what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 25 of 90 RSS Feed

Files

OpenSSL Security Advisory 20160301
Posted Mar 1, 2016
Site openssl.org

OpenSSL Security Advisory 20160301 - A cross-protocol attack was discovered that could lead to decryption of TLS sessions by using a server supporting SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA padding oracle. Note that traffic between clients and non-vulnerable servers can be decrypted provided another server supporting SSLv2 and EXPORT ciphers (even with a different protocol such as SMTP, IMAP or POP) shares the RSA keys of the non-vulnerable server. This vulnerability is known as DROWN (CVE-2016-0800). Other issues were also addressed.

tags | advisory, imap, protocol
advisories | CVE-2015-0293, CVE-2015-3197, CVE-2016-0702, CVE-2016-0703, CVE-2016-0704, CVE-2016-0705, CVE-2016-0797, CVE-2016-0798, CVE-2016-0799, CVE-2016-0800
SHA-256 | 01a1884d87908b83b7d1ea8457725884e3808b62f9b3c4b5d54e2a07a55e9dd8

Related Files

OpenSSL Security Advisory 20240125
Posted Jan 25, 2024
Site openssl.org

OpenSSL Security Advisory 20240125 - Processing a maliciously formatted PKCS12 file may lead OpenSSL to crash leading to a potential Denial of Service attack

tags | advisory, denial of service
advisories | CVE-2024-0727
SHA-256 | 122bc2210b0d7b2b8983382412d0e712d4d63cfd3b44a579f3f8053a9415b2a2
OpenSSL Security Advisory 20240115
Posted Jan 15, 2024
Site openssl.org

OpenSSL Security Advisory 20240115 - Checking excessively long invalid RSA public keys may take a long time.

tags | advisory
advisories | CVE-2023-6237
SHA-256 | 176c18b9e5ea6214b9abf1fe76a21e3e5746b145cd308a603d8dc4b895b269ff
OpenSSL Security Advisory 20240109
Posted Jan 9, 2024
Site openssl.org

OpenSSL Security Advisory 20240109 - The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications running on PowerPC CPU based platforms if the CPU provides vector instructions.

tags | advisory
advisories | CVE-2023-6129
SHA-256 | 96d61a8c58cb14bf75cc794f7eb487fcc526fb0873fe97c3c9779d86fc65cb31
OpenSSL Security Advisory 20231106
Posted Nov 6, 2023
Site openssl.org

OpenSSL Security Advisory 20231106 - Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or parameters may be very slow.

tags | advisory
advisories | CVE-2023-3817, CVE-2023-5678
SHA-256 | 571f986ddee0d0a3c6499ab09f34a768ad263d9979a6441ec9fe524febb124a3
OpenSSL Security Advisory 20231024
Posted Oct 24, 2023
Site openssl.org

OpenSSL Security Advisory 20231024 - A bug has been identified in the processing of key and initialisation vector (IV) lengths. This can lead to potential truncation or overruns during the initialisation of some symmetric ciphers.

tags | advisory, overflow
advisories | CVE-2023-5363
SHA-256 | f4d3485a23985abf9c4d8cc118c959af0f23c7e3e3cd388642bad93425715bd6
OpenSSL Security Advisory 20230908
Posted Sep 8, 2023
Site openssl.org

OpenSSL Security Advisory 20230908 - The POLY1305 MAC (message authentication code) implementation contains a bug that might corrupt the internal state of applications on the Windows 64 platform when running on newer X86_64 processors supporting the AVX512-IFMA instructions.

tags | advisory
systems | windows
advisories | CVE-2023-4807
SHA-256 | d6e94a3126e644bbaa13389ba335ceeae5306ba99c3e42bf3217ce69144d0f9c
OpenSSL Security Advisory 20230731
Posted Jul 31, 2023
Site openssl.org

OpenSSL Security Advisory 20230731 - Checking excessively long DH keys or parameters may be very slow.

tags | advisory
advisories | CVE-2023-3446, CVE-2023-3817
SHA-256 | b497bf3e1c45020f0f227205c740557918c2fef680976bc3d389ede0493cb6b1
OpenSSL Security Advisory 20230719
Posted Jul 19, 2023
Site openssl.org

OpenSSL Security Advisory 20230719 - Checking excessively long DH keys or parameters may be very slow.

tags | advisory
advisories | CVE-2023-3446
SHA-256 | 317d782978ef6b0abc3f22eb5afa9d3557d2e60a10438b7019257e55a88ad3b0
OpenSSL Security Advisory 20230714
Posted Jul 14, 2023
Site openssl.org

OpenSSL Security Advisory 20230714 - The AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries which are unauthenticated as a consequence.

tags | advisory
advisories | CVE-2023-2975
SHA-256 | 533eb47fbd60f88ad1ad3c18b56350b6804b9be10b8c81fe9a8f322433dad421
OpenSSL Security Advisory 20230530
Posted May 30, 2023
Site openssl.org

