Aggregator

PagesAboutDidier Stevens SuiteLinksMy Python TemplatesMy SoftwareProfession

你可能错过的新鲜事OPPO A5 Pro 发布12 月 24 日，OPPO 发布主打「耐用」特性的 OPPO A5 Pro。OPPO A5 Pro 在上一代产品 IP6X 级防水等级的基础上，针对

A vulnerability has been found in Anibal Monsalve Salaz sSMTP 2.61/2.62 and classified as problematic. This vulnerability affects the function standardise. The manipulation leads to improper input validation. This vulnerability was named CVE-2008-7258. Attacking locally is a requirement. Furthermore, there is an exploit available. The real existence of this vulnerability is still doubted at the moment. It is recommended to upgrade the affected component.

A vulnerability, which was classified as critical, was found in Ruby 1.8.6/1.8.7/1.9. Affected is the function REXML. The manipulation leads to improper input validation. This vulnerability is traded as CVE-2008-3790. It is possible to launch the attack remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

Cl0p Ransomware posted the following message for it's victims affected by the Cleo exploit

A vulnerability was found in Electronic Arts Medal Of Honor Allied Assault up to 1.11v9. It has been classified as critical. This affects an unknown part of the component Network Play. The manipulation leads to memory corruption. This vulnerability is uniquely identified as CVE-2004-0735. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. It is recommended to apply a patch to fix this issue.

A vulnerability was found in Sun Solaris 9/10 and classified as critical. This issue affects some unknown processing of the component in.ftpd. The manipulation of the argument ls with the input *** leads to memory corruption. The identification of this vulnerability is CVE-2005-0256. The attack may be initiated remotely. Furthermore, there is an exploit available. It is recommended to apply restrictive firewalling.

A vulnerability was found in MantisBT. It has been classified as problematic. Affected is an unknown function of the file filter_api.php. The manipulation of the argument project_id leads to cross site scripting. This vulnerability is traded as CVE-2011-2938. It is possible to launch the attack remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

A vulnerability, which was classified as problematic, was found in Linux Kernel 2.6.x/3.10.x/4.14.x. This affects the function create_elf_tables. The manipulation leads to integer overflow. This vulnerability is uniquely identified as CVE-2018-14634. The attack needs to be approached locally. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Mambo up to 4.6.5. It has been classified as critical. This affects an unknown part. The manipulation of the argument zorder leads to sql injection. This vulnerability is uniquely identified as CVE-2011-2917. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.

A vulnerability classified as critical was found in Secureideas Basic Analysis and Security Engine 1.4.5. This vulnerability affects unknown code of the file base_ag_main.php. The manipulation of the argument ado_inc_php leads to code injection. This vulnerability was named CVE-2012-1199. The attack can be initiated remotely. Furthermore, there is an exploit available.

A vulnerability was found in Watchguard AP100, AP102, AP200 and AP300 and classified as critical. This issue affects some unknown processing of the component Web Interface. The manipulation leads to unrestricted upload. The identification of this vulnerability is CVE-2018-10577. The attack may be initiated remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Critical Path Injoin Directory Server 4.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality of the component iCon Administrative Web Server. The manipulation of the argument LOCID/OC leads to basic cross site scripting. This vulnerability is known as CVE-2002-0787. The attack can be launched remotely. Furthermore, there is an exploit available.

A vulnerability has been found in Sun MySQL 5.1.23 Bk and classified as problematic. Affected by this vulnerability is an unknown functionality of the component InnoDB Handler. The manipulation leads to improper input validation. This vulnerability is known as CVE-2007-5925. The attack needs to be initiated within the local network. Furthermore, there is an exploit available. It is recommended to disable the affected component.

A vulnerability classified as critical has been found in Openbravo Openbravo ERP up to 2.50. This affects an unknown part of the component Interfaces. The manipulation leads to improper access controls. This vulnerability is uniquely identified as CVE-2013-3617. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.

