(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Apache released an important update today to fix a vulnerability that affects servers that have http/2 enabled and use TLS client certificates for authentication.

Apache 2.4.18 through 2.4.20 are vulnerable if both of the following hold:

- TLS certificates are used for authenticating clients (look for the SSLVerifyClient require directive in your configuration file)

- http/2 is enabled (see if the Protocols line includes h2 and/or h2c).

To see whether clients and servers on your network actually negotiate http/2, watch the ALPN extension in the TLS handshake with tshark (the display filter has to be quoted for the shell):

tshark -Y 'ssl.handshake.extensions_alpn_str == h2' -n -i en0 \
  -T fields -e ip.src -e ip.dst -e ssl.handshake.type -e ssl.handshake.extensions_server_name \
  -e ssl.handshake.extensions_alpn_str

10.5.1.12 216.58.192.66 1 cm.g.doubleclick.net h2,spdy/3.1,http/1.1
216.58.192.66 10.5.1.12 2 h2
216.58.192.66 10.5.1.12 2 h2

In this handshake, the client (handshake type 1, ClientHello) offers http/2 (h2), spdy/3.1 and http/1.1 to cm.g.doubleclick.net. The server (handshake type 2, ServerHello) then selects http/2 (h2).
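The two conditions above can be checked mechanically against an httpd configuration. The following Python is an added example written for this diary, not Apache or ISC code; the configuration fragment it scans is constructed for the example, and it deliberately does not follow Include directives, so run it over every file that makes up the server configuration.

```python
import re

# Constructed sample httpd.conf fragment for the example (not a real server's config).
SAMPLE_CONF = """\
Listen 443
Protocols h2 http/1.1
<VirtualHost *:443>
    SSLEngine on
    SSLVerifyClient require
    SSLVerifyDepth 2
</VirtualHost>
"""


def strip_comments(text):
    """Drop everything after '#' on each line so commented-out directives are ignored."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def uses_h2(text):
    """True if any Protocols directive lists h2 (TLS) or h2c (cleartext)."""
    for m in re.finditer(r"^\s*Protocols\s+(.+)$", strip_comments(text), re.I | re.M):
        if {"h2", "h2c"} & set(m.group(1).split()):
            return True
    return False


def requires_client_cert(text):
    """True if the configuration contains 'SSLVerifyClient require' in any context."""
    return re.search(r"^\s*SSLVerifyClient\s+require\b",
                     strip_comments(text), re.I | re.M) is not None


def exposed(text):
    """Both conditions from the advisory hold: http/2 enabled and client certs required."""
    return uses_h2(text) and requires_client_cert(text)


if __name__ == "__main__":
    # Point this at the real files, e.g. the content of /etc/httpd/conf/httpd.conf.
    print("http/2 enabled:        ", uses_h2(SAMPLE_CONF))
    print("client certs required: ", requires_client_cert(SAMPLE_CONF))
    print("update needed:         ", exposed(SAMPLE_CONF))
```

The check is intentionally coarse: it reports a match wherever SSLVerifyClient require appears, whether globally or inside a Location or Directory block, because the diary does not narrow the condition further. A server that only sets "SSLVerifyClient optional" or lists "Protocols http/1.1" is not flagged.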
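What tshark is printing in the capture above is the server_name and ALPN extensions of the two Hello messages. The following Python is an added example, not part of the diary or of Wireshark, that builds a constructed ClientHello and ServerHello with those extensions and parses them back out, which is useful when you have raw handshake bytes (a pcap parsed by hand, an IDS payload) rather than a live tshark session. The hostname and protocol lists mirror the capture in the text; the random bytes and cipher suite are placeholders.

```python
import struct

HANDSHAKE = 0x16                 # TLS record content type
CLIENT_HELLO, SERVER_HELLO = 1, 2
EXT_SNI, EXT_ALPN = 0, 16        # extension type numbers from the TLS registry


def build_extension(ext_type, body):
    return struct.pack("!HH", ext_type, len(body)) + body


def sni_extension(hostname):
    name = hostname.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    return build_extension(EXT_SNI, struct.pack("!H", len(entry)) + entry)


def alpn_extension(protocols):
    body = b"".join(bytes([len(p)]) + p.encode() for p in protocols)
    return build_extension(EXT_ALPN, struct.pack("!H", len(body)) + body)


def wrap_handshake(msg_type, body):
    """Wrap a handshake body in a handshake header and a TLS record header."""
    hs = bytes([msg_type]) + struct.pack("!I", len(body))[1:] + body   # 3-byte length
    return bytes([HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(hs)) + hs


def build_client_hello(hostname, protocols):
    # Constructed: fixed random, one cipher suite, null compression.
    body = (b"\x03\x03" + b"\x11" * 32
            + b"\x00"                              # empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"   # cipher_suites
            + b"\x01\x00")                         # compression_methods
    exts = sni_extension(hostname) + alpn_extension(protocols)
    return wrap_handshake(CLIENT_HELLO, body + struct.pack("!H", len(exts)) + exts)


def build_server_hello(protocol):
    body = b"\x03\x03" + b"\x22" * 32 + b"\x00" + b"\xc0\x2f" + b"\x00"
    exts = alpn_extension([protocol])              # server echoes exactly one protocol
    return wrap_handshake(SERVER_HELLO, body + struct.pack("!H", len(exts)) + exts)


def parse_hello(record):
    """Return (handshake_type, sni_or_None, alpn_list) for one TLS handshake record."""
    ctype, _ver, rlen = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rlen]
    msg_type = hs[0]
    hlen = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hlen]
    pos = 2 + 32                                   # skip version + random
    sid_len = body[pos]; pos += 1 + sid_len
    if msg_type == CLIENT_HELLO:
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len
        cm_len = body[pos]; pos += 1 + cm_len
    elif msg_type == SERVER_HELLO:
        pos += 2 + 1                               # chosen cipher suite + compression
    else:
        raise ValueError("not a ClientHello or ServerHello")
    sni, alpn = None, []
    if pos + 2 > len(body):
        return msg_type, sni, alpn                 # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + elen]; pos += elen
        if etype == EXT_SNI:
            # list length (2) | name type (1) | name length (2) | name
            nlen = struct.unpack("!H", data[3:5])[0]
            sni = data[5:5 + nlen].decode()
        elif etype == EXT_ALPN:
            q = 2                                  # skip the protocol list length
            while q < len(data):
                plen = data[q]
                alpn.append(data[q + 1:q + 1 + plen].decode())
                q += 1 + plen
    return msg_type, sni, alpn


def offers_h2(record):
    """Equivalent of the tshark filter: does the ALPN list contain h2?"""
    return "h2" in parse_hello(record)[2]


if __name__ == "__main__":
    for rec in (build_client_hello("cm.g.doubleclick.net", ["h2", "spdy/3.1", "http/1.1"]),
                build_server_hello("h2")):
        mtype, sni, alpn = parse_hello(rec)
        print(mtype, sni or "", ",".join(alpn))   # same columns tshark prints above
```

Because ALPN is a list, the tshark filter ssl.handshake.extensions_alpn_str == h2 matches a ClientHello that merely offers h2 among other protocols; only the ServerHello line tells you http/2 was actually selected, which is why both records are printed in the capture.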

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn
