VMware Security Advisory 2010-0019 - ESX 3.x Console OS (COS) updates for samba, bzip2, and openssl packages.
53508d995bd3ee7696e115312bf6f130857171310cf94855d6fe67fca9362f8a
VMware Security Advisory 2010-0015 - ESX 4.0 Console OS (COS) updates for NSS_db, OpenLDAP, cURL, sudo, OpenSSL, GnuTLS, NSS and NSPR packages.
fdad8c6c91e0eabfe81a21d19d5f5d5ed52fdc1c4de978eea683eae1e3131b79
Mandriva Linux Security Advisory 2010-084 - Multiple Java OpenJDK security vulnerabilities have been identified and fixed. Packages for 2009.0 are provided due to the Extended Maintenance Program.
312b3c1da3613bba6dee3a18734818e0ba9d2e9be62220fe962af073b0b2a26f
VMware Security Advisory - Service console packages for Network Security Services (NSS) and Netscape Portable Runtime (NSPR) are updated to versions nss-3.12.3.99.3-1.2157 and nspr-4.7.6-1.2213 respectively. This patch fixes several security issues in the service console packages for NSS and NSPR.
750bfc5b2e28a67af487861fbcc96e099b1881a6cbe999078d4626cf32cfde37
Mandriva Linux Security Advisory 2009-310 - Multiple security vulnerabilities have been identified and fixed in OpenSSL.
0dacbc11230717ec843f94df0a14966959ed125db03db8ada5edb5032c784039
Mandriva Linux Security Advisory 2009-197 - Security issues in nss prior to 3.12.3 could lead to a man-in-the-middle attack via a spoofed X.509 certificate and MD2 algorithm flaws, and could also cause a denial of service and possible code execution via a long domain name in an X.509 certificate. This update provides the latest versions of the NSS and NSPR libraries, which are not vulnerable to those attacks. Packages for 2008.0 are being provided due to extended support for Corporate products.
ecd423cda5abf43a8f153f67b66965b14d04a924ca31a32378cc5c2e7e74b029
Gentoo Linux Security Advisory 200912-1 - Multiple vulnerabilities in OpenSSL might allow remote attackers to conduct multiple attacks, including the injection of arbitrary data into encrypted byte streams. Versions less than 0.9.8l-r2 are affected.
705697817c46700fc9df1cb06e10cefe0c615f48bbabe02cd0b7328b880af2b6
Debian Linux Security Advisory 1935-1 - Dan Kaminsky and Moxie Marlinspike discovered that gnutls, an implementation of the TLS/SSL protocol, does not properly handle a '\\0' character in a domain name in the subject's Common Name or Subject Alternative Name (SAN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. In addition, with this update, certificates with MD2 hash signatures are no longer accepted since they're no longer considered cryptographically secure.
f865f82f07d73c848ba941571d0b49f816946149bd8f70b4226dc437168d8570
Ubuntu Security Notice 859-1 - Dan Kaminsky discovered that SSL certificates signed with MD2 could be spoofed given enough time. It was discovered that ICC profiles could be identified with ".." pathnames. Peter Vreugdenhil discovered multiple flaws in the processing of graphics in the AWT library. Multiple flaws were discovered in JPEG and BMP image handling. Multiple flaws were discovered in ASN.1 parsing. It was discovered that the graphics configuration subsystem did not correctly handle arrays.
3a2e680a13f977b81a1d37e61bc6bdfa08463e69eae900c81456f8f673c77864
Mandriva Linux Security Advisory 2009-239 - Use-after-free vulnerability in the dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL 1.0.0 Beta 2 allows remote attackers to cause a denial of service (openssl s_client crash) and possibly have unspecified other impact via a DTLS packet, as demonstrated by a packet from a server that uses a crafted server certificate. The dtls1_retrieve_buffered_fragment function in ssl/d1_both.c in OpenSSL before 1.0.0 Beta 2 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via an out-of-sequence DTLS handshake message, related to a fragment bug. The NSS library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws; the scope of this issue is currently limited because the amount of computation required is still large. This update provides a solution to these vulnerabilities.
