#ssl

View CSAF 1. EXECUTIVE SUMMARY CVSS v4 8.5 ATTENTION: Low attack complexity Vendor: Schneider Electric Equipment: EcoStruxure Vulnerability: Uncontrolled Search Path Element 2. RISK EVALUATION Successful exploitation of this vulnerability allows for local privilege escalation, which could lead to the execution of a malicious Dynamic-Link Library (DLL). 3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following Schneider Electric EcoStruxure products and versions, which incorporate Revenera FlexNet Publisher, are affected: EcoStruxure Control Expert: Versions prior to V16.1 EcoStruxure Process Expert: All versions EcoStruxure OPC UA Server Expert: All versions EcoStruxure Control Expert Asset Link: Versions prior to V4.0 SP1 EcoStruxure Machine SCADA Expert Asset Link: All versions EcoStruxure Architecture Builder: Versions prior to V7.0.18 EcoStruxure Operator Terminal Expert: All versions Vijeo Designer: Version prior to V6.3SP1 HF1 EcoStruxure Machine Expert including EcoStruxure Machi...

Cheap banking scams are often easier to pull off in a country with older devices, fewer regulations, and experienced fraudsters.

The gaming industry has grown into a massive global market, with millions of players engaging in online multiplayer…

The env option `KC_CACHE_EMBEDDED_MTLS_ENABLED` does not work and the jgroups replication configuration is always used in plain. This option worked before in 24 and 22. More info in public issue https://github.com/keycloak/keycloak/issues/34644.

New research highlights how bad actors could abuse deleted AWS S3 buckets to create all sorts of mayhem, including a SolarWinds-style supply chain attack.

The security startup's autonomous security remediation platform uses off-the-shelf large language models (LLMs) to analyze security alerts and apply the fixes.

The FBI joined authorities across Europe last week in seizing domain names for Cracked and Nulled, English-language cybercrime forums with millions of users that trafficked in stolen data, hacking tools and malware. An investigation into the history of these communities shows their apparent co-founders quite openly operate an Internet service provider and a pair of e-commerce platforms catering to buyers and sellers on both forums.

### Impact `ssl::select_next_proto` can return a slice pointing into the `server` argument's buffer but with a lifetime bound to the `client` argument. In situations where the `server` buffer's lifetime is shorter than the `client` buffer's, this can cause a use after free. This could cause the server to crash or to return arbitrary memory contents to the client. ### Patches `openssl` 0.10.70 fixes the signature of `ssl::select_next_proto` to properly constrain the output buffer's lifetime to that of both input buffers. ### Workarounds In standard usage of `ssl::select_next_proto` in the callback passed to `SslContextBuilder::set_alpn_select_callback`, code is only affected if the `server` buffer is constructed *within* the callback. For example: Not vulnerable - the server buffer has a `'static` lifetime: ```rust builder.set_alpn_select_callback(|_, client_protos| { ssl::select_next_proto(b"\x02h2", client_protos).ok_or_else(AlpnError::NOACK) }); ``` Not vulnerable - the serve...

Security researchers tested 50 well-known jailbreaks against DeepSeek’s popular new AI chatbot. It didn’t stop a single one.