Security Alerts & News
by Tymoteusz A. Góral

#694 OpenSSL patches two high-severity vulnerabilities
The latest batch of OpenSSL security patches was released today, with a pair of high-severity flaws and four low-severity issues addressed in OpenSSL 1.0.1t and OpenSSL 1.0.2h.

One of the high-severity flaws, CVE-2016-2107, opens the door to a padding oracle attack that can allow for the decryption of traffic if the connection uses an AES CBC cipher and the server supports AES-NI.

“The AES issue is interesting. If you can [man-in-the-middle] then you can inject packets, look at the error codes, and then eventually figure out the AES key,” said Rich Salz, a member of the OpenSSL development team and an engineer at Akamai. “So it’s for national-scale attackers who can force DNS or BGP routes, or small hackers who can hack Wi-Fi in Starbucks.”