93d724150f498b44ab15ee712c7c6741e7048e4a11d86450fd84461bd468cda1
Mandriva Linux Security Advisory 2009-238 - Multiple vulnerabilities were discovered and corrected in openssl. This update provides a solution to these vulnerabilities.
31c2e4db2c4d9a59061c28ba43c171388869223dfecb57fc075078cb0b97baed
Mandriva Linux Security Advisory 2009-237 - ssl/s3_pkt.c in OpenSSL before 0.9.8i allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a DTLS ChangeCipherSpec packet that occurs before ClientHello. The NSS library before 3.12.3, as used in Firefox; GnuTLS before 2.6.4 and 2.7.4; OpenSSL 0.9.8 through 0.9.8k; and other products support MD2 with X.509 certificates, which might allow remote attackers to spoof certificates by using MD2 design flaws; the scope of this issue is currently limited because the amount of computation required is still large. This update provides a solution to these vulnerabilities.
6b72823540faf713afc600893f4b4f73da01b097b7de2809c1b8a8f80d4521e0
Debian Security Advisory 1888-1 - Certificates with MD2 hash signatures are no longer accepted by OpenSSL, since they're no longer considered cryptographically secure.
88d5f8e0192f0be8665ed90a45aa84ccb48c9ed00b752dea60a8068421209f01
Ubuntu Security Notice USN-830-1 - Dan Kaminsky discovered OpenSSL would still accept certificates with MD2 hash signatures. As a result, an attacker could potentially create a malicious trusted certificate to impersonate another site. This update handles this issue by completely disabling MD2 for certificate validation.
3ab93642b1ff6aff7e138b954ee6771e4310dab3371fdcb7b7084820c3fdcb87
Mandriva Linux Security Advisory 2009-197-2 - Security issues in nss prior to 3.12.3 could lead to a man-in-the-middle attack via a spoofed X.509 certificate and MD2 algorithm flaws, and could also cause a denial of service and possible code execution via a long domain name in an X.509 certificate. This update provides the latest versions of the NSS and NSPR libraries, which are not vulnerable to those attacks. This update also provides fixed packages for Mandriva Linux 2008.1 and fixes mozilla-thunderbird error messages.
394905da2291d3fb11814cfdd3fb15394407e4aae6c16a48e8e81df3b42b194f
Debian Security Advisory 1874-1 - Several vulnerabilities have been discovered in the Network Security Service libraries.
c3c145e663c0e41608a4517f6698e23ceea9427cb81c0b2b53641a715105c451
Mandriva Linux Security Advisory 2009-216 - A number of security vulnerabilities have been discovered in the NSS and NSPR libraries and in Mozilla Thunderbird.
e8e619c27abfa1ea866f6d756a974aa55669f6f2b6b85c33173163bb95017751
Ubuntu Security Notice USN-809-1 - Multiple vulnerabilities in gnutls12, gnutls13, and gnutls26 have been addressed.
b92205b37169716ba97e50429020fd3909591b35ccbe74027c607e8e62403c93
Mandriva Linux Security Advisory 2009-197 - Security issues in nss prior to 3.12.3 could lead to a man-in-the-middle attack via a spoofed X.509 certificate and MD2 algorithm flaws, and could also cause a denial of service and possible code execution via a long domain name in an X.509 certificate. This update provides the latest versions of the NSS and NSPR libraries, which are not vulnerable to those attacks.
bd0fc6956d963e958bc33f7098949780b68da008df3fe89a2bb4d9f2af528903
Ubuntu Security Notice USN-810-1 - Moxie Marlinspike discovered that NSS did not properly handle regular expressions in certificate names. A remote attacker could create a specially crafted certificate to cause a denial of service (via application crash) or execute arbitrary code as the user invoking the program. Moxie Marlinspike and Dan Kaminsky independently discovered that NSS did not properly handle certificates with NULL characters in the certificate name. An attacker could exploit this to perform a man-in-the-middle attack to view sensitive information or alter encrypted communications. Dan Kaminsky discovered NSS would still accept certificates with MD2 hash signatures. As a result, an attacker could potentially create a malicious trusted certificate to impersonate another site.
551f75cb720ebd7eaa1e942d3bd0085543b035e372926a826f94e7e0b94f1eb5