Debian Linux Security Advisory 3513-1 – Several vulnerabilities have been discovered in the chromium web browser.

Slackware Security Advisory – New openssh packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1, and -current to fix security issues.

FreeBSD Security Advisory – A cross-protocol attack was discovered that could lead to decryption of TLS sessions by using a server supporting SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA padding oracle. Note that traffic between clients and non-vulnerable servers can be decrypted provided another server supporting SSLv2 and EXPORT ciphers (even with a different protocol such as SMTP, IMAP or POP3) shares the RSA keys of the non-vulnerable server. This vulnerability is known as DROWN. Various other issues were also addressed.

FreeBSD Security Advisory – Testing by ISC has uncovered a defect in control channel input handling which can cause named to exit due to an assertion failure in sexpr.c or alist.c when a malformed packet is sent to named’s control channel (the interface which allows named to be controlled using the “rndc” server control utility). An error when parsing signature records for DNAME records having specific properties can lead to named exiting due to an assertion failure in resolver.c or db.c. A remote attacker can deliberately trigger the failed assertion if the DNS server accepts remote rndc commands regardless if authentication is configured. Note that this is not enabled by default. A remote attacker who can cause a server to make a query deliberately chosen to generate a response containing a signature record which would trigger a failed assertion and cause named to stop. Disabling DNSsec does not provide protection against this vulnerability.