Security
Headlines
HeadlinesLatestCVEs

Tag

#ssl

GHSA-8xw6-9h78-c89j: Ylianst MeshCentral Missing SSL Certificate Validation

Ylianst MeshCentral 1.1.16 is vulnerable to Missing SSL Certificate Validation.

ghsa
#git#ssl
GHSA-xvq9-4vpv-227m: Nginx-UI vulnerable to arbitrary file write through the Import Certificate feature

### Summary The Import Certificate feature allows arbitrary write into the system. The feature does not check if the provided user input is a certification/key and allows to write into arbitrary paths in the system. https://github.com/0xJacky/nginx-ui/blob/f20d97a9fdc2a83809498b35b6abc0239ec7fdda/api/certificate/certificate.go#L72 ``` func AddCert(c *gin.Context) { var json struct { Name string `json:"name"` SSLCertificatePath string `json:"ssl_certificate_path" binding:"required"` SSLCertificateKeyPath string `json:"ssl_certificate_key_path" binding:"required"` SSLCertificate string `json:"ssl_certificate"` SSLCertificateKey string `json:"ssl_certificate_key"` ChallengeMethod string `json:"challenge_method"` DnsCredentialID int `json:"dns_credential_id"` } if !api.BindAndValid(c, &json) { return } certModel := &model.Cert{ Name: json.Name, SSLCertificatePath: json.SSLCertificatePath, SSLCer...

Control D Launches Control D for Organizations: Democratizing Cybersecurity

By cyberwire Toronto, Canada, January 29th, 2024, Cyberwire – In an era where online threats no longer discriminate by business… This is a post from HackRead.com Read the original post: Control D Launches Control D for Organizations: Democratizing Cybersecurity

10 things to do to improve your online privacy

It's Data Privacy Week so here are 10 tips from our VP of Consumer Privacy, Oren Arar, about how to stay private online.

Red Hat Security Advisory 2024-0500-03

Red Hat Security Advisory 2024-0500-03 - An update for openssl is now available for Red Hat Enterprise Linux 9.2 Extended Update Support.

China-Linked Blackwood APT Deploys Advanced NSPX30 Backdoor in Cyberespionage

By Deeba Ahmed The NSPX30 backdoor, initially uncovered in 2005 as a simple form of malware, has evolved over time into an advanced threat. This is a post from HackRead.com Read the original post: China-Linked Blackwood APT Deploys Advanced NSPX30 Backdoor in Cyberespionage

GHSA-gr79-9v6v-gc9r: Dex discarding TLSconfig and always serves deprecated TLS 1.0/1.1 and insecure ciphers

### Summary Dex 2.37.0 is serving HTTPS with insecure TLS 1.0 and TLS 1.1. ### Details While working on https://github.com/dexidp/dex/issues/2848 and implementing configurable TLS support, I noticed my changes did not have any effect in TLS config, so I started investigating. https://github.com/dexidp/dex/blob/70d7a2c7c1bb2646b1a540e49616cbc39622fb83/cmd/dex/serve.go#L425 is seemingly setting TLS 1.2 as minimum version, but the whole tlsConfig is ignored after "TLS cert reloader" was introduced in https://github.com/dexidp/dex/pull/2964. Configured cipher suites are not respected either, as seen on the output. ### PoC Build Dex, generate certs with `gencert.sh`, modify `config.dev.yaml` to run on https, using generated certs. ```console issuer: http://127.0.0.1:5556/dex storage: type: sqlite3 config: file: dex.db web: https: 127.0.0.1:5556 tlsCert: examples/k8s/ssl/cert.pem tlsKey: examples/k8s/ssl/key.pem <rest as default> ``` Run dex `bin/dex serve config.dev...

Debian Security Advisory 5607-1

Debian Linux Security Advisory 5607-1 - Multiple security issues were discovered in Chromium, which could result in the execution of arbitrary code, denial of service or information disclosure.

Red Hat Security Advisory 2024-0399-03

Red Hat Security Advisory 2024-0399-03 - An update for gnutls is now available for Red Hat Enterprise Linux 8.8 Extended Update Support.

Red Hat Security Advisory 2024-0397-03

Red Hat Security Advisory 2024-0397-03 - An update for the squid:4 module is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include buffer over-read, denial of service, and null pointer vulnerabilities.