OpenSSL Security Advisory 20230530 - Processing some specially crafted ASN.1 object identifiers or data containing them may be very slow. Applications that use OBJ_obj2txt() directly, or use any of the OpenSSL subsystems OCSP, PKCS7/SMIME, CMS, CMP/CRMF or TS with no message size limit may experience notable to very long delays when processing those messages, which may lead to a denial of service.

tags | advisory, denial of service
advisories | CVE-2023-2650
SHA-256 | b6e55e05830de14ac3c49c8cd590cf768a53232601f6b368a7e7f5592107d724
OpenSSL Security Advisory 20230420
Posted Apr 20, 2023
Site openssl.org

OpenSSL Security Advisory 20230420 - The AES-XTS cipher decryption implementation for 64 bit ARM platform contains a bug that could cause it to read past the input buffer, leading to a crash.

tags | advisory
advisories | CVE-2023-1255
SHA-256 | aafe0dcb9955f2ea6be0373a336c5f4cdd6794acce536fbb2b3c3d6df1f2a3bc
OpenSSL Security Advisory 20230328
Posted Mar 28, 2023
Site openssl.org

OpenSSL Security Advisory 20230328 - Applications that use a non-default option when verifying certificates may be vulnerable to an attack from a malicious CA to circumvent certain checks. Other issues were also addressed.

tags | advisory
advisories | CVE-2023-0465, CVE-2023-0466
SHA-256 | 45f093de13d28951a80600fc57f75878cc0706b4029a8f138eace8cbf3ce7b22
OpenSSL Security Advisory 20230322
Posted Mar 22, 2023
Site openssl.org

OpenSSL Security Advisory 20230322 - A security vulnerability has been identified in all supported versions of OpenSSL related to the verification of X.509 certificate chains that include policy constraints. Attackers may be able to exploit this vulnerability by creating a malicious certificate chain that triggers exponential use of computational resources, leading to a denial-of-service (DoS) attack on affected systems.

tags | advisory
advisories | CVE-2023-0464
SHA-256 | 7b03359b9fc8f357f8b0fd5e0e7a05a04c2c8ac49b1018bb2ee2e59b2b1927b3
OpenSSL Security Advisory 20230207
Posted Feb 7, 2023
Site openssl.org

OpenSSL Security Advisory 20230207 - Security issues addressed in OpenSSL include X.400 address type confusion in X.509 GeneralName, a timing oracle in RSA decryption, a X.509 Name Constraints read buffer overflow, a use-after-free following BIO_new_NDEF, a double-free after calling PEM_read_bio_ex, an invalid pointer dereference in d2i_PKCS7 functions, a NULL dereference validating DSA public key, and a NULL dereference during PKCS7 data verification.

tags | advisory, overflow
advisories | CVE-2022-4203, CVE-2022-4304, CVE-2022-4450, CVE-2023-0215, CVE-2023-0216, CVE-2023-0217, CVE-2023-0286, CVE-2023-0401
SHA-256 | 16370d8b2cce80bd47b575da9533d376c1ce8d49fd8cfdffe9f131d46a43f157
OpenSSL Security Advisory 20221101
Posted Nov 1, 2022
Site openssl.org

OpenSSL Security Advisory 20221101 - A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution. Other issues were also addressed.

tags | advisory, remote, denial of service, overflow, code execution
advisories | CVE-2022-3602, CVE-2022-3786
SHA-256 | f5b2b5456475218f21e11c204399e21895e40c447a1a4638df485d020701c36b
OpenSSL Security Advisory 20221011
Posted Oct 11, 2022
Site openssl.org

OpenSSL Security Advisory 20221011 - OpenSSL supports creating a custom cipher via the legacy EVP_CIPHER_meth_new() function and associated function calls. This function was deprecated in OpenSSL 3.0 and application authors are instead encouraged to use the new provider mechanism in order to implement custom ciphers.

tags | advisory
advisories | CVE-2022-3358
SHA-256 | aadb390fbd7e2bcc00d540add897aa39dfdb2d092990e9cefb0734a56be6270e
OpenSSL Security Advisory 20220705
Posted Jul 5, 2022
Site openssl.org

OpenSSL Security Advisory 20220705 - The OpenSSL 3.0.4 release introduced a serious bug in the RSA implementation for X86_64 CPUs supporting the AVX512IFMA instructions. This issue makes the RSA implementation with 2048 bit private keys incorrect on such machines and memory corruption will happen during the computation. As a consequence of the memory corruption an attacker may be able to trigger a remote code execution on the machine performing the computation. Other issues were also addressed.

tags | advisory, remote, code execution
advisories | CVE-2022-2097, CVE-2022-2274
SHA-256 | 77cb83743e1a820453bd06ea0f03f1f8f2401440b4f893084cdc8d178540f4c6
OpenSSL Security Advisory 20220621
Posted Jun 21, 2022
Site openssl.org

