to encrypt authentication (5a9b3d70-48e2-4267-b196-83064cb14fe0)
Jens Georg reports: I have just released Shotwell 0.24.5 and 0.25.4 which turn on HTTPS encryption all over the publishing plugins. Users using Tumblr and Yandex.Fotki publishing are strongly advised to change their passwords and reauthenticate Shotwell to those services after upgrade. Users of...
HTTPS Hits 50 Percent Traffic Milestone
This week HTTPS hit another big milestone. According to a two-week survey of telemetry data from the Mozilla Firefox browser, 50 percent of page loads used HTTPS. “For the first time, the running average crested the 50 percent HTTPS page load mark,” said Sarah Gran, director of communications for...
Design/Logic Flaw
OpenNTPD before 6.0p1 does not validate the CN for HTTPS constraint requests, which allows remote attackers to bypass the man-in-the-middle mitigations via a crafted timestamp constraint with a valid certificate...
CVE-2016-5117
OpenNTPD before 6.0p1 does not validate the CN for HTTPS constraint requests, which allows remote attackers to bypass the man-in-the-middle mitigations via a crafted timestamp constraint with a valid certificate...
DEBIAN-CVE-2016-5117
OpenNTPD before 6.0p1 does not validate the CN for HTTPS constraint requests, which allows remote attackers to bypass the man-in-the-middle mitigations via a crafted timestamp constraint with a valid certificate...