12 matches found

Tenable Nessus
added 2024/03/06 12:00 a.m. · 18 views

Amazon Linux 2023 : curl, curl-minimal, libcurl (ALAS2023-2024-558)

It is, therefore, affected by a vulnerability as referenced in the ALAS2023-2024-558 advisory. This update enables libpsl support in curl, which adds protection against domain spanning super cookies as described in section 5.3 of RFC 6265. Tenable has extracted the preceding description block...

AI score 5.5
Exploits 0 · References 2
Amazon
added 2024/03/05 12:00 a.m. · 2 views

Low: curl

Issue Overview: This update enables libpsl support in curl, which adds protection against domain spanning "super cookies" as described in section 5.3 of RFC 6265. Affected Packages: curl. Issue Correction: Run dnf update curl --releasever 2023.3.20240304 to update your system. New Packages: aarch6...

AI score 7.3
Exploits 0
Tenable Nessus
added 2024/03/05 12:00 a.m. · 44 views

Amazon Linux 2 : curl (ALAS-2024-2490)

The version of curl installed on the remote host is prior to 8.3.0-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2024-2490 advisory. This update enables libpsl support in curl, which adds protection against domain spanning super cookies as described in section 5.3 of...

AI score 5.6
Exploits 0 · References 2
Amazon
added 2024/03/04 12:00 a.m. · 21 views

Low: curl

Issue Overview: This update enables libpsl support in curl, which adds protection against domain spanning "super cookies" as described in section 5.3 of RFC 6265. Affected Packages: curl. Note: This advisory is applicable to the Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the...

AI score 7.3
Exploits 0
Github Security Blog
added 2023/04/18 10:19 p.m. · 37 views

Eclipse Jetty's cookie parsing of quoted values can exfiltrate values from other cookies

Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with a double quote ("), it will continue to read the cookie string unti...

CVSS 5.3 · AI score 5.9 · EPSS 0.00403
Exploits 0 · References 11 · Affected software 1
Github Security Blog
added 2022/03/07 11:44 p.m. · 26 views

Exposure of Sensitive Information to an Unauthorized Actor in httpie

Impact: HTTPie has the practical concept of sessions, which help users persistently store some of the state that belongs to the outgoing requests and incoming responses on disk for further usage. As an example, we can make an authenticated request and save it to a named session called api:...

CVSS 6.5 · AI score 5.1 · EPSS 0.006
Exploits 1 · References 9 · Affected software 1
RedHat Linux
added 2016/10/10 6:10 a.m. · 39 views

Moderate: Red Hat Security Advisory: python-django security update

An update for python-django is now available for Red Hat Enterprise Linux OpenStack Platform 7.0 (Kilo) for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, ...

CVSS 7.5 · AI score 6.7 · EPSS 0.06156
Exploits 1 · References 2
RedHat Linux
added 2016/10/10 5:56 a.m. · 2 views

python-django: CSRF protection bypass on a site with Google Analytics

A CSRF flaw was found in Django, where an interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary cookies, leading to a bypass of CSRF protection. In this update, the parser for request.COOKIES has been simplified to better match browser behavi...

CVSS 7.5 · AI score 7.1 · EPSS 0.06156
Exploits 1 · References 4
RedhatCVE
added 2016/09/27 12:17 a.m. · 41 views

CVE-2016-7401

A CSRF flaw was found in Django, where an interaction between Google Analytics and Django's cookie parsing could allow an attacker to set arbitrary cookies, leading to a bypass of CSRF protection. In this update, the parser for request.COOKIES has been simplified to better match browser behavi...

CVSS 7.5 · AI score 5.1 · EPSS 0.06156
Exploits 1 · References 1
ThreatPost
added 2015/09/25 11:18 a.m. · 5 views

DHS Alerts to Continuing Browser Cookie Vulnerabilities

In case you didn't know or need a reminder, browser cookies aren't exactly impervious to attack. The DHS-sponsored CERT at the Software Engineering Institute at Carnegie Mellon University this week dropped an alert that warns users about the continued prevalence of a class of cookie vulnerabilities...

AI score 1.3
Exploits 0 · References 3
The Hacker News
added 2015/09/25 4:32 a.m. · 20 views

Exploiting Browser Cookies to Bypass HTTPS and Steal Private Information

A newly discovered critical flaw in the implementation of web cookies by major browsers could open secured HTTPS browsing to man-in-the-middle attacks. The US Computer Emergency Response Team (CERT) has revealed that all the main browser vendors have improperly implemented the RFC 6265 standard, al...

AI score 7.2
Exploits 0
CERT
added 2015/09/24 12:00 a.m. · 29 views

Cookies set via HTTP requests may be used to bypass HTTPS and reveal private information

Overview: RFC 6265 (previously RFC 2965) established HTTP State Management, also known as "cookies". In most web browser implementations of RFC 6265, cookies set via HTTP requests may allow a remote attacker to bypass HTTPS and reveal private session information. Description: HTTP cookies have long...

CVSS 5.8 · AI score 9.1 · EPSS 0.00742
Exploits 0 · References 7