2929 matches found

IBM Security Bulletins
added 2022/09/14 1:37 p.m. · 52 views

Security Bulletin: z/Transaction Processing Facility is affected by an OpenSSL vulnerability

Summary: The z/TPF version of OpenSSL was updated to address the vulnerability described by CVE-2019-1563. Vulnerability Details: CVEID: CVE-2019-1563 DESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by a padding oracle attack in PKCS7_dataDecode and...

4.9 AI score · 0.03338 EPSS
Exploits: 0 · Affected Software: 1
IBM Security Bulletins
added 2022/09/08 12:9 a.m. · 51 views

Security Bulletin: TLS padding vulnerability affects IBM HTTP Server (CVE-2014-8730)

Summary: Transport Layer Security (TLS) padding vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) like attack affects IBM HTTP Server. Vulnerability Details: CVE-ID: CVE-2014-8730 DESCRIPTION: IBM HTTP Server could allow a remote attacker to obtain sensitive information,...

4.3 CVSS · 3.4 AI score · 0.99999 EPSS
Exploits: 5 · Affected Software: 1
OpenVAS
added 2022/08/26 12:0 a.m. · 22 views

Ubuntu: Security Advisory (USN-361-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2022 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only if(description)...

10 CVSS · 6.1 AI score · 0.07037 EPSS
Exploits: 1 · References: 2
hivepro
added 2022/08/25 4:24 a.m. · 12 views

Grandoreiro Banking Trojan Attacks Industries in Spanish-Speaking Countries

Threat Level Attack Report. Summary: Grandoreiro banking trojan is a campaign that has been active since at least 2016 and targets a variety of businesses in Mexico and Spain, including automotive, chemical production, and others. Threat actors...

3.4 AI score
Exploits: 0
Positive Technologies
added 2022/08/18 12:0 a.m. · 6 views

PT-2024-8441 · Linux +4 · Linux Kernel +4

Name of the Vulnerable Software and Affected Versions: Linux kernel (affected versions not specified). Description: The issue is related to the regmap component in the Linux kernel, specifically with the spi module. The max raw read and max raw write limits in the regmap spi struct do not account fo...

8.8 CVSS · 6.6 AI score · 0.03763 EPSS
Exploits: 18 · References: 490
Fedora
added 2022/07/30 2:0 a.m. · 15 views

[SECURITY] Fedora 36 Update: golang-github-mvo5-uboot-0.4-11.fc36

Small Go package/app to read/write uboot env files that contain crc32 + 1 byte padding. Unlike fw_{set,print}env it does not need a /etc/fw_env.config config file...

7.2 AI score
Exploits: 0
MSRC
added 2022/07/19 7:0 a.m. · 12 views

Mitigating the Padding Oracle Vulnerability in Azure Storage SDK Client-Side Encryption

This blog post is an abridged translation of Mitigation for Azure Storage SDK Client-Side Encryption Padding Oracle Vulnerability. Please refer to the original for the latest information...

1.5 AI score
Exploits: 0
MSRC
added 2022/07/18 1:40 p.m. · 40 views

Mitigation for Azure Storage SDK Client-Side Encryption Padding Oracle Vulnerability

Summary: Google informed Microsoft under Coordinated Vulnerability Disclosure (CVD) of a padding oracle vulnerability that may affect customers using Azure Storage SDK (for Python, .NET, Java) client-side encryption (CVE-2022-30187). To mitigate this vulnerability, we released a new General Availabilit...

1.9 CVSS · 2.6 AI score · 0.005 EPSS
Exploits: 0
MSRC
added 2022/07/18 7:0 a.m. · 42 views

Mitigation for Azure Storage SDK Client-Side Encryption Padding Oracle Vulnerability

Summary: Google informed Microsoft under Coordinated Vulnerability Disclosure (CVD) of a padding oracle vulnerability that may affect customers using Azure Storage SDK (for Python, .NET, Java) client-side encryption (CVE-2022-30187). To mitigate this vulnerability, we released a new General...

1.9 CVSS · 2.7 AI score · 0.005 EPSS
Exploits: 0
Fedora
added 2022/07/17 1:15 a.m. · 18 views

[SECURITY] Fedora 35 Update: golang-github-mvo5-uboot-0.4-10.fc35

Small Go package/app to read/write uboot env files that contain crc32 + 1 byte padding. Unlike fw_{set,print}env it does not need a /etc/fw_env.config config file...

9.3 CVSS · 8.8 AI score · 0.05994 EPSS
Exploits: 4
RedHat Linux
added 2022/07/13 8:45 a.m. · 3 views

kernel: dm integrity: fix memory corruption when tag_size is less than digest size

In the Linux kernel, the following vulnerability has been resolved: dm integrity: fix memory corruption when tag_size is less than digest size. It is possible to set up dm-integrity in such a way that the "tag_size" parameter is less than the actual digest size. In this situation, a part of the dige...

