2016-04-12
ALT-BU-2016-2687-1
Branch sisyphus update bulletin.
Closed vulnerabilities
Published: 2013-10-18
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2013-6169
The TLS driver in ejabberd before 2.1.12 supports (1) SSLv2 and (2) weak SSL ciphers, which makes it easier for remote attackers to obtain sensitive information via a brute-force attack.
Severity: MEDIUM (4.3)
References:
Published: 2014-10-25
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2014-8760
ejabberd before 2.1.13 does not enforce the starttls_required setting when compression is used, which causes clients to establish connections without encryption.
Severity: MEDIUM (5.0)
References:
- http://advisories.mageia.org/MGASA-2014-0417.html
- http://advisories.mageia.org/MGASA-2014-0417.html
- [Operators] 20141013 ejabberd: compression allows circumvention of encryption
- [Operators] 20141013 ejabberd: compression allows circumvention of encryption
- [oss-security] 20141013 CVE request: ejabberd compression allows cirucumvention of encryption despite starttls_required
- [oss-security] 20141013 CVE request: ejabberd compression allows cirucumvention of encryption despite starttls_required
- MDVSA-2014:207
- MDVSA-2014:207
- MDVSA-2015:175
- MDVSA-2015:175
- 70415
- 70415
- https://bugzilla.redhat.com/show_bug.cgi?id=1153839
- https://bugzilla.redhat.com/show_bug.cgi?id=1153839
- https://github.com/processone/ejabberd/commit/7bdc1151b
- https://github.com/processone/ejabberd/commit/7bdc1151b
Closed vulnerabilities
Published: 2016-05-05
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2016-4008
The _asn1_extract_der_octet function in lib/decoding.c in GNU Libtasn1 before 4.8, when used without the ASN1_DECODE_FLAG_STRICT_DER flag, allows remote attackers to cause a denial of service (infinite recursion) via a crafted certificate.
Severity: MEDIUM (5.9)
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
References:
- http://git.savannah.gnu.org/gitweb/?p=libtasn1.git%3Ba=commit%3Bh=a6e0a0b58f5cdaf4e9beca5bce69c09808cbb625
- http://git.savannah.gnu.org/gitweb/?p=libtasn1.git%3Ba=commit%3Bh=a6e0a0b58f5cdaf4e9beca5bce69c09808cbb625
- http://git.savannah.gnu.org/gitweb/?p=libtasn1.git%3Ba=commit%3Bh=f435825c0f527a8e52e6ffbc3ad0bc60531d537e
- http://git.savannah.gnu.org/gitweb/?p=libtasn1.git%3Ba=commit%3Bh=f435825c0f527a8e52e6ffbc3ad0bc60531d537e
- FEDORA-2016-048ffb6235
- FEDORA-2016-048ffb6235
- FEDORA-2016-383b8250e6
- FEDORA-2016-383b8250e6
- FEDORA-2016-96bfd9e873
- FEDORA-2016-96bfd9e873
- openSUSE-SU-2016:1567
- openSUSE-SU-2016:1567
- openSUSE-SU-2016:1674
- openSUSE-SU-2016:1674
- DSA-3568
- DSA-3568
- [oss-security] 20160411 Infinite loops parsing malicious DER certificates in libtasn1 4.7
- [oss-security] 20160411 Infinite loops parsing malicious DER certificates in libtasn1 4.7
- USN-2957-1
- USN-2957-1
- USN-2957-2
- USN-2957-2
- [help-libtasn1] 20160411 GNU Libtasn1 4.8 released
- [help-libtasn1] 20160411 GNU Libtasn1 4.8 released
- GLSA-201703-05
- GLSA-201703-05
Closed vulnerabilities
Published: 2017-03-21
Modified: 2024-11-21
Modified: 2024-11-21
CVE-2014-9939
ihex.c in GNU Binutils before 2.26 contains a stack buffer overflow when printing bad bytes in Intel Hex objects.
Severity: CRITICAL (9.8)
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
References:
- http://www.openwall.com/lists/oss-security/2015/07/31/6
- http://www.openwall.com/lists/oss-security/2015/07/31/6
- https://sourceware.org/bugzilla/show_bug.cgi?id=18750
- https://sourceware.org/bugzilla/show_bug.cgi?id=18750
- https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git%3Bh=7e27a9d5f22f9f7ead11738b1546d0b5c737266b
- https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git%3Bh=7e27a9d5f22f9f7ead11738b1546d0b5c737266b