what you don't know can hurt you
Showing 1 - 13 of 13 RSS Feed

CVE-2012-4929

Status Candidate

Overview

The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, Qt, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack.

Related Files

Debian Security Advisory 3253-1
Posted May 8, 2015
Authored by Debian | Site debian.org

Debian Linux Security Advisory 3253-1 - Pound, a HTTP reverse proxy and load balancer, had several issues related to vulnerabilities in the Secure Sockets Layer (SSL) protocol.

tags | advisory, web, vulnerability, protocol
systems | linux, debian
advisories | CVE-2009-3555, CVE-2012-4929, CVE-2014-3566
MD5 | 95e303d41fabd615cbb012bafdfebb67
Red Hat Security Advisory 2014-0416-01
Posted Apr 17, 2014
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2014-0416-01 - Red Hat Enterprise Virtualization Manager provides access to virtual machines using SPICE. These SPICE client packages provide the SPICE client and usbclerk service for both Windows 32-bit operating systems and Windows 64-bit operating systems. The rhevm-spice-client package includes the mingw-virt-viewer Windows SPICE client. OpenSSL, a general purpose cryptography library with a TLS implementation, is bundled with mingw-virt-viewer. The mingw-virt-viewer package has been updated to correct the following issues: An information disclosure flaw was found in the way OpenSSL handled TLS and DTLS Heartbeat Extension packets. A malicious TLS or DTLS client or server could send a specially crafted TLS or DTLS Heartbeat packet to disclose a limited portion of memory per request from a connected client or server. Note that the disclosed portions of memory could potentially include sensitive information such as private keys.

tags | advisory, info disclosure
systems | linux, redhat, windows
advisories | CVE-2012-4929, CVE-2013-0169, CVE-2013-4353, CVE-2014-0160
MD5 | 11512b6f2ee60d28099ef8fec81c28ec
Gentoo Linux Security Advisory 201309-12
Posted Sep 23, 2013
Authored by Gentoo | Site security.gentoo.org

Gentoo Linux Security Advisory 201309-12 - Multiple vulnerabilities have been discovered in Apache HTTP Server, possibly allowing remote attackers to execute arbitrary code, cause a Denial of Service condition or perform man-in-the-middle attacks. Versions less than 2.2.25 are affected.

tags | advisory, remote, web, denial of service, arbitrary, vulnerability
systems | linux, gentoo
advisories | CVE-2007-6750, CVE-2012-4929, CVE-2013-1862, CVE-2013-1896
MD5 | 3bd400e0ab251b33c56a2a76c27ff19d
Ubuntu Security Notice USN-1898-1
Posted Jul 5, 2013
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 1898-1 - The TLS protocol 1.2 and earlier can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext content by observing length differences during a series of guesses in which a provided string potentially matches an unknown string in encrypted and compressed traffic. This is known as a CRIME attack in HTTP. Other protocols layered on top of TLS may also make these attacks practical. This update disables compression for all programs using SSL and TLS provided by the OpenSSL library. To re-enable compression for programs that need compression to communicate with legacy services, define the variable OPENSSL_DEFAULT_ZLIB in the program's environment. Various other issues were also addressed.

tags | advisory, web, protocol
systems | linux, ubuntu
advisories | CVE-2012-4929
MD5 | e91d77a40497225c8f494207c70a3478
Apple Security Advisory 2013-06-04-1
Posted Jun 6, 2013
Authored by Apple | Site apple.com

Apple Security Advisory 2013-06-04-1 - OS X Mountain Lion version 10.8.4 and Security Update 2013-002 is now available and addresses over 30 security issues.

tags | advisory
systems | apple, osx
advisories | CVE-2012-2131, CVE-2012-2333, CVE-2012-4929, CVE-2012-5519, CVE-2013-0155, CVE-2013-0276, CVE-2013-0277, CVE-2013-0333, CVE-2013-0975, CVE-2013-0982, CVE-2013-0983, CVE-2013-0984, CVE-2013-0985, CVE-2013-0986, CVE-2013-0987, CVE-2013-0988, CVE-2013-0989, CVE-2013-0990, CVE-2013-1024, CVE-2013-1854, CVE-2013-1855, CVE-2013-1856, CVE-2013-1857
MD5 | e580e5e26cf89895585ddc931abcf7b1
HP Security Bulletin HPSBUX02866 SSRT101139
Posted Apr 16, 2013
Authored by HP | Site hp.com

HP Security Bulletin HPSBUX02866 SSRT101139 - Potential security vulnerabilities have been identified with HP-UX Running Apache. These vulnerabilities could be exploited remotely to create a Denial of Service (DoS) or to execute arbitrary code and other vulnerabilities. Revision 1 of this advisory.

