Secunia Security Advisory - Debian has issued an update for python-crypto. This fixes a weakness, which can be exploited by malicious people to conduct brute force attacks.
1da34bccbc972e9e82edbd3e546f7e6ed908bd526a4ef4849070525b4e3c5e6aCodetective is an analysis tool to determine the crypto/encoding algorithm used according to traces of its representation. It can be used as a standalone version or as a volatility plugin for memory analysis. Written in Python.
6d7f7c9929411d71f8f8d633c69a2b0aff2ad298c1c55d04b73f89278231eda8Mandriva Linux Security Advisory 2012-038 - The implementation of Cryptographic Message Syntax and PKCS #7 in OpenSSL before 0.9.8u and 1.x before 1.0.0h does not properly restrict certain oracle behavior, which makes it easier for context-dependent attackers to decrypt data via a Million Message Attack adaptive chosen ciphertext attack. The mime_param_cmp function in crypto/asn1/asn_mime.c in OpenSSL before 0.9.8u and 1.x before 1.0.0h allows remote attackers to cause a denial of service via a crafted S/MIME message, a different vulnerability than CVE-2006-7250. The updated packages have been patched to correct these issues.
39adc297298f941be7a71d3df5bf4130fda4950b19b1987d86909215135fc84eCodetective is a simple tool to determine the crypto/encoding algorithm used according to traces of its representation. Written in Python.
cbaf97c8b1ea47226eb5fa662a8442645b216ebfcc9373d0676a59eafd9816a9The cryptographic algorithm called INCrypt32 is a MAC algorithm to authenticate participants, RFID cards and readers, in HID Global's iCLASS systems. HID's iCLASS cards are widely used contactless smart cards for physical access control. Although INCrypt32 is a heart of the security of HID's iCLASS systems, its security has not been evaluated yet since the specification has not been open to public. In this paper, they reveal the specification of INCrypt32 by reverse engineering an iCLASS card and investigate the security of INCrypt32. As a result, we show that the secret key of size 64 bits can be recovered using only 218 MAC queries if the attacker can request MAC for chosen messages of arbitrary length. If the length of messages is limited to pre-determined values by the authentication protocol, the required number of MAC queries grows to 242 to recover the secret key.
cb8784c8a30a60fd5be4ccee3a92361bbb9b0c25e831d60269f418117ec0e6b6Debian Linux Security Advisory 2374-1 - The information security group at ETH Zurich discovered a denial of service vulnerability in the crypto helper handler of the IKE daemon pluto.
2e3b194b94bdc4f7f0091e298a2cc51c679c239928c746db286a6f2f132d600bMandriva Linux Security Advisory 2011-137 - The elliptic curve cryptography subsystem in OpenSSL 1.0.0d and earlier, when the Elliptic Curve Digital Signature Algorithm is used for the ECDHE_ECDSA cipher suite, does not properly implement curves over binary fields, which makes it easier for context-dependent attackers to determine private keys via a timing attack and a lattice calculation. crypto/x509/x509_vfy.c in OpenSSL 1.0.x before 1.0.0e does not initialize certain structure members, which makes it easier for remote attackers to bypass CRL validation by using a nextUpdate value corresponding to a time in the past. The ephemeral ECDH ciphersuite functionality in OpenSSL 0.9.8 through 0.9.8s and 1.0.x before 1.0.0e does not ensure thread safety during processing of handshake messages, which allows remote attackers to cause a denial of service via out-of-order messages that violate the TLS protocol.
83fe8b76f3683d9eb0fcf02ef6b3ea18f900160bf76d8b38af1184c342723125Debian Linux Security Advisory 2309-1 - Several fraudulent SSL certificates have been found in the wild issued by the DigiNotar Certificate Authority, obtained through a security compromise of said company. After further updates on this incident, it has been determined that all of DigiNotar's signing certificates can no longer be trusted. Debian, like other software distributors and vendors, has decided to distrust all of DigiNotar's CAs. In this update, this is done in the crypto library (a component of the OpenSSL toolkit) by marking such certificates as revoked. Any application that uses said component should now reject certificates signed by DigiNotar. Individual applications may allow users to override the validation failure. However, making exceptions is highly discouraged and should be carefully verified.
c9d8a375c0399f2af9207a01a9c3c4cccc9e6f2240cc36adbbc69c96b87db9bbDebian Linux Security Advisory 2300-2 - Several unauthorized SSL certificates have been found in the wild issued for the DigiNotar Certificate Authority, obtained through a security compromise with said company. Debian, like other software distributors, has as a precaution decided to disable the DigiNotar Root CA by default in the NSS crypto libraries.
a8523c0d5511a75e62c5239ae7c4ac1bb144833ea9aad42fd23ec3b7b56f7d06Debian Linux Security Advisory 2300-1 - Several unauthorised SSL certificates have been found in the wild issued for the DigiNotar Certificate Authority, obtained through a security compromise with said company. Debian, like other software distributors, has as a precaution decided to disable the DigiNotar Root CA by default in the NSS crypto libraries.
88447320d17198b74f9bc3124e1ce5f1ee288bf0f1bc1bce82542640bc3bad22This whitepaper describes a timing attack vulnerability in OpenSSL's ladder implementation for curves over binary fields. They use this vulnerability to steal the private key of a TLS server where the server authenticates with ECDSA signatures. Using the timing of the exchanged messages, the messages themselves, and the signatures, they mount a lattice attack that recovers the private key. Finally, they describe and implement an effective countermeasure.
a639445448cf4d50a71d847a0554fa7ab0640e8c63cc63998bd97f803f5b3b40pycryptopp provides a few useful cryptography algorithms for Python programmers, based on the excellent Crypto++ library (which is written in C++).
d504775b73d30fb05a3237f83c4e9e1ff3312cbba90a4a23e6cbb7d32219502bOpenCT implements driver and middle-ware for smart card readers. OpenCT drivers can be used via the ct-api interface, the ifdhandler interface, or its own interface/middle-ware. It implements drivers for several USB crypto tokens, USB smart card readers, serial smart card readers, and PCMCIA smart card readers.