A vulnerability was found in MySQL up to 5.0.35. It has been classified as problematic. Affected is the function filesort. The manipulation leads to denial of service. This vulnerability is traded as CVE-2007-1420. It is possible to launch the attack on the local host. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

SDL是一个体系化的大工程，需要业务方增加人员投入进行配合，很可能影响业务系统发布节奏，所以会遇到不少阻力。 不过从为“业务保驾护航，安全服务业务”的切入点出发，保持“结合实际定制，轻柔融入”的原则，会增大成功的概率。在推进时可以： 1、找案例：纵观行业，介绍在SDL方面做得好的公司以及取得的成效； 2、讲好处：可以获得及早发现安全风险、满足法规要求、全面提高产品安全性、增强客户信任等收益； 3、先试点：找重视安全有意愿的、安全问题比较多的业务开始小范围推进，最开始可以是1个业务跑通流程、持续优化； 4、再全面：有了小范围的试点之后，以此为先进代表、在公司公开晒取得的成果，产生一定影响力，与此同时可以直接将SDL写成安全规范，然后在全公司推广。 更多软件安全内容，可以访问： 1、SDL100问：我与SDL的故事 SAST误报太高，如何解决？ SDL需要哪些人参与？ 设计阶段应开展哪些安全活动？ 有哪些不错的安全设计参考资料？ 安全设计要求怎么做才能落地？ 有哪些威胁建模方法论？ 如何选择开源组件安全扫描(SCA)工具？ SCA工具扫描出很多漏洞，如何处理？ SCA工具识别出高风险协议，如何处理？ 应该如何选型代码安全扫描工具？ 白盒检测工具存在局限性，如何进行补偿？ SCA用什么系统做，自研还是外购？ 有没有好用的SDL平台？ Sonar是否好用以及误报率咋样？ 如何推进有问题的jar包更新？ SCA工具的误报率怎样？ 在研发安全流程落地方面，有何经验？ 如何说服业务完成checklist自检？ sdl会对项目变更代码做review吗？ 如何展示SDL的成果或效果？ 怎么解决源代码两张皮导致安全失效？ 2、SDL创新实践系列 首发！“ 研发安全运营 ” 架构研究与实践 DevSecOps实施关键：研发安全团队 DevSecOps实施关键：研发安全流程 DevSecOps实施关键：研发安全规范 从安全视角，看研发安全 数字化转型下的研发安全痛点

SDL是一个体系化的大工程，需要业务方增加人员投入进行配合，很可能影响业务系统发布节奏，所以会遇到不少阻力。 不过从为“业务保驾护航，安全服务业务”的切入点出发，保持“结合实际定制，轻柔融入”的原则，会增大成功的概率。在推进时可以： 1、找案例：纵观行业，介绍在SDL方面做得好的公司以及取得的成效； 2、讲好处：可以获得及早发现安全风险、满足法规要求、全面提高产品安全性、增强客户信任等收益； 3、先试点：找重视安全有意愿的、安全问题比较多的业务开始小范围推进，最开始可以是1个业务跑通流程、持续优化； 4、再全面：有了小范围的试点之后，以此为先进代表、在公司公开晒取得的成果，产生一定影响力，与此同时可以直接将SDL写成安全规范，然后在全公司推广。 更多软件安全内容，可以访问： 1、SDL100问：我与SDL的故事 SAST误报太高，如何解决？ SDL需要哪些人参与？ 设计阶段应开展哪些安全活动？ 有哪些不错的安全设计参考资料？ 安全设计要求怎么做才能落地？ 有哪些威胁建模方法论？ 如何选择开源组件安全扫描(SCA)工具？ SCA工具扫描出很多漏洞，如何处理？ SCA工具识别出高风险协议，如何处理？ 应该如何选型代码安全扫描工具？ 白盒检测工具存在局限性，如何进行补偿？ SCA用什么系统做，自研还是外购？ 有没有好用的SDL平台？ Sonar是否好用以及误报率咋样？ 如何推进有问题的jar包更新？ SCA工具的误报率怎样？ 在研发安全流程落地方面，有何经验？ 如何说服业务完成checklist自检？ sdl会对项目变更代码做review吗？ 如何展示SDL的成果或效果？ 怎么解决源代码两张皮导致安全失效？ 2、SDL创新实践系列 首发！“ 研发安全运营 ” 架构研究与实践 DevSecOps实施关键：研发安全团队 DevSecOps实施关键：研发安全流程 DevSecOps实施关键：研发安全规范 从安全视角，看研发安全 数字化转型下的研发安全痛点