344 matches found
Apache Tomcat 8.5.0 < 8.5.5 multiple vulnerabilities
The version of Tomcat installed on the remote host is prior to 8.5.5. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_8.5.5_and_8.0.37_security-8 advisory. - The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4,...
Updated python3/python packages fix security vulnerability
Fix for CVE-2016-1000110 HTTPoxy attack. Many software projects and vendors have implemented support for the “Proxy” request header in their respective CGI implementations and languages by creating the “HTTP_PROXY” environmental variable based on the header value. When this variable is used in man...
CVE-2016-5387
It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could...
Kitty - Fuzzing Framework Written In Python
Kitty is an open-source modular and extensible fuzzing framework written in Python, inspired by OpenRCE's Sulley and Michael Eddington's (and now Deja Vu Security's) Peach Fuzzer. Goal: When we started writing Kitty, our goal was to help us fuzz unusual targets, meaning proprietary and esoteric...
glibc security update
2.17-106.0.1.4 - Remove strstr and strcasestr implementations using sse4.2 instructions. - Upstream commits 584b18eb4df61ccd447db2dfe8c8a7901f8c8598 and 1818483b15d22016b0eae41d37ee91cc87b37510 backported. 2.17-106.4 - Revert problematic libresolv change, not needed for the CVE-2015-7547 fix...
FreeBSD : go -- information disclosure vulnerability (6809c6db-bdeb-11e5-b5fe-002590263bf5)
Jason Buberel reports : A security-related issue has been reported in Go's math/big package. The issue was introduced in Go 1.5. We recommend that all users upgrade to Go 1.5.3, which fixes the issue. Go programs must be recompiled with Go 1.5.3 in order to receive the fix. The Go team would like...
keybase: information leakage
This issue can affect RSA computations in crypto/rsa, which is used by crypto/tls. TLS servers on 32-bit systems could plausibly leak their RSA private key due to this issue. Other protocol implementations that create many RSA signatures could also be impacted in the same way. Specifically,...
docker: information leakage
This issue can affect RSA computations in crypto/rsa, which is used by crypto/tls. TLS servers on 32-bit systems could plausibly leak their RSA private key due to this issue. Other protocol implementations that create many RSA signatures could also be impacted in the same way. Specifically,...
go-ipfs: information leakage
This issue can affect RSA computations in crypto/rsa, which is used by crypto/tls. TLS servers on 32-bit systems could plausibly leak their RSA private key due to this issue. Other protocol implementations that create many RSA signatures could also be impacted in the same way. Specifically,...
syncthing: information leakage
This issue can affect RSA computations in crypto/rsa, which is used by crypto/tls. TLS servers on 32-bit systems could plausibly leak their RSA private key due to this issue. Other protocol implementations that create many RSA signatures could also be impacted in the same way. Specifically,...
Google Chrome - Renderer Process to Browser Process Privilege Escalation
Source: https://code.google.com/p/google-security-research/issues/detail?id=664 There is an overflow in the ui::PlatformCursor WebCursor::GetPlatformCursor method. In src/content/common/cursors/webcursor_aurax11.cc, there is the following code:...
CVE-2005-1797
The design of Advanced Encryption Standard (AES), aka Rijndael, allows remote attackers to recover AES keys via timing attacks on S-box lookups, which are difficult to perform in constant time in AES implementations...
Cesar Cerrudo on Securing Smart Cities
IOActive Labs CTO Cesar Cerrudo talks to Ryan Naraine about major realistic security problems affecting technology implementations of smart cities — from traffic control systems to surveillance cameras and power grids — and warns that the damages from live attacks could be catastrophic. Download:...
Flawed TLS Implementations Leak RSA Keys
A number of TLS software implementations contain vulnerabilities that allow hackers with minimal computational expense to learn RSA keys. Florian Weimer, a researcher with Red Hat, last week published a paper called “Factoring RSA Keys With TLS Perfect Forward Secrecy” that demonstrated...
PT-2015-4518
Name of the Vulnerable Software and Affected Versions: IBM Java versions prior to 8 SR1; IBM Java 7 R1 versions prior to SR2 FP11; IBM Java 7 versions prior to SR9; IBM Java 6 R1 versions prior to SR8 FP4; IBM Java 6 versions prior to SR16 FP4; IBM Java 5.0 versions prior to SR16 FP10. Description: The...
CVE-2015-1117
The (1) setreuid and (2) setregid system-call implementations in the kernel in Apple iOS before 8.3, Apple OS X before 10.10.3, and Apple TV before 7.2 do not properly perform privilege drops, which makes it easier for attackers to execute code with unintended user or group privileges via a crafted a...
SuSE 11.3 Security Update : glibc (SAT Patch Number 10357)
glibc has been updated to fix three security issues: - wordexp failed to honour WRDE_NOCMD (bsc#906371, CVE-2014-7817). - Fixed invalid file descriptor reuse while sending DNS query (bsc#915526, CVE-2013-7423). - Fixed buffer overflow in wscanf (bsc#916222). These non-security issues have been fixed:...
NAT-PMP Security Vulnerability Affects 1.2M Routers
Vulnerabilities in embedded devices, in particular small office and home office routers, have been relentless. Another serious issue was discovered this week that affects more than 1.2 million such devices due to improper NAT-PMP protocol implementations, most of which run counter to the...
SSL 3.0 MITM Attack
A vulnerability affecting most implementations of SSL 3.0 has been discovered that allows an attacker to decrypt some encrypted contents under certain conditions (CVE-2014-3566). The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which mak...
Microsoft Extends SHA-2, TLS Support for Windows
One by one, tech companies have been tossing aside the SHA-1 cryptographic algorithm like the unreliable collision-prone mess that it is. Microsoft was among the first to steer its customers away from SHA-1 and established an internal edict that its developers would no longer use it for...