
7685 matches found

OpenVAS
added 2014/11/01 12:0 a.m. | 19 views

Debian Security Advisory DSA 3062-1 (wget - security update)

HD Moore of Rapid7 discovered a symlink attack in Wget, a command-line utility to retrieve files via HTTP, HTTPS, and FTP. The vulnerability allows to create arbitrary files on the user OpenVAS Vulnerability Test $Id: deb3062.nasl 6637 2017-07-10 09:58:13Z teissa $ Auto-generated from advisory DS...

9.3 CVSS | 0.1 AI score | 0.39883 EPSS
Exploits: 4 | References: 1
OpenVAS
added 2014/10/31 12:0 a.m. | 18 views

CentOS Update for wget CESA-2014:1764 centos6

Check the version of wget SPDX-FileCopyrightText: 2014 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription scriptoid"1.3.6.1.4.1.25623.1.0.882071";...

9.3 CVSS | 7 AI score | 0.39883 EPSS
Exploits: 4 | References: 2
Tenable Nessus
added 2014/10/31 12:0 a.m. | 27 views

CentOS 6 / 7 : wget (CESA-2014:1764)

An updated wget package that fixes one security issue is now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is availab...

9.3 CVSS | 7.4 AI score | 0.39883 EPSS
Exploits: 4 | References: 3
RedHat Linux
added 2014/10/30 8:37 p.m. | 42 views

Moderate: Red Hat Security Advisory: wget security update

An updated wget package that fixes one security issue is now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is availab...

9.3 CVSS | 7.1 AI score | 0.39883 EPSS
Exploits: 4 | References: 2
Cent OS
added 2014/10/30 5:44 p.m. | 411 views

wget security update

CentOS Errata and Security Advisory CESA-2014:1764. An updated wget package that fixes one security issue is now available for Red Hat Enterprise Linux 6 and 7. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score,...

9.3 CVSS | 7.1 AI score | 0.39883 EPSS
Exploits: 4 | References: 7
Atlassian
added 2014/10/24 7:13 p.m. | 19 views

SSLv3 Is Not Disabled When sslProtocol is Set to TLS, Vulnerable to POODLE

The default connector as written in /conf/server.xml uses sslProtocol="TLS". This should only enable TLS connectors, but it also enables SSLv3. Our documentation and the included server.xml need to be updated to reflect the correct settings to enable only TLS. h3. Reproduction steps: Follow the...

0.1 AI score
Exploits: 0 | Affected Software: 1
Atlassian
added 2014/10/24 7:13 p.m. | 20 views

SSLv3 Is Not Disabled When sslProtocol is Set to TLS, Vulnerable to POODLE

The default connector as written in /conf/server.xml uses sslProtocol="TLS". This should only enable TLS connectors, but it also enables SSLv3. Our documentation and the included server.xml need to be updated to reflect the correct settings to enable only TLS. h3. Reproduction steps: Follow the...

0.1 AI score
Exploits: 0 | Affected Software: 1
Atlassian
added 2014/10/24 7:13 p.m. | 23 views

SSLv3 Is Not Disabled When sslProtocol is Set to TLS, Vulnerable to POODLE

The default connector as written in /conf/server.xml uses sslProtocol="TLS". This should only enable TLS connectors, but it also enables SSLv3. Our documentation and the included server.xml need to be updated to reflect the correct settings to enable only TLS. h3. Reproduction steps: Follow the...

0.1 AI score
Exploits: 0
Tenable Nessus
added 2014/10/12 12:0 a.m. | 24 views

Amazon Linux AMI : nginx (ALAS-2014-421)

A virtual host confusion issue was found in nginx, allowing HTTPS connections for one origin to be redirected to the virtual host of a different origin. This leads to a variety of issues, such as cookie theft and session hijacking. It could be triggered from a cross-site scripting flaw, tricking ...

4.3 CVSS | 5.2 AI score | 0.05654 EPSS
Exploits: 0 | References: 2
Tenable Nessus
added 2014/10/12 12:0 a.m. | 15 views

Amazon Linux AMI : ca-certificates (ALAS-2011-3)

This package contains the set of CA certificates chosen by the Mozilla Foundation for use with the Internet Public Key Infrastructure (PKI). It was found that a Certificate Authority (CA) issued fraudulent HTTPS certificates. This update removes that CA's root certificate from the ca-certificates...

5.4 AI score
Exploits: 0 | References: 1
OpenVAS
added 2014/10/12 12:0 a.m. | 15 views

Fedora Update for xen FEDORA-2014-12000

Check the version of xen SPDX-FileCopyrightText: 2014 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription scriptoid"1.3.6.1.4.1.25623.1.0.868383";...

