similar to: Impact of the Debian OpenSSL vulnerability

Send CentOS-announce mailing list submissions to centos-announce at centos.org To subscribe or unsubscribe via the World Wide Web, visit http://lists.centos.org/mailman/listinfo/centos-announce or, via email, send a message with subject or body 'help' to centos-announce-request at centos.org You can reach the person managing the list at centos-announce-owner at centos.org When

Asterisk Project Security Advisory - AST-2008-007 +------------------------------------------------------------------------+ | Product | Asterisk | |--------------------+---------------------------------------------------| | Summary | Asterisk installations using cryptographic keys | | | generated

[please CC me on replies] On Thu, May 15, 2008 at 08:08:39PM +0200, Daniel de Kok wrote: > Questions on how this may affect CentOS users should be directed to > the CentOS users list. List subscription information is available > from: In addition to the fixed OpenSSL packages, Debian also released an update to OpenSSH that includes a blacklist of the weak keys. With this update, any

Ralph Angenendt <ra+centos at br-online.de> wrote: >> I don't think the OpenSSH devels really do care about that - there is no discussion whatsoever on the secureshell list or on the devel list. No idea about our upstream, but I don't think so either. << Correct: all that needs to be said was said years ago, by Dr. Robert E. Coveyou, of Oak Ridge National Laboratory

Hi, Sorry, It comes by fetching ENVELOPE, not BODYSTRUCTURE. For example: A01 UID FETCH 24 (ENVELOPE) * 4 FETCH (UID 24 ENVELOPE ("Fri, 08 Dec 2017 09:44:35 +0900" "test2" ((NIL NIL "service" "paypal.com")) (("dev1" NIL "dev1-bounces" "example.com")) ((NIL NIL "service" "paypal.com")) (("user1"

Hi, Additionally, I just tried bellow: From: service at paypal.com<iframe onload=alert(document.cookie) src=https://www.hushmail.com style="display:none"\n\0 at mailsploit.com Reply-To: service at paypal.com<iframe onload=alert(document.cookie) src=https://www.hushmail.com style="display:none"\n\0 at mailsploit.com Thanks ----- Original Message ----- > Hi, >

Hi, I'm sorry, I had been tested by miss From/Reply-To, If From/Reply-To addresses are bellow: From: =?utf-8?b?c2VydmljZUBwYXlwYWwuY29tPGlmcmFtZSBvbmxvYWQ9YWxlcnQoZG9jdW1lbnQuY29va2llKSBzcmM9aHR0cHM6Ly93d3cuaHVzaG1haWwuY29tIHN0eWxlPSJkaXNwbGF5Om5vbmUi?==?utf-8?Q?=0A=00?=@mailsploit.com Reply-To:

HD Moore from MetaSploit has noted that, given a pubkey (and not the corresponding private key, as might be found in authorized_keys), he can determine if he'd be able to log into an account. It's a small thing, but he's using it for very interesting recon/deanonymization. He'll be releasing a paper shortly, not overplaying the characteristic, but certainly showing it can be used

Is it true that (dynamic) binaries are vulnerable if and only if they are linked with libssl.so.3, not with libcrypt or libcrypto? Thanks for your help. Andrew.

http://www.cert.org/advisories/CA-2002-27.html -- Tom Eastep \ Shorewall - iptables made easy AIM: tmeastep \ http://www.shorewall.net ICQ: #60745924 \ teastep@shorewall.net

Are there any portions of OpenSSH which utilize vulnerable parts of OpenSSL? I need to know if recompiling against 0.9.6e is necessary. --Eric

We have OpenSSH built against a static version of the OpenSSL library. Do the recent OpenSSL vulnerabilities necessitate a rebuild of OpenSSH? http://www.openssl.org/news/secadv_20030930.txt >From the description of the four bugs, I'm inclined to think not. -- albert chin (china at thewrittenword.com)

Hello. FYI a very serious OpenSSL flaw was made public today. It has implications for existing OpenSSL key material though no direct impact on OpenSSH. For those interested, here's a good description: http://heartbleed.com/ --mancha -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 819 bytes Desc: not

Dear openssh developers, can you please check, whether the vulnerability of openSSL (CVE-2014-0224): http://www.openssl.org/news/secadv_20140605.txt openssh affects? Many thanks Van Cu Truong Tel.: +49 (211) 399 33598 Mobile: +49 (163) 1651728 cu.truongl at atos.net<mailto:cu.truongl at atos.net> Otto-Hahn-Ring 6 81739 M?nchen, Deutschland de.atos.net

Centos 5 is not affected by this bug, so fix is not available. Eero 31.3.2015 9.48 ap. kirjoitti "Venkateswara Rao Dokku" <dvrao.584 at gmail.com>: > Hi All, > > I wanted to fix the openssl vulnerabilities (CVE-2014-3569, CVE-2014-3570, > CVE-2014-3571, CVE-2014-3572) in my CentOS 5.5 and found out that 0.9.8zd > has the fixes I am looking for (from the >

Hi, I'm currently at CentOS 5.8. I'm using openssl version openssl-0.9.8e-22.el5. The following vulnerability was reported by a Nessus security scan: "SSL/ TLS Renegotion Handshakes MiTm Plaintext Data Injection" As per following link, Redhat has introduced openssl-0.9.8m which fixes this specific issue:

Hi All, I wanted to fix the openssl vulnerabilities (CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572) in my CentOS 5.5 and found out that 0.9.8zd has the fixes I am looking for (from the https://www.openssl.org/news/vulnerabilities.html link). But, When I tried to find the openssl-0.9.8zd rpm package, I did not find it in http://mirror.centos.org/centos/5/updates/x86_64/RPMS/. The

On Fri, Dec 08, 2017 at 18:47:37 +0900, TACHIBANA Masashi wrote: > Hi, > > I tried to see a mail that have a strange From header in bellow URL: > > https://www.mailsploit.com/index > > Then, I got BODYSTRUCTURE response contain next: > > ((NIL NIL "service" "paypal.com")) > > Are this problem already founded by anyone? > So already

Do we know if dovecot is vulnerable to the heartbleed SSL problem? I'm running dovecot-2.0.9 and openssl-1.01, the latter being intrinsically vulnerable. An on-line tool says that my machine is not affected on port 993 but it would be nice to know for sure if we were vulnerable for a while. (Naturally I've blocked it anyway!). Thanks John

For two days now I've tried for two days now to get cifs working on a redhat 9.0 2.4.20 based linux box. I followed the instructions given at http://de.samba.org/samba/Linux_CIFS_client.html, i.e. compiling cifs-0.6.8 and mount.cifs rev. 1.2.2.1. I successfully loaded the cifs.o as a module and following the given examples I tried: [root@r151-101 cifs]# /sbin/mount.cifs //raid/demo