Revision Note: V2.0 (May 18, 2016): Advisory updated to provide links to the current information regarding the use of the SHA-1 hashing algorithm for SSL and code signing. For more information, see Windows Enforcement of Authenticode Code Signing and Timestamping.
Summary: Microsoft is announcing a policy change to the Microsoft Root Certificate Program. Under the new policy, root certificate authorities may no longer issue X.509 certificates that use the SHA-1 hashing algorithm for SSL or code signing after January 1, 2016. Because SHA-1 is weak against collision attacks, its continued use in digital certificates could allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle attacks.
Monthly Archives: May 2016
2012 LinkedIn Breach Just Got a Lot Worse: 117 Million New Logins For Sale
More than 100 million LinkedIn usernames and passwords for sale on dark web as 2012 breach comes back to haunt business-savvy social network.
Debian Security Advisory 3582-1
Debian Linux Security Advisory 3582-1 – Gustavo Grieco discovered that Expat, an XML parsing C library, does not properly handle certain kinds of malformed input documents, resulting in buffer overflows during processing and error reporting. A remote attacker can take advantage of this flaw to cause an application using the Expat library to crash, or potentially, to execute arbitrary code with the privileges of the user running the application.
Ubuntu Security Notice USN-2983-1
Ubuntu Security Notice 2983-1 – Gustavo Grieco discovered that Expat incorrectly handled malformed XML data. If a user or application linked against Expat were tricked into opening a crafted XML file, an attacker could cause a denial of service, or possibly execute arbitrary code.
Ubuntu Security Notice USN-2950-4
Ubuntu Security Notice 2950-4 – USN-2950-1 fixed vulnerabilities in Samba. The backported fixes introduced in Ubuntu 12.04 LTS caused interoperability issues. This update fixes compatibility with certain NAS devices, and allows connecting to Samba 3.6 servers by relaxing the “client ipc signing” parameter to “auto”. Various other issues were also addressed.
HP Security Bulletin HPSBGN03587 1
HP Security Bulletin HPSBGN03587 1 – A security vulnerability in Open vSwitch could potentially affect HPE Helion OpenStack, resulting in remote denial of service (DoS) or arbitrary command execution. HPE Helion OpenStack has also addressed several OpenSSL vulnerabilities, including the cross-protocol attack on TLS using SSLv2, also known as “DROWN”, which could be exploited remotely to disclose information, and multiple other OpenSSL vulnerabilities which could be exploited remotely, resulting in denial of service (DoS) or other impacts. Revision 1 of this advisory.
FreeBSD Security Advisory – FreeBSD-SA-16:18.atkbd
FreeBSD Security Advisory – An incorrect signedness comparison in the ioctl(2) handler allows a malicious local user to overwrite a portion of kernel memory. A local user may crash the kernel, read a portion of kernel memory, or execute arbitrary code in kernel context; arbitrary code execution in kernel context amounts to privilege escalation.
FreeBSD Security Advisory – FreeBSD-SA-16:19.sendmsg
FreeBSD Security Advisory – Incorrect argument handling in the socket code allows a malicious local user to overwrite a large portion of kernel memory. A malicious local user may crash the kernel or execute arbitrary code in the kernel, potentially gaining superuser privileges.
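Both FreeBSD advisories above (the atkbd signedness comparison and the sendmsg argument handling) describe the same class of kernel bug: a length or index supplied by an unprivileged local user is validated with a signed comparison against an upper bound only, so a negative value passes the check and then becomes an enormous unsigned count when handed to the copy routine. The following C program is an added, constructed illustration of that bug class; it is not the FreeBSD atkbd or socket code, and the buffer size, structure and function names are invented for the example. It shows the vulnerable check beside a hardened one and reports what each would pass to the copy routine.

```c
/*
 * Constructed illustration of a signedness bug in a kernel-style argument
 * check. NOT FreeBSD's atkbd or socket code: KBUF_LEN, copy_decision and
 * the handler names are invented for this example.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define KBUF_LEN 16   /* size of the kernel-side buffer the handler fills */

/* What the handler decides: whether validation passed, and how many bytes
 * it would hand to the copy routine (copyin/memcpy in a real kernel). */
struct copy_decision {
    int accepted;
    size_t nbytes;
};

/* Vulnerable handler: 'len' is an int, as many ioctl and msghdr fields are.
 * `len > KBUF_LEN` is a signed comparison, so -1 > 16 is false and the
 * request is accepted; the cast to size_t then yields SIZE_MAX and the copy
 * would run far past the 16-byte buffer. */
static struct copy_decision vulnerable_handler(int len)
{
    struct copy_decision d = { 0, 0 };
    if (len > KBUF_LEN)            /* only the upper bound is checked */
        return d;
    d.accepted = 1;
    d.nbytes = (size_t)len;        /* -1 becomes SIZE_MAX here */
    return d;
}

/* Hardened handler: reject negative lengths explicitly, then compare as
 * size_t so the check and the copy agree on signedness. Declaring the
 * length unsigned at the API boundary achieves the same effect. */
static struct copy_decision hardened_handler(int len)
{
    struct copy_decision d = { 0, 0 };
    if (len < 0 || (size_t)len > KBUF_LEN)
        return d;
    d.accepted = 1;
    d.nbytes = (size_t)len;
    return d;
}

/* Apply a decision to a real buffer. Refuses to copy more than fits, so the
 * demo itself never writes out of bounds; a real kernel has no such guard
 * after the handler's own check. Returns the number of bytes copied. */
static size_t apply_decision(struct copy_decision d, const unsigned char *src,
                             unsigned char kbuf[KBUF_LEN])
{
    if (!d.accepted || d.nbytes > KBUF_LEN)
        return 0;
    memcpy(kbuf, src, d.nbytes);
    return d.nbytes;
}

int main(void)
{
    unsigned char user_payload[KBUF_LEN] = "constructed";   /* sample input */
    unsigned char kbuf[KBUF_LEN] = { 0 };
    int probes[] = { 8, KBUF_LEN, KBUF_LEN + 1, -1, INT32_MIN };

    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        struct copy_decision v = vulnerable_handler(probes[i]);
        struct copy_decision h = hardened_handler(probes[i]);
        printf("len=%11d  vulnerable: accepted=%d nbytes=%zu  "
               "hardened: accepted=%d\n",
               probes[i], v.accepted, v.nbytes, h.accepted);
        apply_decision(h, user_payload, kbuf);
    }
    return 0;
}
```

The negative probes are the interesting rows: the vulnerable handler accepts them and would pass a length of SIZE_MAX (or, for INT32_MIN, a value just as far out of range) to the copy, which is exactly the kernel memory overwrite the advisories describe. The fix is not to pick a larger buffer but to make the range check and the copy use the same signedness.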