-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01525562
Version: 1
HPSBUX02356 SSRT080051 rev.1 - HP-UX Running ftpd, Remote Privileged Access
NOTICE: The information in this Security Bulletin should be acted upon as soon
as possible.
Rel
Say hello to a new security tool called Surf Jack which demonstrates a
security flaw found in various public sites. The proof of concept tool allows
testers to steal session cookies on HTTP and HTTPS sites that do not set the
Cookie secure flag.
Tool: http://surfjack.googlecode.com/
Short p
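As an added example (not the Surf Jack tool's code and not part of the post above), the following Python models the browser rule the flaw relies on: a cookie set without the Secure attribute is attached to a plain-HTTP request to the same host, so whoever can make the victim's browser fetch http://host/ (and can see or answer that request) receives the session cookie. The Set-Cookie headers and the host name are constructed for the example; domain and path matching are deliberately left out.

```python
"""Model of the cookie rule behind the Surf Jack scenario (added example).

A cookie without the Secure attribute is sent over http:// as well as
https://, so an on-path attacker who forces a plain-HTTP request to the
same host captures it. HttpOnly does not help here: it only keeps the
cookie away from script, not off the wire.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)

    @property
    def secure(self) -> bool:
        return "secure" in self.attrs

    @property
    def httponly(self) -> bool:
        return "httponly" in self.attrs


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value: name=value; attr[=val]; ...
    Attribute names are case-insensitive, so they are lower-cased."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return Cookie(name.strip(), value.strip(), attrs)


def browser_would_send(cookie: Cookie, url: str) -> bool:
    """RFC 6265 section 5.4: a Secure cookie is attached only to requests
    over a secure scheme (https). Same host and path are assumed."""
    scheme = urlparse(url).scheme.lower()
    return scheme == "https" or not cookie.secure


def leaked_over_http(set_cookie_headers, host: str):
    """Names of cookies an attacker capturing http://host/ traffic sees."""
    cookies = [parse_set_cookie(h) for h in set_cookie_headers]
    return [c.name for c in cookies if browser_would_send(c, f"http://{host}/")]


def render(cookie: Cookie) -> str:
    """Serialise a Cookie back into a Set-Cookie header value."""
    parts = [f"{cookie.name}={cookie.value}"]
    for key, val in cookie.attrs.items():
        parts.append(f"{key}={val}" if val else key)
    return "; ".join(parts)


def hardened(header: str) -> str:
    """Return the header with Secure (and HttpOnly) added if missing.
    Secure is what closes the Surf Jack hole; HttpOnly is a separate
    protection against script access and is added alongside it."""
    cookie = parse_set_cookie(header)
    cookie.attrs.setdefault("secure", "")
    cookie.attrs.setdefault("httponly", "")
    return render(cookie)


# Constructed Set-Cookie headers as an HTTPS site might emit them.
SAMPLE_HEADERS = [
    "PHPSESSID=d41d8cd98f00b204; Path=/; HttpOnly",   # session cookie, no Secure
    "csrftoken=7c222fb2927d828a; Path=/; Secure",     # correctly flagged
    "lang=en; Path=/",                                 # leaks, but harmless
]

if __name__ == "__main__":
    print("leaked over http://bank.example/:",
          leaked_over_http(SAMPLE_HEADERS, "bank.example"))
    for h in SAMPLE_HEADERS:
        print(hardened(h))
```

The thing to notice is that the session cookie marked HttpOnly still appears in the leaked list: only the Secure attribute stops the browser from putting it on an http:// request.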
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- -- "Paul Ferguson" <[EMAIL PROTECTED]> wrote:
>-- Gadi Evron <[EMAIL PROTECTED]> wrote:
>
>>In the last days news and government web sites in Georgia suffered DDoS
>>attacks. While these attacks seem to affect the Georgian Internet, it is
>>still t
Hal Finney wrote:
I thought of one possible mitigation that can protect OpenID end users
against remote web sites which have not patched their DNS. OpenID
providers who used weak OpenSSL certs would have to change their URLs
so that their old X.509 CA certs on their old URLs no longer work on the
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
- -- Gadi Evron <[EMAIL PROTECTED]> wrote:
>In the last days news and government web sites in Georgia suffered DDoS
>attacks. While these attacks seem to affect the Georgian Internet, it is
>still there.
>
Also, I wish to say:
"It is clear that ther
Title: CA Host-Based Intrusion Prevention System SDK kmxfw.sys
Multiple Vulnerabilities
CA Advisory Date: 2008-08-11
Reported By:
CVE-2008-2926 - Tobias Klein
CVE-2008-3174 - Elazar Broad
Impact: A remote attacker can cause a denial of service or
possibly execute arbitrary code.
Summary
[Sorry for duplicates, but I got multiple requests for a non-HTML
version, and I didn't want to fork the thread. Also sorry for
initially sending HTML; I didn't realize it was so abhorrent these
days. ]
On Fri, Aug 8, 2008 at 1:43 PM, Dan Kaminsky <[EMAIL PROTECTED]> wrote:
>>
>> It's easy to comp
[I feel a little uncomfortable replying with such a wide distribution!]
Getting browsers, or OpenID installations, to check CRLs or use OCSP to
check for freshness is likely to be slow going. At this point I think
the momentum still favors fixing the remaining DNS systems that are
vulnerable to ca
rPath Security Advisory: 2008-0253-1
Published: 2008-08-12
Products:
rPath Linux 2
Rating: Minor
Exposure Level Classification:
Indirect Non-deterministic Denial of Service
Updated Versions:
[EMAIL PROTECTED]:2/1.5.6.4-1-0.1
[EMAIL PROTECTED]:2/1.5.6.4-1-0.1
rPath Issue Tracking S
| > You can get by with a lot less than 64 bits. People see problems
| > like this and immediately think "birthday paradox", but there is no
| > "birthday paradox" here: You aren't looking for pairs in an
| > ever-growing set, you're looking for matches against a fixed set.
| > If you use 30-bit has
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
-
VMware Security Advisory
Advisory ID: VMSA-2008-0012
Synopsis: Updated VirtualCenter addresses User Account
Disclosure Vulne
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
-
VMware Security Advisory
Advisory ID: VMSA-2008-0013
Synopsis: Updated ESX packages for OpenSSL, net-snmp, perl
Issue date:2008-08-12
In the last days news and government web sites in Georgia suffered DDoS
attacks. While these attacks seem to affect the Georgian Internet, it is still
there.
Facts:
1. There are botnet attacks against .ge websites.
2. These attacks affect the .ge Internet infrastructure, but it's reachable.
3.
Eric Rescorla wrote:
To be concrete, we have 2^15 distinct keys, so, the
probability of a false positive becomes (2^15)/(2^b)=2^(b-15).
To get that probability below 1 billion, b+15 >= 30, so
you need about 45 bits. I chose 64 because it seemed to me
that a false positive probability of 2^{-48}
* Eric Rescorla:
> Why do you say a couple of megabytes? 99% of the value would be
> 1024-bit RSA keys. There are ~32,000 such keys.
There are three sets of keys, for big-endian 32-bit, little-endian
32-bit and little-endian 64-bit. On top of that, "openssl genrsa"
generates different keys depen
Dan Kaminsky wrote:
>
>
> Eric Rescorla wrote:
>> At Fri, 8 Aug 2008 17:31:15 +0100,
>> Dave Korn wrote:
>>
>>> Eric Rescorla wrote on 08 August 2008 16:06:
>>>
>>>
At Fri, 8 Aug 2008 11:50:59 +0100,
Ben Laurie wrote:
> However, since the CRLs will almost certain
iDefense Security Advisory 08.04.08
http://labs.idefense.com/intelligence/vulnerabilities/
Aug 04, 2008
I. BACKGROUND
The snoop command line utility is installed by default on Solaris. It is
used to capture and display network traffic, similar to the widely used
tcpdump program. Server Message B
Synopsis
hMailServer is vulnerable to resource exhaustion attacks that can
cause a denial of service (DoS). The IMAP server crashes when
processing too many IMAP commands, as it quickly exhausts its resources.
Pr
Hello BugtraQ, I tried to reproduce this advisory
and found out that it's impossible.
When you create an index.php file executing admin.template_engine.php,
this index.php contains
require_once("lib/template.class.php");
but this is the wrong file path, and executing index.php stops with the error
Warni
On Tue, Aug 12, 2008 at 9:55 AM, Clausen, Martin (DK - Copenhagen)
<[EMAIL PROTECTED]> wrote:
> You could use the SSL Blacklist plugin
> (http://codefromthe70s.org/sslblacklist.asp) for Firefox or heise SSL
> Guardian
> (http://www.heise-online.co.uk/security/Heise-SSL-Guardian--/features/111039
You could use the SSL Blacklist plugin
(http://codefromthe70s.org/sslblacklist.asp) for Firefox or heise SSL
Guardian
(http://www.heise-online.co.uk/security/Heise-SSL-Guardian--/features/111039/)
for IE to do this. If presented with a Debian key they show a
warning.
The blacklists are implemented
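The truncated-fingerprint blacklist discussed in this thread (Eric Rescorla's 2^15 keys and false-positive arithmetic, Florian Weimer's three key sets per architecture, and the browser plugins mentioned here), as an added Python example that is not the SSL Blacklist plugin's, heise SSL Guardian's, or any poster's own code. The "weak keys" are constructed byte strings standing in for DER-encoded public keys; nothing here derives from the real Debian key sets.

```python
"""Weak-key blacklist keyed by a truncated SHA-1 of the public key, with
the false-positive arithmetic from the thread (added example).

A lookup against a fixed set of N entries is not a birthday problem: a
random good key collides with some entry with probability about N / 2^b
for a b-bit fingerprint, not N^2 / 2^(b+1).
"""
import hashlib
import math

HASH_BITS = 160  # SHA-1 output length


def fingerprint(key_der: bytes, bits: int) -> int:
    """Return the leading `bits` bits of SHA-1(key_der) as an integer."""
    if not 1 <= bits <= HASH_BITS:
        raise ValueError("bits must be between 1 and 160")
    digest = hashlib.sha1(key_der).digest()
    return int.from_bytes(digest, "big") >> (HASH_BITS - bits)


def false_positive_probability(n_keys: int, bits: int) -> float:
    """P(one good key matches some blacklist entry) = n / 2^b."""
    return n_keys / 2 ** bits


def bits_needed(n_keys: int, max_fp: float) -> int:
    """Smallest b such that n_keys / 2^b <= max_fp."""
    return math.ceil(math.log2(n_keys / max_fp))


def storage_bytes(n_keys: int, bits: int) -> int:
    """Raw size of a packed array of truncated fingerprints."""
    return n_keys * math.ceil(bits / 8)


class WeakKeyBlacklist:
    """Set of truncated fingerprints; membership means 'known weak key'."""

    def __init__(self, weak_keys, bits: int = 64):
        self.bits = bits
        self.entries = {fingerprint(k, bits) for k in weak_keys}

    def is_weak(self, key_der: bytes) -> bool:
        return fingerprint(key_der, self.bits) in self.entries

    def false_positive_probability(self) -> float:
        return false_positive_probability(len(self.entries), self.bits)


# Constructed stand-ins for the predictable keys. The real blacklist has
# three sets (big-endian 32-bit, little-endian 32-bit, little-endian
# 64-bit), one key per PID value; 100 per set is used here.
ARCHES = ("be32", "le32", "le64")
WEAK_KEYS = [hashlib.sha256(f"{arch}-pid-{pid}".encode()).digest()
             for arch in ARCHES for pid in range(1, 101)]
GOOD_KEY = hashlib.sha256(b"a key generated with a working PRNG").digest()

BLACKLIST = WeakKeyBlacklist(WEAK_KEYS, bits=64)

if __name__ == "__main__":
    print("weak key flagged:", BLACKLIST.is_weak(WEAK_KEYS[0]))
    print("good key flagged:", BLACKLIST.is_weak(GOOD_KEY))
    print("bits for 2^15 keys at 1e-9 false positives:",
          bits_needed(2 ** 15, 1e-9))
    print("bytes for 3 x 2^15 entries at 64 bits:",
          storage_bytes(3 * 2 ** 15, 64))
```

With 2^15 keys and a 1-in-a-billion false-positive target the arithmetic gives 45 bits; at 64 bits the three architecture sets pack into well under a megabyte of fingerprints, which is the size question the thread argues about.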
==
Layered Defense Research Advisory 12 August 2008
==
1) Affected Product
Alcatel-Lucent OmniSwitch products
OS7000
OS6600
OS6800
OS6850
OS9000
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
The DBA role in Oracle Database is not the same as SYSDBA privilege,
which is granted to SYS. There are many things that a user granted the
DBA role can't do - the most important being the ability to alter SYS
owned objects. This is true on databases