8.3 CVSS | 6.7 AI score | 0.01388 EPSS
Exploits: 0 | References: 2
Tenable Nessus
added 2014/10/10 12:0 a.m. | 178 views

F5 Networks BIG-IP : HTTP cookie vulnerability (SOL15406)

The built-in web servers for multiple networking devices do not set the Secure attribute for sensitive cookies in HTTPS sessions, which could cause the user agent to send those cookies in plaintext over an HTTP session with the same server. CVE-2004-0462 C Tenable Network Security, Inc. The...

2.1 CVSS | 5.4 AI score | 0.00433 EPSS
Exploits: 0 | References: 2
seebug.org
added 2014/10/10 12:0 a.m. | 31 views

Wordpress Slideshow Gallery 1.4.6 - Shell Upload (Python Exploit)

No description provided by source. !/usr/bin/env python WordPress Slideshow Gallery 1.4.6 Shell Upload Exploit WordPress Slideshow Gallery plugin version 1.4.6 suffers from a remote shell upload vulnerability CVE-2014-5460 Vulnerability discovered by: Jesus Ramirez Pichardo -...

6.5 CVSS | 6.5 AI score | 0.7089 EPSS
Exploits: 11
Kitploit
added 2014/10/09 1:36 a.m. | 8 views

mwebfp - Massive Web Fingerprinter

The "LowNoiseHG (LNHG) Massive Web Fingerprinter" ("mwebfp" from now on) was conceived in July 2013 after realizing the usefulness of webserver screenshots to pentesters, during an engagement with large external or internal IP address ranges, as a quick means of identification of critical assets,...

7 AI score
Exploits: 0 | References: 4
myhack58
added 2014/10/09 12:0 a.m. | 20 views

Wiretapping storm: the Android platform https sniffing hijacking vulnerability-vulnerability warning-the black bar safety net

0x0 Preface Last year 1 0 mid-May, Tencent Security Center in the daily terminal Safety audits found that, in the Android platform used in https communication of app the vast majority of are not safe to use the google API, a direct result of https communication of sensitive information leakage ev...

7.9 AI score
Exploits: 0
NVD
added 2014/10/06 2:55 p.m. | 29 views

CVE-2014-0140

Red Hat CloudForms 3.1 Management Engine (CFME) before 5.3 allows remote authenticated users to access sensitive controllers and actions via a direct HTTP or HTTPS request...

4 CVSS | 6.2 AI score | 0.0124 EPSS
Exploits: 0 | References: 2
CVE
added 2014/10/06 2:0 p.m. | 55 views

CVE-2014-0140

Red Hat CloudForms Management Engine (CFME) prior to 5.3 is affected. An authenticated user could access sensitive controllers and actions via direct HTTP(S) requests, enabling possible privilege escalation. The issue is documented under CVE-2014-0140 and addressed in Red Hat’s RHSA-2014:1317; re...

4 CVSS | 6.4 AI score | 0.0124 EPSS
Exploits: 0 | References: 2 | Affected Software: 6
Cvelist
added 2014/10/06 2:0 p.m. | 28 views

CVE-2014-0140

Red Hat CloudForms 3.1 Management Engine (CFME) before 5.3 allows remote authenticated users to access sensitive controllers and actions via a direct HTTP or HTTPS request...

6.2 AI score | 0.0124 EPSS
Exploits: 0 | References: 2
Tenable Nessus
added 2014/10/06 12:0 a.m. | 29 views

Apache Subversion 1.0.x - 1.7.17 / 1.8.x < 1.8.10 Multiple Vulnerabilities

The version of Subversion Server installed on the remote host is version 1.x.x prior to 1.7.18 or 1.8.x prior to 1.8.10. It is, therefore, affected by the following vulnerabilities : - A flaw exists in the Serf RA layer. This flaw causes wildcards for HTTPS connections to be improperly evaluated,...

4 CVSS | 7.6 AI score | 0.07495 EPSS
Exploits: 0 | References: 4
Hacker One
added 2014/10/03 4:49 p.m. | 16 views

X (Formerly Twitter): Profile Pic padding (Length-hiding) fails due to use of GZIP

Back in August, I noted that Twitter was appending anywhere from dozens to thousands of junk 0x20 bytes on the end of the JPEG and PNG files they serve for users’ profile images. It was suggested that, though invalid, they were doing this deliberately, as an information-hiding mechanism. The HTTP...

6.7 AI score
Exploits: 0