OpenSSL Security Advisory 20220621 - In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection were found by code review.

tags | advisory, shell
advisories | CVE-2022-1292, CVE-2022-2068
SHA-256 | a632f42aad9bc1de330d7aef358f76b215a0921218449031cf1f2077b68dff3a
OpenSSL Security Advisory 20220503
Posted May 3, 2022
Site openssl.org

OpenSSL Security Advisory 20220503 - The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This script is distributed by some operating systems in a manner where it is automatically executed. On such operating systems, an attacker could execute arbitrary commands with the privileges of the script. Other issues were also addressed.

tags | advisory, arbitrary, shell
advisories | CVE-2022-1292, CVE-2022-1343, CVE-2022-1434, CVE-2022-1473
SHA-256 | da0a32c3df546638b4876fba11798d7c64bce5b0a32daab04ad8becaec7a0d51
OpenSSL Security Advisory 20220315
Posted Mar 15, 2022
Site openssl.org

OpenSSL Security Advisory 20220315 - The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli.

tags | advisory, root
advisories | CVE-2022-0778
SHA-256 | 97c5904876a905acc4d7f195f7788f52cfa359a5eeadd2582d509cff8719fac6
OpenSSL Security Advisory 20220128
Posted Jan 28, 2022
Site openssl.org

OpenSSL Security Advisory 20220128 - There is a carry propagation bug in the MIPS32 and MIPS64 squaring procedure. Many EC algorithms are affected, including some of the TLS 1.3 default curves. Impact was not analyzed in detail, because the pre-requisites for attack are considered unlikely and include reusing private keys. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant. However, for an attack on TLS to be meaningful, the server would have to share the DH private key among multiple clients, which is no longer an option since CVE-2016-0701.

tags | advisory
advisories | CVE-2016-0701, CVE-2021-4160
SHA-256 | 9383b0cde7f5a7a29255898a505a908a2012ed0523afb1a778544fce277e37da
OpenSSL Security Advisory 20211214
Posted Dec 14, 2021
Site openssl.org

OpenSSL Security Advisory 20211214 - Internally libssl in OpenSSL calls X509_verify_cert() on the client side to verify a certificate supplied by a server. That function may return a negative return value to indicate an internal error (for example out of memory). Such a negative return value is mishandled by OpenSSL and will cause an IO function (such as SSL_connect() or SSL_do_handshake()) to not indicate success and a subsequent call to SSL_get_error() to return the value SSL_ERROR_WANT_RETRY_VERIFY. This return value is only supposed to be returned by OpenSSL if the application has previously called SSL_CTX_set_cert_verify_callback(). Since most applications do not do this the SSL_ERROR_WANT_RETRY_VERIFY return value from SSL_get_error() will be totally unexpected and applications may not behave correctly as a result. The exact behaviour will depend on the application but it could result in crashes, infinite loops or other similar incorrect responses.

tags | advisory
advisories | CVE-2021-4044
SHA-256 | 78db018aae32942c3ccf7373e8c51e9595c7602b17e7724cf67f204ce2089d36
OpenSSL Security Advisory 20210824
Posted Aug 24, 2021
Site openssl.org

OpenSSL Security Advisory 20210824 - In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the "out" parameter. Other issues were also addressed.

tags | advisory
advisories | CVE-2021-3711, CVE-2021-3712
SHA-256 | 66334c85ddd9c930da8fe00ca3eaff4182ef23553e0a3eadf85842e9a513e5bb
OpenSSL Security Advisory 20210325
Posted Mar 25, 2021
Site openssl.org

OpenSSL Security Advisory 20210325 - The X509_V_FLAG_X509_STRICT flag enables additional security checks of the certificates present in a certificate chain. It is not set by default. Other issues were also addressed.

tags | advisory
advisories | CVE-2021-3449, CVE-2021-3450
SHA-256 | 55d25269ba150b01444f96b032ec37fee3669c70ad7324bb78b23f604cf1aed7
OpenSSL Security Advisory 20210216
Posted Feb 16, 2021
Site openssl.org

OpenSSL Security Advisory 20210216 - The OpenSSL public API function X509_issuer_and_serial_hash() attempts to create a unique hash value based on the issuer and serial number data contained within an X509 certificate. However it fails to correctly handle any errors that may occur while parsing the issuer field (which might occur if the issuer field is maliciously constructed). This may subsequently result in a NULL pointer deref and a crash leading to a potential denial of service attack. Other issues were also addressed.

tags | advisory, denial of service
advisories | CVE-2021-23839, CVE-2021-23840, CVE-2021-23841
SHA-256 | 30fecce45189fbb6c13d7b9ef464c081530b0c13a73687a10fc90f4689b57bd1
Page 1 of 4
Back1234Next

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    20 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    17 Files
  • 8
    Oct 8th
    66 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close