6cd3e2933d29eb1f875c838ee58b8071fd61f0ec8ed5922a86c01c805d181a68Debian Linux Security Advisory 2100-1 - George Guninski discovered a double free in the ECDH code of the OpenSSL crypto library, which may lead to denial of service and potentially the execution of arbitrary code.
3909f527b897a5b897e023ce44d7c8ead354203ce693f5c7850f56715487e780Mandriva Linux Security Advisory 2010-022 - Memory leak in the zlib_stateful_finish function in crypto/comp/c_zlib.c in OpenSSL 0.9.8l and earlier and 1.0.0 Beta through Beta 4 allows remote attackers to cause a denial of service (memory consumption) via vectors that trigger incorrect calls to the CRYPTO_free_all_ex_data function, as demonstrated by use of SSLv3 and PHP with the Apache HTTP Server, a related issue to CVE-2008-1678. Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. The updated packages have been patched to correct thies issue.
5fab82dded984f2d28a43ce0b364ecbb0af960fb9cd65d21a63b32da93c43922Mandriva Linux Security Advisory 2010-006 - Multiple integer underflows in the (1) AES and (2) RC4 decryption functionality in the crypto library in MIT Kerberos 5 (aka krb5) 1.3 through 1.6.3, and 1.7 before 1.7.1, allow remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code by providing ciphertext with a length that is too short to be valid. Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers. The updated packages have been patched to correct this issue.
9f70ce78c2c0b634beeb98136eb345b2a70b61ec35ea940051ea6afab678304cDebian Linux Security Advisory 1969-1 - It was discovered that krb5, a system for authenticating users and services on a network, is prone to integer underflow in the AES and RC4 decryption operations of the crypto library. A remote attacker can cause crashes, heap corruption, or, under extraordinarily unlikely conditions, arbitrary code execution.
c4c0487c3ec908e26276616469e2ceb5a694e1905319464efe1257fe6f2cb47eMIT krb5 Security Advisory 2009-004 - Integer underflow bugs in the AES and RC4 decryption operations of the crypto library of the MIT Kerberos software can cause crashes, heap corruption, or, under extraordinarily unlikely conditions, arbitrary code execution. Only releases krb5-1.3 and later are vulnerable, as earlier releases did not contain the functionality implemented by the vulnerable code.
193c3366049395667e47d23e4b590c4d4d8774883250a735de92418983d0d6ecNettle is a cryptographic library that is designed to fit easily in more or less any context: in crypto toolkits for object-oriented languages (C++, Python, Pike, etc.), in applications like LSH or GNUPG, or even in kernel space. In most contexts, you need more than the basic cryptographic algorithms; you also need some way to keep track of available algorithms and their properties and variants. You often have some algorithm selection process, often dictated by a protocol you want to implement. And as the requirements of applications differ in subtle and not so subtle ways, an API that fits one application well can be a pain to use in a different context, which is why there are so many different cryptographic libraries around. Nettle tries to avoid this problem by doing one thing, the low-level crypto stuff, and providing a simple but general interface to it. In particular, Nettle doesn't do algorithm selection. It doesn't do memory allocation. It doesn't do any I/O. The idea is that one can build several application- and context-specific interfaces on top of Nettle and share the code, testcases, benchmarks, documentation, etc.
65b9e230b953bfb075f10473917e216df9b825fc325b88f69cdf756ffa17cbd6Debian Security Advisory 1763-1 - It was discovered that insufficient length validations in the ASN.1 handling of the OpenSSL crypto library may lead to denial of service when processing a manipulated certificate.
67833f7e6d6fa9214058e01bf4e7eb29a005fff8160d3ee5e1e99b4396c1e949Secunia Security Advisory - Ubuntu has issued an update for python-crypto. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.
f88628f5290931e2e7271e667baf2daee87099f96b72f3da6c28de0df64458b6Ubuntu Security Notice USN-729-1 - Mike Wiacek discovered that the ARC2 implementation in Python Crypto did not correctly check the key length. If a user or automated system were tricked into processing a malicious ARC2 stream, a remote attacker could execute arbitrary code or crash the application using Python Crypto, leading to a denial of service.
36546a44c4b9b05f4b704008fb59bbae4c28fc388c90a10ecf4b3f3eb77bfdd3Secunia Security Advisory - Debian has issued an update for python-crypto. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.
ab9ab455d2633d543a9f1edfb0effdcc1f34b8ad6e0a8716999a85d43a25bdf7Secunia Security Advisory - Fedora has issued an update for python-crypto. This fixes a vulnerability, which can be exploited by malicious people to compromise a vulnerable system.
89ae4bc899bcb3dd0eef3549b121dc821d744876fa289584da7fe6f4444ac0e0Debian Security Advisory 1726-1 - Mike Wiacek discovered that a buffer overflow in the ARC2 implementation of Python Crypto, a collection of cryptographic algorithms and protocols for Python allows denial of service and potentially the execution of arbitrary code.
ba165e0a0e50093403abd4d48c8645ca1d66ff27f61ea2a6a3e92f78fb2caa4d
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed