Re: [FD] ODR violation in Redis Raft

2024-01-18 Thread Jeffrey Walton
On Wed, Jan 17, 2024 at 3:29 PM Meng Ruijie wrote: > > [Suggested description] > Redis raft master-1b8bd86 to master-7b46079 was discovered to contain an ODR > violation via the component hiredisAllocFns at > /opt/fs/redisraft/deps/hiredis/alloc.c. > > [VulnerabilityType Other] > AddressSanitize

Re: [FD] Anomaly in Fedora `dnf update`: md5 mismatch of result

2023-08-19 Thread Jeffrey Walton
On Tue, Aug 15, 2023 at 1:25 PM Georgi Guninski wrote: > > In short, I found anomaly in Fedora 37 and would like to > know if it is vulnerability. > > As root type in terminal: > dnf update > > If there is kernel update, watch stdout and stderr for: > > ##On Mon Aug 14 05:33:29 AM UTC 2023 > (2/6)

Re: [FD] Citrix Gateway & Cloud MFA - Insufficient Session Validation Vulnerability

2023-07-19 Thread Jeffrey Walton
On Sun, Jul 16, 2023 at 7:39 PM Jens Timmerman wrote: > > On 03/07/2023 16:59, i...@esec-service.de wrote: > > Document Title: > > === > > Citrix Gateway&Cloud MFA - Insufficient Session Validation Vulnerability > > > > > > Technical Details & Description: > > =

Re: [FD] Spammers Using storage[.]googleapis[.]com ?!!?

2021-08-10 Thread Jeffrey Walton
On Tue, Aug 3, 2021 at 1:35 PM Nick Boyce wrote: > > I notice that among the spam in my Gmail spam folder, there are a > number of "address-check" type messages (i.e. that just seek > confirmation my address exists), which attempt to get their response > by performing a scripted redirect via a web

Re: [FD] Defense in depth -- the Microsoft way (part 51): Skype's home-grown updater allows escalation of privilege to SYSTEM

2018-02-16 Thread Jeffrey Walton
On Fri, Feb 9, 2018 at 1:01 PM, Stefan Kanthak wrote: > Hi @ll, > > since about two or three years now, Microsoft offers Skype as > optional update on Windows/Microsoft Update. > > JFTR: for Microsoft's euphemistic use of "update" see > > > On

Re: [FD] Banknotes Misproduction security & biometric weakness

2018-01-30 Thread Jeffrey Walton
On Tue, Jan 30, 2018 at 4:08 AM, Vulnerability Lab wrote: > Document Title: > === > Banknotes Misproduction security & biometric weakness > ... > > Technical Details & Description: > > In the last months we reviewed the new 20€ & 50€ Banknotes of the Eu

Re: [FD] Follow-up on CVE-2017-8769 - WhatsApp Issues with Media Files

2017-12-12 Thread Jeffrey Walton
On Tue, Dec 5, 2017 at 5:27 PM, Nightwatch Cybersecurity Research wrote: > [https://wwws.nightwatchcybersecurity.com/2017/05/17/advisory-whatsapp-for-android-privacy-issues-with-handling-of-media-files-cve-2017-8769/] > > We reported an issue earlier this year to WhatsApp / Facebook, where > after

Re: [FD] Security contact @ Gigabyte

2016-03-14 Thread Jeffrey Walton
> Yeah, the general FD list policy is to reject requests for vendor contacts > unless they also include full disclosure of the bug details: > > https://secwiki.org/w/FD_Moderation#Requests_for_vendor_security_contacts > > It's not that there is anything wrong with the more limited disclosure and >

Re: [FD] Security contact @ Gigabyte

2016-03-14 Thread Jeffrey Walton
On Wed, Mar 9, 2016 at 4:15 PM, Gustavo Sorondo wrote: > Hi list, > > I'd like to know if anyone here know someone working on security at > Gigabyte (http://www.gigabyte.com/), since we are trying to responsibly > report a high risk security flaw we found. > > We opened a ticket asking to be cont

Re: [FD] Grandstream VoIP phone: SSH key backdoor and multiple vulnerabilities leading to RCE as root (David Jorm

2015-07-13 Thread Jeffrey Walton
> A final issue I've reported to them in the past that's not resolved is the > SSH host key being shared across all phones of the same firmware version. > > The authenticity of host '10.150.117.57 (10.150.117.57)' can't be established. > RSA key fingerprint is 7f:83:e8:5c:0b:fb:d1:47:c7:f1:33:60:b
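The shared-host-key issue raised in the message above is easy to catch across a fleet once you compare fingerprints rather than looking at one device at a time. The following script is an added example for this thread, not Grandstream's or the reporter's code: it parses `ssh-keyscan` output (or a `known_hosts` file) and reports any host key that appears on more than one host, printing both the legacy MD5 colon-hex fingerprint quoted in the report and the SHA256 form current OpenSSH prints. The sample lines are constructed; the key blobs are not real keys, and the hosts other than the one mentioned in the report are made up.

```python
"""Flag SSH host keys shared by more than one host.

Input is the 'host keytype base64blob' format that ssh-keyscan prints and
known_hosts stores (comment lines starting with '#' are skipped).  Added
example; the sample data below is constructed and the blobs are not real keys.
"""
import base64
import hashlib
import sys
from collections import defaultdict

# Constructed sample in ssh-keyscan output format: two devices answer with
# the same RSA key (the firmware-image problem), a third has its own key.
SAMPLE_KEYSCAN = """\
# 10.150.117.57:22 SSH-2.0-dropbear
10.150.117.57 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7
# 10.150.117.58:22 SSH-2.0-dropbear
10.150.117.58 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7
# 10.150.117.60:22 SSH-2.0-OpenSSH_7.0
10.150.117.60 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDz
"""


def fingerprint_md5(blob: bytes) -> str:
    """Legacy OpenSSH fingerprint: MD5 of the key blob as colon-separated hex."""
    h = hashlib.md5(blob).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def fingerprint_sha256(blob: bytes) -> str:
    """Modern OpenSSH fingerprint: 'SHA256:' + unpadded base64 of the digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_host_keys(text: str):
    """Yield (host, keytype, blob) for every key line; malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        hosts, keytype, b64 = parts[0], parts[1], parts[2]
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:
            continue
        # known_hosts may list several names for one key: "a,b,[c]:2222 ssh-rsa ..."
        for host in hosts.split(","):
            yield host, keytype, blob


def find_shared_host_keys(text: str) -> dict:
    """Map 'keytype SHA256:...' -> sorted hosts, for keys seen on more than one host."""
    hosts_by_key = defaultdict(set)
    for host, keytype, blob in parse_host_keys(text):
        hosts_by_key[(keytype, blob)].add(host)
    return {
        f"{keytype} {fingerprint_sha256(blob)} ({fingerprint_md5(blob)})": sorted(hosts)
        for (keytype, blob), hosts in hosts_by_key.items()
        if len(hosts) > 1
    }


if __name__ == "__main__":
    # Pipe real data in: ssh-keyscan -t rsa,ed25519 host1 host2 ... | python3 shared_keys.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_KEYSCAN
    shared = find_shared_host_keys(data)
    if not shared:
        print("no shared host keys")
    for key, hosts in shared.items():
        print(f"SHARED {key}\n  hosts: {', '.join(hosts)}")
```

A shared host key means any one device (or anyone who extracted the key from the firmware image) can impersonate every other device to an administrator's SSH client, so the fix on the device side is to generate the host key on first boot rather than ship it in the image; the script only tells you which hosts are affected.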

Re: [FD] Safari Address Spoofing (How We Got It)

2015-06-02 Thread Jeffrey Walton
On Fri, May 29, 2015 at 1:47 AM, David Leo wrote: > Proof of concept: > http://www.deusen.co.uk/items/iwhere.9500182225526788/ > It works on fully patched versions of iOS and OS X. > How it works: > Just keep trying to load the web page of target domain. > > How We Got It: > Safari changes address

[FD] CVE for Apple's ECDHE-ECDSA SecureTransport bug?

2015-05-20 Thread Jeffrey Walton
Does anyone know if Apple's ECDHE-ECDSA SecureTransport bug was assigned a CVE? It affected OS X and iOS. Effectively, the bug was an implementation error that caused interoperability failures. To mostly counter it, the cipher suites had to be disabled, which resulted in a loss of security. If the

Re: [FD] several issues in SQLite (+ catching up on several other bugs)

2015-04-19 Thread Jeffrey Walton
On Sun, Apr 19, 2015 at 8:31 PM, Michal Zalewski wrote: >> Clang and its analyzers found a number of issues a couple of years >> ago. As far as I know, the results were dismissed. See "Clang 3.3 and >> Scan-Build results", > > Well, I can kinda sympathize. Somebody took one of my OSS projects > (p

Re: [FD] several issues in SQLite (+ catching up on several other bugs)

2015-04-19 Thread Jeffrey Walton
On Sun, Apr 19, 2015 at 8:08 PM, Michal Zalewski wrote: >> Richard and the team certainly have been busy bees: >> https://www.sqlite.org/src/timeline?n=152&y=ci&v=0&ym=2015-04&t=trunk > > Yup. In addition to the crashes, I also sent them probably around > 50-60 assert failures in debug builds, at

[FD] Sony: 22 Breaches and Counting

2014-12-08 Thread Jeffrey Walton
Now might be a good time to reflect on the past, and recall Sony has had at least 22 breaches in the past. Thanks to Security Curmudgeon for putting this list together: http://attrition.org/security/rant/sony_aka_sownage.html.

Re: [FD] Cyanogenmod MITM: proven, despite cyanogenmod's public denail

2014-10-19 Thread Jeffrey Walton
> Re: [FD] Cyanogenmod MITM: proven, despite cyanogenmod's public denail It's not clear to me where it's been proven. I think your post is missing some information, like the smoking gun. (It may exist, you just didn't make it clear). > If I understand correctly, the original reporter may have been

Re: [FD] Bitstamp - Possible breach

2014-07-22 Thread Jeffrey Walton
On Mon, Jul 21, 2014 at 5:00 AM, Duarte Silva wrote: > On Sunday 20 July 2014 22:06:22 Jeffrey Walton wrote: >> Does anyone know someone from Bitstamp? >> >> Someone has posted an alleged partial dump of their user database at >> http://pastebin.com/WmpFfEmn. > &

[FD] Bitstamp - Possible breach

2014-07-20 Thread Jeffrey Walton
Does anyone know someone from Bitstamp? Someone has posted an alleged partial dump of their user database at http://pastebin.com/WmpFfEmn. Unfortunately, Bitstamp's homepage (http://www.bitstamp.net/) does not list contact information or a link to give them a heads up.

[FD] Improperly Issued Digital Certificates Could Allow Spoofing

2014-07-10 Thread Jeffrey Walton
https://technet.microsoft.com/en-us/library/security/2982792.aspx Microsoft is aware of improperly issued SSL certificates that could be used in attempts to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. The SSL certificates were improperly issued by the National In

Re: [FD] [oss-security] Bug in bash <= 4.3 [security feature bypassed]

2014-06-05 Thread Jeffrey Walton
> 2014-06-03 16:16 GMT+02:00 Hector Marco : > > Hi everyone, > > Recently we discovered a bug in bash. After some time after reporting > it to bash developers, it has not been fixed. > > We think that this is a security issue because in some circumstances > the bash security feature could be bypass

Re: [FD] Computer hackers face life in prison under new Government crackdown on cyber terrorism | Mail Online

2014-06-05 Thread Jeffrey Walton
On Thu, Jun 5, 2014 at 8:36 PM, Ivan .Heca wrote: > http://www.dailymail.co.uk/news/article-2649452/Computer-hackers-face-life-prison-new-Government-crackdown-cyber-terrorism.html?ITO=1490&ns_mchannel=rss&ns_campaign=1490 > I can see where this could be abused. It's a lot like the Computer Fraud an

Re: [FD] TrueCrypt?

2014-05-30 Thread Jeffrey Walton
On Fri, May 30, 2014 at 4:02 PM, uname -a wrote: > Really? > https://blog.0xbadc0de.be/archives/155 > "note: I did not break the official algorithm. I do not know the secret value used to compute the Q constant, and thus cannot break the default implementation. Only NSA (and people with access to

Re: [FD] Full disk encryption for OS X alternative to TrueCrypt

2014-05-30 Thread Jeffrey Walton
On Thu, May 29, 2014 at 5:26 PM, James Lay wrote: > On 2014-05-29 15:18, CIURANA EUGENE (pr3d4t0r - Full Disclosure) wrote: >> >> Greetings. >> >> I'm a happy long-time user of TrueCrypt, and was as >> dismayed as anyone else to see the news. I'm considering starting a full >> disk image encryptio

Re: [FD] TrueCrypt?

2014-05-30 Thread Jeffrey Walton
> Based on my Alice and Bob comment above, it’s reasonable > to assume that the encryption itself is 100% fine, so as long > as you believe that Bob will never divulge the information > you’ve disclosed. Ask Bradley Manning how well that worked. Lamo could not keep his mouth shut as a priest or a

Re: [FD] TrueCrypt?

2014-05-29 Thread Jeffrey Walton
On Wed, May 28, 2014 at 10:21 PM, Anthony Fontanez wrote: > I'm surprised I haven't seen any discussion about the recent issues with > TrueCrypt. Links to current discussions follow. > > /r/sysadmin: > http://www.reddit.com/r/sysadmin/comments/26pxol/truecrypt_is_dead/ > /r/netsec: > http://ww

Re: [FD] What do you think of Trollc?

2014-05-29 Thread Jeffrey Walton
On Tue, May 27, 2014 at 3:32 PM, Jeffrey Walton wrote: > On Tue, May 27, 2014 at 3:04 PM, Brandon Perry > wrote: >> Not even sure when the last vulnerability that caused any fluctuation in >> the stock markets was. > +1. I'm not sure it ever hurt Sony, and they

Re: [FD] What do you think of Trollc?

2014-05-28 Thread Jeffrey Walton
On Wed, May 28, 2014 at 8:12 AM, Roberto Martelloni wrote: > Among other according to > www.sfgate.com/business/article/Investors-undeterred-by-data-breaches-5505309.php > seems > that also after data breaches like the Targets one there aren't long term > impact on stock markets. Selling short is p

Re: [FD] What do you think of Trollc?

2014-05-28 Thread Jeffrey Walton
On Tue, May 27, 2014 at 3:04 PM, Brandon Perry wrote: > Not even sure when the last vulnerability that caused any fluctuation in > the stock markets was. +1. I'm not sure it ever hurt Sony, and they've had over 40 documented problems [0, 1, 2, et al]. Some of them were very serious from a data sec

Re: [FD] Beginners error: iTunes for Windows runs rogue program C:\Program.exe when opening associated files

2014-05-01 Thread Jeffrey Walton
> the current version of iTunes for Windows (and of course older versions > too) associates the following vulnerable command lines with some of the > supported file types/extensions: They also install Bonjour and a couple of other services as NT Authority/SYSTEM, don't drop privileges, and open lis

Re: [FD] AOL confirms compromise

2014-04-29 Thread Jeffrey Walton
On Tue, Apr 29, 2014 at 11:30 AM, Daniel Hadfield wrote: > http://blog.aol.com/2014/04/28/aol-security-update/ > Ouch... Have any details of the "encryption" been analyzed or discussed? It's always interesting to see what a company considers "best practice". Jeff AOL's investigation is still und

Re: [FD] Should openssl accept weak DSA/DH keys with g = +/- 1 ?

2014-04-17 Thread Jeffrey Walton
On Thu, Apr 17, 2014 at 12:50 PM, Pavel Kankovsky wrote: > Does anyone use non-safe primes for DH? Afaik any well-known moduli are > safe. And openssl dhparam generates safe primes only. g = 2 is not a generator though it's often used. It's possible to leak information depending on parameter select
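The two points in the exchange above (the thread's g = +/- 1 case, and what the choice of g leaks when p is a safe prime) are concrete enough to check in code. The following is an added example, not OpenSSL's parameter validation: it accepts only safe primes p = 2q + 1, so the order of g must be 1, 2, q or 2q and is found with a single modular exponentiation; it rejects g in {0, +1, -1}, whose public values take at most two distinct values; and it distinguishes g of order q (public value is always a quadratic residue, nothing about the private exponent is visible) from g of order 2q (the Legendre symbol of g^x is (-1)^x, so the low bit of x is public). Whether 2 falls in the first or second class depends on the prime: 2 is a quadratic residue exactly when p = 7 (mod 8), so for such p it generates the order-q subgroup and is not a generator of the whole group. The moduli used are small constructed values so the arithmetic is checkable by hand; the Miller-Rabin bases are adequate for those sizes, not for real 2048-bit groups.

```python
"""Validate Diffie-Hellman group parameters (p, g) and show what a poor g leaks.

Added example for this thread; not OpenSSL code.  The primes used in the demo
are small constructed values, chosen so the results can be checked by hand.
"""

# Deterministic Miller-Rabin witnesses: exact for every n < 3.3 * 10**24.
# Real 2048-bit moduli need random bases or a library primality test.
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n: int) -> bool:
    """Miller-Rabin with fixed witnesses; exact for the sizes this demo uses."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n == b:
            return True
        if n % b == 0:
            return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_dh_group(p: int, g: int) -> dict:
    """Classify (p, g).  Only safe primes are accepted, so ord(g) in {1, 2, q, 2q}."""
    if not is_prime(p):
        return {"ok": False, "reason": "p is not prime"}
    q = (p - 1) // 2
    if not is_prime(q):
        return {"ok": False, "reason": "p is not a safe prime: (p-1)/2 is composite"}
    g %= p
    if g in (0, 1, p - 1):
        # g = 0, +1 or -1: g^x takes at most two values (the thread's subject line),
        # so the shared secret is guessable in at most two tries.
        order = None if g == 0 else (1 if g == 1 else 2)
        return {"ok": False, "reason": "g is 0, +1 or -1; shared secret has <= 2 values",
                "order": order}
    if pow(g, q, p) == 1:
        # g generates the prime-order subgroup: g^x is always a quadratic residue,
        # so the public value reveals nothing about x.
        return {"ok": True, "reason": "g generates the order-q subgroup",
                "order": q, "leaks_parity": False}
    # pow(g, q, p) == p - 1: g generates all of Z_p^*.  Valid, but the Legendre
    # symbol of g^x equals (-1)^x, so the low bit of the private exponent is public.
    return {"ok": True, "reason": "g generates the full group; g^x leaks the parity of x",
            "order": 2 * q, "leaks_parity": True}


def leaked_exponent_parity(p: int, g: int, y: int):
    """Recover x mod 2 from y = g^x mod p when g has order 2q; None when hidden."""
    info = check_dh_group(p, g)
    if not info.get("leaks_parity"):
        return None
    q = (p - 1) // 2
    return 0 if pow(y, q, p) == 1 else 1  # Euler's criterion on y


if __name__ == "__main__":
    p = 23  # safe prime, q = 11; p = 7 (mod 8) so 2 is a quadratic residue
    for g in (1, 22, 2, 5):
        print(f"p={p} g={g}: {check_dh_group(p, g)}")
    x = 7  # a private exponent; with g = 5 (order 22) its parity is visible
    y = pow(5, x, p)
    print(f"g=5, y=g^{x}: observed parity of x = {leaked_exponent_parity(p, 5, y)}")
    print(f"g=2, y=g^{x}: observed parity of x = {leaked_exponent_parity(p, 2, pow(2, x, p))}")
```

The parity leak is one bit and is usually tolerated (it is why RFC 7919 groups use g = 2 with primes where 2 generates the order-q subgroup), but g = +/- 1 is a different class of problem: an implementation that accepts it computes a "shared secret" an eavesdropper can enumerate, which is the check the thread asks OpenSSL to make.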

Re: [FD] Legality of Open Source Tools

2014-04-06 Thread Jeffrey Walton
On Sun, Apr 6, 2014 at 4:24 AM, Henri Salo wrote: > On Sat, Apr 05, 2014 at 01:23:51PM +0300, Toni Korpela wrote: >> Greetings from Finland. >> >> I know that here it is illegal to import, manufacture, sell >> or otherwise distribute such machine or software which >> are designed to endanger or ha

Re: [FD] [Full-disclosure] Bank of the West security contact?

2014-04-03 Thread Jeffrey Walton
On Wed, Apr 2, 2014 at 4:42 PM, Eric Rand wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > BoA has no incentive to switch, as the customers have not demanded > more secure ATMs, and it's cheaper to have 'hacking insurance' to > cover any losses than it would be to replace all their ATM

Re: [FD] Security flaw in Full Disclosure mailing list

2014-04-02 Thread Jeffrey Walton
On Wed, Apr 2, 2014 at 4:25 PM, Ron wrote: > That doesn't change the fact that it's storing the passwords in > plaintext, though, it just hides the 'your passwords are completely > insecure' issue a little bit. Mailman 3 might be changing that behavior. See "Password handling in MM3", https://mai

Re: [FD] CBS Sports/CBS Interactive Security Contacts?

2014-04-01 Thread Jeffrey Walton
You have the well known email addresses of RFC 2142 - secure@, security@, hostmaster@, webmaster@, etc. Their WHOIS record shows domainad...@cbsig.net for registration, administration and technical contacts. On Tue, Apr 1, 2014 at 1:16 PM, wrote: > Does anyone have contacts or email addresses f