Re: [FD] heartbleed OpenSSL bug CVE-2014-0160

2014-04-11 Thread Afonso Araújo Neto
The Heartbleed Challenge was solved, so no more mystery about the possibility of private key compromise. https://www.cloudflarechallenge.com/heartbleed The Heartbleed Challenge Can you steal the keys from this server? Has the challenge been solved yet? YES So far, two people have independently so

Re: [FD] DoS condition mt-daapd/Firefly Media Server 0.2.4.2

2014-04-11 Thread Brandon Vincent (Student)
It looks like the MP3 file is partially corrupted. There appears to be extra data between consecutive MPEG frames, which could have caused mt-daapd to crash. How was the MP3 file generated? Most of the time this error occurs due to poorly implemented ID3 tag editors which improperly append data

[FD] DoS condition mt-daapd/Firefly Media Server 0.2.4.2

2014-04-11 Thread Eric Michaud
Hi All, I don't have much more on this other than I have an installation of Firefly 0.2.4.2 on a Drobo5N (available for download on all Drobo dashboards currently) and every time mt-daapd indexes the linked mp3 "05 Everybody.mp3" it stalls and then exits. MP3 for download https://mega.co.nz/#!Jg

Re: [FD] Andrew "Weev" Auernheimer's Conviction Thrown Out

2014-04-11 Thread Groundworks Technologies Advisories
On 04/11/2014 06:40 PM, Jeffrey Paul wrote: > The sad part is that he's been released back under the terms of his original > pre-trial bail, which includes such things as no non-windows computers This is inhuman. ___ Sent through the Full Disclosure m

Re: [FD] heartbleed OpenSSL bug CVE-2014-0160

2014-04-11 Thread Michal Zalewski
> http://www.bloomberg.com/news/2014-04-11/nsa-said-to-have-used-heartbleed-bug-exposing-consumers.html Uh huh. And here's a fairly unequivocal rebuttal: http://icontherecord.tumblr.com/post/82416436703/statement-on-bloomberg-news-story-that-nsa-knew There's not a whole lot of wiggle room. It's p

Re: [FD] Andrew "Weev" Auernheimer's Conviction Thrown Out

2014-04-11 Thread Jeffrey Paul
The sad part is that he's been released back under the terms of his original pre-trial bail, which includes such things as no non-windows computers, no computers without government-chosen spyware/monitoring, and AFAIK they have to approve in advance any offer of employment he may receive. The a

[FD] Multiple CSRF and XSS vulnerabilities in D-Link DAP 1150

2014-04-11 Thread MustLive
Hello list! In 2011 and at the beginning of 2012 I wrote about multiple vulnerabilities (http://securityvulns.ru/docs27440.html, http://securityvulns.ru/docs27677.html, http://securityvulns.ru/docs27676.html) in D-Link DAP 1150 (several dozen). At that time I wrote about vulnerabilities in the admin panel in

Re: [FD] heartbleed OpenSSL bug CVE-2014-0160

2014-04-11 Thread Carlos P
>> As a general rule of thumb for this vulnerability, any binary/service dynamically linked to libssl.so should be considered compromised. and you have to add what is statically linked and keep track of every php/ruby/python/whatever script, don't you? On Thursday, April 10, 2014 15

Re: [FD] heartbleed OpenSSL bug CVE-2014-0160

2014-04-11 Thread Schmidt, Michael
They are talking about their servers... And, we have reason to believe based on the data structures used by OpenSSL and the modified version of NGINX that we use, that it may in fact be impossible. "modified version of NGINX that we use" -Original Message- From: Fulldisclosure [mailto:f

Re: [FD] heartbleed OpenSSL bug CVE-2014-0160

2014-04-11 Thread Seth Arnold
On Fri, Apr 11, 2014 at 01:09:37PM +0200, Reindl Harald wrote: > interesting, i have until now 3 mail client-IPs triggering that rules on > 993 and 995 one of them is our own external office, the other two are > using AppleMail too > > does anybody have an idea why Mail.app is using Heartbeat packets on POP

Re: [FD] heartbleed OpenSSL bug CVE-2014-0160

2014-04-11 Thread Joerg Mertin
When I first heard it, I suspected that there was something more behind it. Thing is - as secret services are not able to actually brute-force encryption, they needed to find a way around. And the only way around was to either use existing bugs/weaknesses, or implant some (as NIST). http://

