PT-2026-39574

Zephyr sockets created with IPPROTO TLS 1 3 can still negotiate a TLS 1.2 connection when both TLS versions are enabled in Kconfig, because the socket-level protocol selection is not propagated to mbedTLS e.g. via mbedtls ssl conf min tls version. The ClientHello advertises both versions and the...

EUVD-2020-2738

Malware in sbrugna...

CVE-2024-28755

An issue was discovered in Mbed TLS 3.5.x before 3.6.0. When an SSL context was reset with the mbedtlssslsessionreset API, the maximum TLS version to be negotiated was not restored to the configured one. An attacker was able to prevent an Mbed TLS server from establishing any TLS 1.3 connection,...

UBUNTU-CVE-2024-28836

An issue was discovered in Mbed TLS 3.5.x before 3.6.0. When negotiating the TLS version on the server side, it can fall back to the TLS 1.2 implementation of the protocol if it is disabled. If the TLS 1.2 implementation was disabled at build time, a TLS 1.2 client could put a TLS 1.3-only server...

CVE-2024-28755

An issue was discovered in Mbed TLS 3.5.x before 3.6.0. When an SSL context was reset with the mbedtlssslsessionreset API, the maximum TLS version to be negotiated was not restored to the configured one. An attacker was able to prevent an Mbed TLS server from establishing any TLS 1.3 connection,...

CVE-2024-28836

An issue was discovered in Mbed TLS 3.5.x before 3.6.0. When negotiating the TLS version on the server side, it can fall back to the TLS 1.2 implementation of the protocol if it is disabled. If the TLS 1.2 implementation was disabled at build time, a TLS 1.2 client could put a TLS 1.3-only server...

CVE-2024-28836

An issue was discovered in Mbed TLS 3.5.x before 3.6.0. When negotiating the TLS version on the server side, it can fall back to the TLS 1.2 implementation of the protocol if it is disabled. If the TLS 1.2 implementation was disabled at build time, a TLS 1.2 client could put a TLS 1.3-only server...

PT-2024-22603 · Mbed Tls · Mbed Tls

Name of the Vulnerable Software and Affected Versions: Mbed TLS versions 3.5.x through 3.5.x before 3.6.0 Mbed TLS versions prior to 3.6.0 Description: An issue was discovered in Mbed TLS when negotiating the TLS version on the server side, it can fall back to the TLS 1.2 implementation of the...

Denial Of Service (DoS)

Microsoft QUIC is vulnerable to Denial Of Service DoS. The vulnerability is due to the library allowing version negotiation packets for server connections, which enables an attacker to crash the application...

Remote Denial of Service Vulnerability in Microsoft.Native.Quic.MsQuic.Schannel

Impact The MsQuic server application or process will crash, resulting in a denial of service. Patches The following patch was made: - Don't Allow Version Negotiation Packets for Server Connections - https://github.com/microsoft/msquic/commit/3226cff07d22662f16fc98d605656860e64cd343 Workarounds...

Micro Air Vehicle Link Path Traversal Vulnerability

Micro Air Vehicle Link MAVLink is a lightweight messaging protocol from the Dronecode project that is primarily used for communication between ground control terminals ground stations and UAVs as well as between airborne UAV components. A security vulnerability exists in the Micro Air Vehicle Lin...

PT-2020-12032 · Dronecode · Mavlink

Name of the Vulnerable Software and Affected Versions: MAVLink versions prior to 2.0 Description: The issue concerns the negotiation of the MAVLink protocol version between the Ground Control Station GCS and the autopilot. An attacker can manipulate the negotiation process to force the autopilot ...

Security Bulletin: SSLv3 POODLE attack vulnerability affects IBM Image Construction and Composition Tool (CVE-2014-3566)

Summary A vulnerability within IBM Image Construction and Composition Tool’s usage of SSLv3 might allow a man-in-the-middle attacker to access the plain text of network traffic encrypted using SSLv3. This vulnerability has been dubbed the Padding Oracle On Downgraded Legacy Encryption POODLE...

Security changes in Opera 25; the poodle attacks

Security Security changes in Opera 25; the poodle attacks Share October 15th, 2014 So the last weeks have been rather hectic behind the scenes in the browser security world, when Google security group found a new way to exploit a rather well known design weakness in SSLv3 published in the paper...