NetCommWireless HSPA 3G10WVE Wireless Router Multiple vulnerabilities
Monthly Archives: May 2016
Bugtraq: [SECURITY] [DSA 3566-1] openssl security update
Bugtraq: Swagger Editor v2.9.9 "description" Key DOM-based Cross-Site Scripting
USN-2959-1: OpenSSL vulnerabilities
Ubuntu Security Notice USN-2959-1
3rd May, 2016
openssl vulnerabilities
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 16.04 LTS
- Ubuntu 15.10
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary
Several security issues were fixed in OpenSSL.
Software description
- openssl: Secure Socket Layer (SSL) cryptographic library and tools
Details
Huzaifa Sidhpurwala, Hanno Böck, and David Benjamin discovered that OpenSSL
incorrectly handled memory when decoding ASN.1 structures. A remote
attacker could use this issue to cause OpenSSL to crash, resulting in a
denial of service, or possibly execute arbitrary code. (CVE-2016-2108)
Juraj Somorovsky discovered that OpenSSL incorrectly performed padding when
the connection uses the AES CBC cipher and the server supports AES-NI. A
remote attacker could possibly use this issue to perform a padding oracle
attack and decrypt traffic. (CVE-2016-2107)
Guido Vranken discovered that OpenSSL incorrectly handled large amounts of
input data to the EVP_EncodeUpdate() function. A remote attacker could use
this issue to cause OpenSSL to crash, resulting in a denial of service, or
possibly execute arbitrary code. (CVE-2016-2105)
Guido Vranken discovered that OpenSSL incorrectly handled large amounts of
input data to the EVP_EncryptUpdate() function. A remote attacker could use
this issue to cause OpenSSL to crash, resulting in a denial of service, or
possibly execute arbitrary code. (CVE-2016-2106)
Brian Carpenter discovered that OpenSSL incorrectly handled memory when
ASN.1 data is read from a BIO. A remote attacker could possibly use this
issue to cause memory consumption, resulting in a denial of service.
(CVE-2016-2109)
As a security improvement, this update also modifies OpenSSL behaviour to
reject DH key sizes below 1024 bits, preventing a possible downgrade
attack.
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 16.04 LTS:
  - libssl1.0.0 1.0.2g-1ubuntu4.1
- Ubuntu 15.10:
  - libssl1.0.0 1.0.2d-0ubuntu1.5
- Ubuntu 14.04 LTS:
  - libssl1.0.0 1.0.1f-1ubuntu2.19
- Ubuntu 12.04 LTS:
  - libssl1.0.0 1.0.1-4ubuntu5.36
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
After a standard system update you need to reboot your computer to make
all the necessary changes.
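As an added example (not part of the Ubuntu notice), the following Python check compares an installed libssl1.0.0 version string against the fixed versions listed above, reimplementing the dpkg ordering rules from deb-version(7) so the check also runs off an Ubuntu host; on Ubuntu itself `dpkg --compare-versions` gives the same ordering. The release keys and the function names are assumptions of this example; the version strings are the advisory's.

```python
import re
# Fixed libssl1.0.0 versions per release, exactly as listed in USN-2959-1.
FIXED_LIBSSL = {
    "16.04": "1.0.2g-1ubuntu4.1",
    "15.10": "1.0.2d-0ubuntu1.5",
    "14.04": "1.0.1f-1ubuntu2.19",
    "12.04": "1.0.1-4ubuntu5.36",
}

def _order(c: str) -> int:
    """dpkg character weight: '~' < end-of-string/digit < letters < other symbols."""
    if c == "~":
        return -1
    return 0 if c == "" or c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _cmp_fragment(a: str, b: str) -> int:
    """Compare an upstream-version or revision string the way dpkg's verrevcmp() does."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: character by character with dpkg's weights.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        # Digit run: compare numerically, so ubuntu2.19 sorts after ubuntu2.9.
        na, nb = re.match(r"\d*", a[i:]).group(), re.match(r"\d*", b[j:]).group()
        i, j = i + len(na), j + len(nb)
        if int(na or 0) != int(nb or 0):
            return int(na or 0) - int(nb or 0)
    return 0

def _split(v: str):
    """Split [epoch:]upstream[-revision]; epoch defaults to 0, revision to ''."""
    epoch, has_epoch, rest = v.partition(":")
    if not has_epoch:
        epoch, rest = "0", v
    upstream, has_rev, revision = rest.rpartition("-")
    return int(epoch), (upstream if has_rev else rest), (revision if has_rev else "")

def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 for a <, ==, > b: epoch first, then upstream, then revision."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    r = (ea > eb) - (ea < eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)
    return (r > 0) - (r < 0)

def is_patched(release: str, installed: str) -> bool:
    """True when the installed libssl1.0.0 is at or above the advisory's fixed version."""
    return compare_versions(installed, FIXED_LIBSSL[release]) >= 0
```

Feed it the output of `dpkg-query -W -f='${Version}' libssl1.0.0` together with the release number to decide whether a host still needs this update.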
Google Expands Default HTTPS to Blogspot
On Tuesday Google flipped the switch on default HTTPS support for its blog publishing service Blogspot, upping the security ante for millions of its bloggers.
WatchGuard Protects Students While Leveraging Latest Learning Technology
CEBA-2016:0713 CentOS 6 initscripts BugFix Update
CentOS Errata and Bugfix Advisory 2016:0713
Upstream details at: https://rhn.redhat.com/errata/RHBA-2016-0713.html
The updated files have been uploaded and are currently syncing to the mirrors.
CEBA-2016:0714 CentOS 6 mod_nss BugFix Update
CentOS Errata and Bugfix Advisory 2016:0714
Upstream details at: https://rhn.redhat.com/errata/RHBA-2016-0714.html
The updated files have been uploaded and are currently syncing to the mirrors.
OpenSSL Releases Security Updates
Original release date: May 03, 2016
OpenSSL has released security updates to address vulnerabilities in previous versions. Exploitation of one of these vulnerabilities may allow a remote attacker to take control of an affected system.
Available updates include:
- OpenSSL 1.0.2h for 1.0.2 users
- OpenSSL 1.0.1t for 1.0.1 users
US-CERT encourages users and administrators to review the OpenSSL Security Advisory page and apply the necessary updates.
Linux Foundation Badge Program to Boost Open Source Security
A new CII Best Practices Badge program will help companies interested in adopting open source technologies evaluate projects based on security, quality and stability.