openSUSE-SU-2016:3215-1

Опубликовано: 21 дек. 2016

Источник: suse-cvrf

Описание

Security update for shellinabox

shellinabox was updated to version 2.20 to fix the following security issues:

It was possible to fallback to the HTTP protocol even when configured for HTTPS. (CVE-2015-8400, boo#957748)
Disable secure client-initiated renegotiation
Set SSL options for increased security (disable SSLv2, SSLv3)
Protection against large HTTP requests

non security fixes:

Includes some MSIE and iOS rendering fixes

Список пакетов

openSUSE Leap 42.1

shellinabox-2.20-12.1

openSUSE Leap 42.2

shellinabox-2.20-12.1

Ссылки

https://lists.opensuse.org/opensuse-updates/2016-12/msg00128.html
E-Mail link for openSUSE-SU-2016:3215-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings

Описание

The HTTPS fallback implementation in Shell In A Box (aka shellinabox) before 2.19 makes it easier for remote attackers to conduct DNS rebinding attacks via the "/plain" URL.

Затронутые продукты

openSUSE Leap 42.1:shellinabox-2.20-12.1

openSUSE Leap 42.2:shellinabox-2.20-12.1

Ссылки

https://www.suse.com/security/cve/CVE-2015-8400.html
CVE-2015-8400
https://bugzilla.suse.com/957748
SUSE Bug 957748

openSUSE-SU-2016:3215-1

Описание

Список пакетов

openSUSE Leap 42.1

openSUSE Leap 42.2

Ссылки

Уязвимость: CVE-2015-8400

Описание

Затронутые продукты

Ссылки