Displaying 20 results from an estimated 10000 matches similar to: "OpenSSL vulnerability"
2014 Apr 07
1
Ed25519 keys in SSHFP RRs
Hello.
Subramanian Moonesamy has gotten the ball rolling to include Ed25519 in
IANA's registry for SSHFP key types [1].
I've opened a bug report [2] that includes a patch that adds the needed
support code and provisionally assigns Ed25519 a value of 4 (values
1, 2, 3 reserved for RSA, DSA, and ECDSA, respectively) [3].
The enhancement request/bug is meant to keep the issue on the radar.
2014 Apr 08
3
Heartbleed openssl vulnerability?
Do we know if dovecot is vulnerable to the heartbleed SSL problem?
I'm running dovecot-2.0.9 and openssl-1.01, the latter being
intrinsically vulnerable. An on-line tool says that my machine is not
affected on port 993 but it would be nice to know for sure if we were
vulnerable for a while. (Naturally I've blocked it anyway!).
Thanks
John
2014 Apr 09
1
FLASH NewsBites - Heartbleed Open SSL Vulnerability (fwd)
For even more information about "Heartbleed".
-Connie Sieh
---------- Forwarded message ----------
Date: Wed, 9 Apr 2014 12:27:54 -0500
From: The SANS Institute <NewsBites at sans.org>
Subject: FLASH NewsBites - Heartbleed Open SSL Vulnerability
FLASH NewsBites - Heartbleed Open SSL Vulnerability
FLASH NewsBites are issued only when a security event demands global and
immediate
2014 Apr 07
4
[Bug 2223] New: Ed25519 support in SSHFP DNS resource records
https://bugzilla.mindrot.org/show_bug.cgi?id=2223
Bug ID: 2223
Summary: Ed25519 support in SSHFP DNS resource records
Product: Portable OpenSSH
Version: -current
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at
2012 May 30
0
[CVE-2012-2944] NUT vulnerability: upsd can be remotely crashed
Dear NUT users,
I recently came across a MAJOR potential flaw in the network server
(upsd), that results, when exploited, in a crash of this server [1]
This is the first security flaw in this software, since its very
beginning (~15 years)!
It is still potential, and not actual, since Sebastian's report is a
first-timer.
But it should be very seriously considered, and you should take all
2014 Apr 08
2
CVE-2014-0160 CentOS 6 openssl heartbleed workaround
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Earlier in the day today, we were made aware of a serious
issue in openssl as shipped in CentOS-6.5 ( including updates issued
since CentOS-6.5 was released ); This issue is addressed in detail at
http://heartbleed.com/
Upstream have not released a patched version of openssl, although we
are reliably informed that there is quite a bit of effort
2014 Jun 06
2
does the openSSL security vulnerability (CVE-2014-0224) affect openssh?
Dear openssh developers,
can you please check whether the vulnerability of openSSL (CVE-2014-0224):
http://www.openssl.org/news/secadv_20140605.txt
affects openssh?
Many thanks
Van Cu Truong
Tel.: +49 (211) 399 33598
Mobile: +49 (163) 1651728
cu.truongl at atos.net
Otto-Hahn-Ring 6
81739 München, Deutschland
de.atos.net
2013 Aug 06
2
Openssl vulnerability - SSL/ TLS Renegotiation Handshakes
Hi,
I'm currently at CentOS 5.8. I'm using openssl version
openssl-0.9.8e-22.el5. The following vulnerability was reported by a Nessus
security scan:
"SSL/ TLS Renegotiation Handshakes MiTm Plaintext Data Injection"
As per following link, Redhat has introduced openssl-0.9.8m which fixes
this specific issue:
2002 Nov 21
0
Initial Sequence Numbers (ISN) vulnerability
FYI
On the ISN vulnerability I found a really good article on Initial Sequence
Numbers (ISN) vulnerability and according to this article all Linux Kernels
after 1996 are not affected by this vulnerability.
http://www.linuxsecurity.com/articles/security_sources_article-2968.html
I found another article that stated :
Operating systems that have been reported to be safe from practical attacks
2015 May 27
4
[Bug 2302] with DH-GEX, ssh (and sshd) should not fall back to unconfigured DH groups or at least document this behaviour and use a stronger group
On Wed, May 27, 2015 at 05:08:25PM -0400, Daniel Kahn Gillmor wrote:
> On Tue 2015-05-26 15:39:49 -0400, Mark D. Baushke wrote:
> > Hi Folks,
> >
> > The generator value of 5 does not lead to a q-ordered subgroup which
> > is needed to pass tests in
> >
> > http://csrc.nist.gov/publications/nistpubs/800-56A/SP800-56A_Revision1_Mar08-2007.pdf
>
> I
2015 Jul 22
2
Keyboard Interactive Attack?