[FD] Andrew "Weev" Auernheimer's Conviction Thrown Out

2014-04-11 Thread g...@1337.io
http://gawker.com/andrew-weev-auernheimers-conviction-thrown-out-1562223115 ___ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/

Re: [FD] heartbleed OpenSSL bug CVE-2014-0160

2014-04-11 Thread Ferenc Kovacs
On Fri, Apr 11, 2014 at 5:29 PM, Michal Zalewski wrote: > > 1. inclusive of [1..3] above > > 2. replace all operating systems > > 3. audit or replace all user data > > And also burn the hardware, given that if you're assuming the > worst-case scenario, all your firmware is now replaced with that

Re: [FD] heartbleed OpenSSL bug CVE-2014-0160

2014-04-11 Thread Juergen Christoffel
On Thu, Apr 10, 2014 at 11:32:21PM -0700, Paul Vixie wrote: [...] really bruce? on a scale of doesn't-matter-at-all to worst-thing-you-could-have-previously-imagined, a read only exploit is even worse than that? With all due respect to your ego Paul, I think you might underestimate the long te

Re: [FD] heartbleed OpenSSL bug CVE-2014-0160

2014-04-11 Thread Marco Davids (priv)
Paul, On 11-04-14 08:32, Paul Vixie wrote: > no remote file modification, no root shell, no > non-root shell, no data-modification, no arbitrary file system reads... > just a read only heap exploit, and it's worse than anything you could > have previously fucking imagined? > 9,10,11... whatever i

Re: [FD] heartbleed OpenSSL bug CVE-2014-0160

2014-04-11 Thread HaCKsPy
CloudFlare has also opened a challenge about Heartbleed. You can find it at: https://www.cloudflarechallenge.com/heartbleed Regards, Juan Pablo. On Fri, Apr 11, 2014 at 10:21 AM, Ricardo Iramar dos Santos < rira...@gmail.com> wrote: > I think that I found the answer for my question on the RFCs 652

Re: [FD] heartbleed OpenSSL bug CVE-2014-0160

2014-04-11 Thread Reindl Harald
On 10.04.2014 11:01, Reindl Harald wrote: > __ > > iptables --list --numeric --verbose > > 0 0 LOGtcp -- !lo* 0.0.0.0/00.0.0.0/0 >

[FD] MRI Rubies may contain statically linked, vulnerable OpenSSL

2014-04-11 Thread glitch
https://gist.github.com/chapmajs/10473815 Apparently some MRI build scripts copy only the OpenSSL version at time of build, so the provided test is not necessarily 100% accurate. PoC confirmed with RVM on OS X 10.9, Arch Linux, Slackware 14.1 -- glitch

[FD] CSRF/XSS vulnerability in Twitget 3.3.1 (WordPress plugin)

2014-04-11 Thread dxw Security
Details Software: Twitget Version: 3.3.1 Homepage: http://wordpress.org/plugins/twitget/ Advisory ID: dxw-1970-435 CVE: CVE-2014-2559 CVSS: 6.4 (Medium; AV:N/AC:L/Au:N/C:P/I:P/A:N) Description CSRF/XSS vulnerability in Twitget 3.3.1 Vulnerability

[FD] CSRF and stored XSS in Quick Page/Post Redirect Plugin (WordPress plugin)

2014-04-11 Thread dxw Security
Details Software: Quick Page/Post Redirect Plugin Version: 5.0.3 Homepage: http://wordpress.org/plugins/quick-pagepost-redirect-plugin/ Advisory ID: dxw-1970-1091 CVE: CVE-2014-2598 CVSS: 6.8 (Medium; AV:N/AC:M/Au:N/C:P/I:P/A:P) Description CSRF and stored XSS in

[FD] AIMSICD: Developers for Android-App WANTED!

