Bugtraq Mailing List

The premier general security mailing list. Vulnerabilities are often announced here first, so check frequently!

List Archives

Monthly archives are available for 1993 through 2016.

Latest Posts

[SECURITY] [DSA 3746-1] graphicsmagick security update Luciano Bello (Dec 25)
-------------------------------------------------------------------------
Debian Security Advisory DSA-3746-1 security () debian org
https://www.debian.org/security/ Luciano Bello
December 24, 2016 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : graphicsmagick
CVE ID : CVE-2015-8808 CVE-2016-2317...

[slackware-security] expat (SSA:2016-359-01) Slackware Security Team (Dec 25)
[slackware-security] expat (SSA:2016-359-01)

New expat packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,
14.2, and -current to fix security issues.

Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/expat-2.2.0-i586-1_slack14.2.txz: Upgraded.
This update fixes bugs and security issues:
Multiple integer overflows in XML_GetBuffer.
Fix crash on malformed input.
Improve...

[slackware-security] openssh (SSA:2016-358-02) Slackware Security Team (Dec 25)
[slackware-security] openssh (SSA:2016-358-02)

New openssh packages are available for Slackware 13.0, 13.1, 13.37, 14.0, 14.1,
14.2, and -current to fix security issues.

Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/openssh-7.4p1-i586-1_slack14.2.txz: Upgraded.
This is primarily a bugfix release, and also addresses security issues.
ssh-agent(1): Will now refuse to load PKCS#11...

[slackware-security] httpd (SSA:2016-358-01) Slackware Security Team (Dec 25)
[slackware-security] httpd (SSA:2016-358-01)

New httpd packages are available for Slackware 14.0, 14.1, 14.2, and -current to
fix security issues.

Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/httpd-2.4.25-i586-1_slack14.2.txz: Upgraded.
This update fixes the following security issues:
* CVE-2016-8740: mod_http2: Mitigate DoS memory exhaustion via endless
CONTINUATION frames.
*...

XAMPP Control Panel Memory Corruption Denial Of Service HYP3RLINX (Dec 25)
[+] Credits: John Page (hyp3rlinx)

[+] Website: hyp3rlinx.altervista.org

[+] Source: http://hyp3rlinx.altervista.org/advisories/XAMPP-CONTROL-PANEL-MEMORY-CORRUPTION-DOS.txt

[+] ISR: ApparitionSec

Vendor:
=====================
www.apachefriends.org

Product:
===================
XAMPP Control Panel

XAMPP is a free and open source cross-platform web server solution stack package developed by Apache Friends,
consisting mainly of the...

[SECURITY] [DSA 3744-1] libxml2 security update Salvatore Bonaccorso (Dec 23)
-------------------------------------------------------------------------
Debian Security Advisory DSA-3744-1 security () debian org
https://www.debian.org/security/ Salvatore Bonaccorso
December 23, 2016 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : libxml2
CVE ID : CVE-2016-4658 CVE-2016-5131
Debian...

FreeBSD Security Advisory FreeBSD-SA-16:39.ntp FreeBSD Security Advisories (Dec 22)
=============================================================================
FreeBSD-SA-16:39.ntp Security Advisory
The FreeBSD Project

Topic: Multiple vulnerabilities of ntp

Category: contrib
Module: ntp
Announced: XXXX-XX-XX
Credits: Network Time Foundation
Affects: All supported versions of FreeBSD....

CVE-2014-4138: MSIE 11 MSHTML CPasteCommand::ConvertBitmaptoPng heap-based buffer overflow Berend-Jan Wever (Dec 22)
Since November I have been releasing details on all vulnerabilities I
found that I have not released before. This is the 37th entry in the
series. This information is available in more detail on my blog at
http://blog.skylined.nl/20161221001.html. There you can find a repro
that triggered this issue in addition to the information below, as well
as a Proof-of-Concept exploit that attempts to prove exploitability.

If you find these releases...

[SECURITY] [DSA 3732-2] php-ssh2 regression update Sebastien Delafond (Dec 21)
-------------------------------------------------------------------------
Debian Security Advisory DSA-3732-2 security () debian org
https://www.debian.org/security/ Sebastien Delafond
December 21, 2016 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : php-ssh2
Debian Bug : 848632

The update for php5...

ASP.NET Core 5-RC1 HTTP Header Injection Advisories (Dec 21)
#############################################################
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#############################################################
#
# Product: ASP.NET Core
# Vendor: Microsoft https://www.microsoft.com
# CSNC ID: CSNC-2016-006
# Subject: HTTP Header Injection
# Risk: Medium
# Effect: HTTP Header manipulation
# Author: Reto Schädler (advisories ()...

[SECURITY] [DSA 3743-1] python-bottle security update Sebastien Delafond (Dec 21)
-------------------------------------------------------------------------
Debian Security Advisory DSA-3743-1 security () debian org
https://www.debian.org/security/ Sebastien Delafond
December 20, 2016 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : python-bottle
CVE ID : CVE-2016-9964
Debian Bug...

CVE-2014-1785: MSIE 11 MSHTML CSpliceTreeEngine::RemoveSplice use-after-free Berend-Jan Wever (Dec 20)
Since November I have been releasing details on all vulnerabilities I
found that I have not released before. This is the 36th entry in the
series. This information is available in more detail on my blog at
http://blog.skylined.nl/20161220001.html. There you can find a repro
that triggered this issue in addition to the information below, as well
as a Proof-of-Concept exploit that attempts to prove exploitability.

If you find these releases...

[SYSS-2016-115] Cisco Expressway: Security Bypass Vulnerability (CWE-20) Micha Borrmann (Dec 19)
Advisory ID: SYSS-2016-115
Product: Expressway
Manufacturer: Cisco
Affected Version(s): below X8.9
Tested Version(s): X8.8.1
Vulnerability Type: Improper Input Validation (CWE-20)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2016-11-10
Solution Date: 2016-12-05
Public Disclosure: 2016-12-14
CVE Reference: CVE-2016-9207
Author of Advisory: Micha Borrmann, SySS GmbH...

[SECURITY] [DSA 3738-1] tomcat7 security update Sebastien Delafond (Dec 19)
-------------------------------------------------------------------------
Debian Security Advisory DSA-3738-1 security () debian org
https://www.debian.org/security/ Sebastien Delafond
December 18, 2016 https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package : tomcat7
CVE ID : CVE-2016-6816 CVE-2016-8735...

Samsung DVR credentials encoded in base64 in cookie header Jacobo Avariento (Dec 19)
Product: Samsung DVR
Impact: High

Intro
~~~~~~~~~~~~~~~

Samsung DVR Web Viewer uses HTTP (port 80) by default and transmits
the credentials in the Cookie header using a very bad security
practice: the login and password are merely Base64-encoded.
It is trivial to decode those values and gain access to the Samsung DVR web
interface to monitor and control IP cameras, if the default credentials
have been changed.

Vulnerable code...

More Lists

Dozens of other network security lists are archived at SecLists.Org.