Thanks for clarification.
One question though:
As far as I have tested openssh, it logs every unsuccessful
authentication attempt on the very moment it becomes unsuccessful, not
after the connection is closed (after timeout or when reaching max
auth attempts). Is this true or not even for this attack or not?
Because if it is true, if there is an IDS system that bans IP after X
failed logins,
2014 Apr 04
6
[Bug 2220] New: Add uuid-style identifier for use with ControlPath
https://bugzilla.mindrot.org/show_bug.cgi?id=2220
Bug ID: 2220
Summary: Add uuid-style identifier for use with ControlPath
Product: Portable OpenSSH
Version: -current
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs
2014 May 05
1
Fwd: [oss-security] *Possible* ssh vulnerability
FYI
----- Forwarded message from RbN <r.b.n at riseup.net> -----
> Date: Mon, 05 May 2014 19:40:02 +0200
> From: RbN <r.b.n at riseup.net>
> To: oss-security at lists.openwall.com
> Subject: [oss-security] *Possible* ssh vulnerability
> User-Agent: mutt (compatible Hurd 3.11/Windows 0.5)
>
> Looks like a fake, but I prefer to post it here anyway:
>
2014 Jan 18
9
[Bug 2197] New: Add ED25519 support to SSHFP dns record
https://bugzilla.mindrot.org/show_bug.cgi?id=2197
Bug ID: 2197
Summary: Add ED25519 support to SSHFP dns record
Product: Portable OpenSSH
Version: -current
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at
2014 Apr 23
3
hackers celebrate this day: openssh drops security! was: Re: heads up: tcpwrappers support going away
On 23 April 2014 21:43, mancha <mancha1 at zoho.com> wrote:
> On Wed, Apr 23, 2014 at 12:26:58PM -0700, Iain Morgan wrote:
>> A slightly better solution would be a PAM module that uses the same
>> syntax as libwrap. Possibly someone has already written such a module.
>
> Possibly, but only for platforms which use PAM.
Pam is executed so late in the chain that any
2014 Apr 11
0
Fwd, from upstream: Heartbleed Toolkit | Secure, Detect, & Repair
Subject: Heartbleed Toolkit | Secure, Detect, & Repair
Date: Thu, 10 Apr 2014 18:12:16 -0400
From: Red Hat <email at engage.redhat.com>
2011 May 21
1
OpenVAS Vulnerability
Hi,
Please advise me about the below reported vulnerability.
High
OpenSSH X Connections Session Hijacking Vulnerability
Risk: High
Application: ssh
Port: 22
Protocol: tcp
ScriptID: 100584
Overview:
OpenSSH is prone to a vulnerability that allows attackers to hijack
forwarded X connections.
Successfully exploiting this issue may allow an attacker run arbitrary
shell commands with the privileges
2005 Jun 23
0
Asterisk Manager Interface Remote BufferOverflow Vulnerability
I think they are being vague to give people time to upload to the
latest version.
Cheers,
Dean
> -----Original Message-----
> From: asterisk-users-bounces@lists.digium.com [mailto:asterisk-users-
> bounces@lists.digium.com] On Behalf Of Brian West
> Sent: Thursday, 23 June 2005 11:45 AM
> To: Asterisk Users Mailing List - Non-Commercial Discussion
> Subject: Re:
2019 Aug 30
0
CVE-2019-11500: Critical vulnerability in Dovecot and Pigeonhole
Hello,
Cc'ing Apollon in hopes he might have some insight here.
When upgrading on Debian Stretch with the security fix packages all
dovecot processes get killed and then restarted despite having
"shutdown_clients = no" set.
My guess would be a flaw in the upgrade procedure and/or unit files doing
a stop and start when the new imapd package is installed.
Can anybody think of a