tags | advisory, denial of service, arbitrary, vulnerability
systems | hpux
advisories | CVE-2007-6750, CVE-2012-2687, CVE-2012-2733, CVE-2012-3499, CVE-2012-3546, CVE-2012-4431, CVE-2012-4534, CVE-2012-4557, CVE-2012-4558, CVE-2012-4929, CVE-2012-5885
MD5 | 68b2f8bb3e9e36c2788256913e850100
Red Hat Security Advisory 2013-0636-01
Posted Mar 13, 2013
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2013-0636-01 - The rhev-hypervisor6 package provides a Red Hat Enterprise Virtualization Hypervisor ISO disk image. A flaw was found in the way QEMU-KVM emulated the e1000 network interface card when the host was configured to accept jumbo network frames, and a guest using the e1000 emulated driver was not. A remote attacker could use this flaw to crash the guest or, potentially, execute arbitrary code with root privileges in the guest.

tags | advisory, remote, arbitrary, root
systems | linux, redhat
advisories | CVE-2012-4929, CVE-2012-6075, CVE-2013-0166, CVE-2013-0169, CVE-2013-1619
MD5 | 88beca4dd1c8934b33bc0e3bb7709c10
Red Hat Security Advisory 2013-0587-01
Posted Mar 4, 2013
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2013-0587-01 - OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength, general purpose cryptography library. It was discovered that OpenSSL leaked timing information when decrypting TLS/SSL and DTLS protocol encrypted records when CBC-mode cipher suites were used. A remote attacker could possibly use this flaw to retrieve plain text from the encrypted packets by using a TLS/SSL or DTLS server as a padding oracle. A NULL pointer dereference flaw was found in the OCSP response verification in OpenSSL. A malicious OCSP server could use this flaw to crash applications performing OCSP verification by sending a specially-crafted response.

tags | advisory, remote, protocol
systems | linux, redhat
advisories | CVE-2012-4929, CVE-2013-0166, CVE-2013-0169
MD5 | 1267aad3a2846b9905245b92447e8580
Debian Security Advisory 2627-1
Posted Feb 18, 2013
Authored by Debian | Site debian.org

Debian Linux Security Advisory 2627-1 - Juliano Rizzo and Thai Duong discovered a weakness in the TLS/SSL protocol when using compression. This side channel attack, dubbed 'CRIME', allows eavesdroppers to gather information to recover the original plaintext in the protocol. This update to nginx disables SSL compression.

tags | advisory, protocol
systems | linux, debian
advisories | CVE-2012-4929
MD5 | fd19209a51b2dfdd97a8814cced80aca
Debian Security Advisory 2626-1
Posted Feb 18, 2013
Authored by Debian | Site debian.org

Debian Linux Security Advisory 2626-1 - Several vulnerabilities were discovered in the TLS/SSL protocol. This update addresses these protocol vulnerabilities in lighttpd.

tags | advisory, vulnerability, protocol
systems | linux, debian
advisories | CVE-2009-3555, CVE-2012-4929
MD5 | 4c47aa4a11db2234e2e435c63140bd1c
Debian Security Advisory 2579-1
Posted Nov 30, 2012
Authored by Debian | Site debian.org

Debian Linux Security Advisory 2579-1 - A vulnerability has been found in the Apache HTTPD Server.

tags | advisory
systems | linux, debian
advisories | CVE-2012-4557, CVE-2012-4929
MD5 | 67a85ba61ddfb3f26b1eb9b16db42ffa
Ubuntu Security Notice USN-1628-1
Posted Nov 8, 2012
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 1628-1 - Juliano Rizzo and Thai Duong discovered a flaw in the Transport Layer Security (TLS) protocol when it is used with data compression. If an attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to view sensitive information. This update disables TLS data compression in Qt by default.

tags | advisory, protocol
systems | linux, ubuntu
advisories | CVE-2012-4929
MD5 | b1eabd436f8df01f88a6cb94c238c300
Ubuntu Security Notice USN-1627-1
Posted Nov 8, 2012
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 1627-1 - It was discovered that the mod_negotiation module incorrectly handled certain filenames, which could result in browsers becoming vulnerable to cross-site scripting attacks when processing the output. With cross-site scripting vulnerabilities, if a user were tricked into viewing server output during a crafted server request, a remote attacker could exploit this to modify the contents, or steal confidential data (such as passwords), within the same domain. It was discovered that the Apache HTTP Server was vulnerable to the "CRIME" SSL data compression attack. Although this issue had been mitigated on the client with newer web browsers, this update also disables SSL data compression on the server. A new SSLCompression directive for Apache has been backported that may be used to re-enable SSL data compression in certain environments.

tags | advisory, remote, web, vulnerability, xss
systems | linux, ubuntu
advisories | CVE-2012-2687, CVE-2012-4929, CVE-2012-2687, CVE-2012-4929
MD5 | 479f43fd0a4b55159b9574029e2abc02
Page 1 of 1
Back1Next

File Archive:

December 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    1 Files
  • 2
    Dec 2nd
    16 Files
  • 3
    Dec 3rd
    17 Files
  • 4
    Dec 4th
    23 Files
  • 5
    Dec 5th
    11 Files
  • 6
    Dec 6th
    6 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close