7.8 CVSS · 6.3 AI score · 0.00263 EPSS
Exploits: 0 · References: 5
OSV
added 2022/07/13 12:0 a.m. · 63 views

GHSA-64X4-9HC6-R2H6 Microsoft: CBC Padding Oracle in Azure Blob Storage Encryption Library

Summary: The Azure Storage Encryption library in Java and other languages is vulnerable to a CBC Padding Oracle attack, similar to CVE-2020-8911. The library is not vulnerable to the equivalent of CVE-2020-8912, but only because it currently only supports AES-CBC as encryption mode. Severity...

4.7 CVSS · 4.9 AI score · 0.005 EPSS
Exploits: 0 · References: 4
Github Security Blog
added 2022/07/13 12:0 a.m. · 44 views

Microsoft: CBC Padding Oracle in Azure Blob Storage Encryption Library

Summary: The Azure Storage Encryption library in Java and other languages is vulnerable to a CBC Padding Oracle attack, similar to CVE-2020-8911. The library is not vulnerable to the equivalent of CVE-2020-8912, but only because it currently only supports AES-CBC as encryption mode. Severity...

4.7 CVSS · 5.6 AI score · 0.005 EPSS
Exploits: 0 · References: 5 · Affected Software: 5
Fedora
added 2022/07/04 1:35 a.m. · 21 views

[SECURITY] Fedora 36 Update: golang-github-mvo5-uboot-0.4-10.fc36

Small Go package/app to read/write uboot env files that contain crc32 + 1 byte padding. Unlike fw_{set,print}env it does not need a /etc/fw_env.config config file...

9.3 CVSS · 8.8 AI score · 0.05994 EPSS
Exploits: 4
RedHat Linux
added 2022/07/01 12:5 a.m. · 5 views

kernel: dm integrity: fix memory corruption when tag_size is less than digest size

In the Linux kernel, the following vulnerability has been resolved: dm integrity: fix memory corruption when tag_size is less than digest size. It is possible to set up dm-integrity in such a way that the "tag_size" parameter is less than the actual digest size. In this situation, a part of the dige...

7.8 CVSS · 6.3 AI score · 0.00263 EPSS
Exploits: 0 · References: 5
Broadcom
added 2022/06/22 12:0 a.m. · 5 views

BSA-2022-765

Security Advisory ID: BSA-2022-765 Component: OpenSSL Revision: 1.0. If an application encounters a fatal protocol error and then calls SSL_shutdown twice (once to send a close_notify, and once to receive one) then OpenSSL can respond differently to the calling application if a 0-byte record is...

5.9 CVSS · 6.8 AI score · 0.17139 EPSS
Exploits: 0
GitLab Advisory Database
added 2022/06/16 12:0 a.m. · 3 views

abomonation transmutes &T to and from &[u8] without sufficient constraints

This transmute is at the core of the abomonation crates. It's so easy to use it to violate alignment requirements that no test in the crate's test suite passes under miri. The use of this transmute in serialization/deserialization also incorrectly assumes that the layout of a repr(Rust) type is...

5.9 AI score
Exploits: 0 · References: 4 · Affected Software: 1
Tenable Nessus
added 2022/06/01 12:0 a.m. · 39 views

Apache Shiro < 1.4.2 Padding Attack

Apache Shiro before 1.4.2, when using the default 'remember me' configuration, cookies could be susceptible to a padding attack. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number. (C) Tenable, Inc. include('compat.inc'); if...

7.5 CVSS · 7.5 AI score · 0.09101 EPSS
Exploits: 0 · References: 2
OSV
added 2022/05/17 5:45 a.m. · 1 views

GHSA-4FV4-CQ5V-X45M Improper Authentication in Apache MyFaces

shared/util/StateUtils.java in Apache MyFaces 1.1.x before 1.1.8, 1.2.x before 1.2.9, and 2.0.x before 2.0.1 uses an encrypted View State without a Message Authentication Code (MAC), which makes it easier for remote attackers to perform successful modifications of the View State via a padding oracl...

5 CVSS · 6 AI score · 0.03125 EPSS
Exploits: 0 · References: 4
OSV
added 2022/05/14 2:14 a.m. · 0 views

GHSA-8353-FGCR-XFHX Improper Input Validation in Bouncy Castle

The TLS implementation in the Bouncy Castle Java library before 1.48 and C library before 1.8 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attack...

4 CVSS · 7 AI score · 0.02972 EPSS
Exploits: 0 · References: 7