2014-04-11 Thread SecUpwN
Listen up, we need your help! As you may already know, we're developing an Android App to detect IMSI-Catcher attacks: https://github.com/SecUpwN/Android-IMSI-Catcher-Detector. The project is fully Open Source and has been making progress in the last few days and the Android IMSI-Catcher Detec

Re: [FD] heartbleed OpenSSL bug CVE-2014-0160

2014-04-11 Thread Ricardo Iramar dos Santos
I think that I found the answer to my question in RFC 6520 on page 5 ( https://tools.ietf.org/html/rfc6520#page-5) and RFC 6066 on page 8 ( https://tools.ietf.org/html/rfc6066#page-8). Take a look at RFC 6520 on page 5: The total length of a HeartbeatMessage MUST NOT exceed 2^14 or max_frag

Re: [FD] heartbleed OpenSSL bug CVE-2014-0160

2014-04-11 Thread Brandon Perry
Also, yeah, it is only read-only. I think the most dangerous thing about this is the fact that it is seemingly undetectable. Codenomicon obviously was more concerned about the press than they were about this issue. On Fri, Apr 11, 2014 at 4:20 AM, Ivan .Heca wrote: > to be fair to Bruce, here

[FD] The state of infection in Uanet 2013

2014-04-11 Thread MustLive
Hello participants of the Mailing List. Since 2006 I have published security reports about hacker activity in Uanet, and since 2012 I have been publishing reports about web applications at infected web sites (among all my reports), about which I wrote in the WASC Mailing List. In my publication The state of infect

Re: [FD] heartbleed OpenSSL bug CVE-2014-0160

2014-04-11 Thread Manuel Tiago Pereira
Hi, CloudFlare has a very interesting article on their attempts to get an SSL private key, explaining why they find it very unlikely to be able to get it. Here it is: http://blog.cloudflare.com/answering-the-critical-question-can-you-get-private-ssl-keys-using-heartbleed On Fri, Apr 11, 2014 at 1

Re: [FD] FW: dve bypass dep+aslr+emet+cfi

2014-04-11 Thread YiFei Yang
Most people here don't read Chinese, so please, post in English, and link only to English materials. And for those who don't read Chinese, this post isn't worth reading at all; it's highly likely to be copy-pasted from several Weibo (Twitter in China) posts. I, as a native Chinese speaker, can't figur

Re: [FD] heartbleed OpenSSL bug CVE-2014-0160

2014-04-11 Thread Ivan .Heca
to be fair to Bruce, here is his entire post on the subject https://www.schneier.com/blog/archives/2014/04/heartbleed.html On Fri, Apr 11, 2014 at 4:32 PM, Paul Vixie wrote: > > > Paul Vixie wrote: > > Michal Zalewski wrote: > >>> > http://m.smh.com.au/it-pro/security-it/man-who-introduced-ser

[FD] CVE-2014-2384 - Invalid Pointer Dereference in VMware Workstation and Player

2014-04-11 Thread Portcullis Advisories
Vulnerability title: Invalid Pointer Dereference in VMware Workstation and Player CVE: CVE-2014-2384 Vendor: VMware Product: Workstation, Player Affected version: VMware WorkStation v10.0.1 build-1379776 and VMware Player v6.0.1 build-1379776 Fixed version: N/A Reported by: Kyriakos Economou Detai

Re: [FD] heartbleed OpenSSL bug CVE-2014-0160

2014-04-11 Thread Michal Zalewski
> 1. inclusive of [1..3] above > 2. replace all operating systems > 3. audit or replace all user data And also burn the hardware, given that if you're assuming the worst-case scenario, all your firmware is now replaced with that of Roomba. I mean, it's a very cool bug. I'm jealous of Neel. But

[FD] Woltlab Burning Board 3.9.1 - Persistent Web Vulnerability & Editor Reverse Encoding Issue

2014-04-11 Thread Vulnerability Lab
Document Title: === Woltlab Burning Board 3.9.1 - Persistent Web Vulnerability & Editor Reverse Encoding Issue References (Source): http://www.vulnerability-lab.com/get_content.php?id=1256 Video: http://www.vulnerability-lab.com/get_content.php?id=1257 Release

[FD] SEC Consult SA-20140411-0 :: Multiple vulnerabilities in Plex Media Server

2014-04-11 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20140411-0 > === title: Multiple vulnerabilities product: Plex Media Server vulnerable version: confirmed in 0.9.9.10 fixed version

Re: [FD] heartbleed OpenSSL bug CVE-2014-0160

2014-04-11 Thread Paul Vixie
Juergen Christoffel wrote: > On Thu, Apr 10, 2014 at 11:32:21PM -0700, Paul Vixie wrote: >> [...] >> really bruce? on a scale of doesn't-matter-at-all to >> worst-thing-you-could-have-previously-imagined, a read only exploit is >> even worse than that? > > With all due respect to your ego Paul, I