Questions tagged [vulnerabilities]

83 questions
42 votes, 4 answers

I updated my CentOS 7 system. Why is Meltdown/Spectre only partially mitigated?

Like many of us, I spent yesterday updating a whole lot of systems to mitigate the Meltdown and Spectre attacks. As I understand it, it is necessary to install two packages and…
Michael Hampton
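The check to run before reading any vendor advisory, added here as an example (it is not code from the question or its answers): kernels that carry the speculation fixes, the CentOS/RHEL 7 backports included, report their own mitigation status under /sys/devices/system/cpu/vulnerabilities, one file per issue. A spectre_v2 status that still begins with "Vulnerable" after the kernel update usually means the CPU microcode half of the fix is not loaded, because IBRS/IBPB are microcode features the kernel alone cannot supply; the directory contents below are constructed to show that state.

```shell
#!/bin/sh
# Added example: summarise the kernel's own Meltdown/Spectre mitigation status.
# Each file under this directory holds one line such as "Mitigation: PTI",
# "Not affected" or "Vulnerable: ..." for the named speculation issue.
SYSFS_VULN_DIR=/sys/devices/system/cpu/vulnerabilities

# Print "name: status" for every entry in a vulnerabilities directory.
# A missing directory means the running kernel predates the mitigations.
report_vulns() {
    vdir=$1
    if [ ! -d "$vdir" ]; then
        echo "no $vdir: running kernel has no speculation mitigations at all" >&2
        return 2
    fi
    for f in "$vdir"/*; do
        printf '%s: %s\n' "$(basename "$f")" "$(cat "$f")"
    done
}

# Number of entries still reported as "Vulnerable" (including partial states
# such as a retpoline kernel that lacks the IBPB microcode feature).
count_vulnerable() {
    report_vulns "$1" 2>/dev/null | grep -c '^[^:]*: Vulnerable' || true
}

# Constructed sample (illustrative text, not captured from a real host):
# a CentOS 7 machine after the kernel update but before a microcode update.
make_sample_dir() {
    sdir=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$sdir/meltdown"
    printf 'Mitigation: Load fences\n' > "$sdir/spectre_v1"
    printf 'Vulnerable: Minimal generic ASM retpoline\n' > "$sdir/spectre_v2"
    echo "$sdir"
}

# Stand-alone run: use the real sysfs directory when present, else the sample.
if [ -d "$SYSFS_VULN_DIR" ]; then target=$SYSFS_VULN_DIR; else target=$(make_sample_dir); fi
report_vulns "$target"
echo "entries still vulnerable: $(count_vulnerable "$target")"
# Hardware side: the microcode revision the kernel loaded, to compare with the
# vendor's fixed revision for your CPU model.
grep -m1 microcode /proc/cpuinfo 2>/dev/null || true
```

Run it after every reboot rather than once: the kernel decides at boot which mitigation it can use, so a microcode package installed without a reboot (or a microcode update the vendor later withdrew) shows up here as a regression.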
29 votes, 3 answers

What kinds of security vulnerabilities does providing DNSSEC expose?

I was planning to sign my DNS zone with DNSSEC. My zone, the registrar and my DNS server (BIND9) all support DNSSEC. The only one who doesn't support DNSSEC is my secondary nameserver provider (namely buddyns.com). On their website, they state this…
13 votes, 4 answers

How to convince my Administrator that Java ON A SERVER is not insecure per se?

The Application: We have a small Java application which uses some Camel routes to pick up uploaded files from a webserver, process them and send out some e-mails with the results. The server on which this application was running has been…
lajuette
12 votes, 2 answers

Meltdown & Spectre - Does patching the guest kernel of an unpatched hypervisor prevent cross-VM memory leaks?

24 hours after the wide scale release of the vulnerabilities, Rackspace is silent about Spectre and Meltdown. They do not have a plan for patching all of their Xen hypervisors. All their newer platform servers are HVM servers, which are vulnerable.…
Danny F
10 votes, 5 answers

How did Matasano get hacked?

from: http://seclists.org/fulldisclosure/2009/Jul/0388.html If I understand it correctly from the posts at: http://news.ycombinator.com/item?id=723798 the Matasano guys left sshd internet accessible - any proposed solutions for this (from a programming…
user14898
9 votes, 5 answers

How to check that a known Windows Vulnerability has been patched?

Is there a way in Windows to check that, say, Security Bulletin MS**-*** or CVE-****-***** has been patched? e.g. something akin to RedHat's rpm -q --changelog service Windows 2008 R2 SP1
frogstarr78
8 votes, 5 answers

How to patch CVE-2015-0235 (GHOST) on debian 7 (wheezy)?

This vulnerability was found in glibc, see this hacker news post for more info. As described in the debian bug tracker, the vulnerability was already patched in testing and unstable. I'd like to patch it as early as possible, so is it possible to…
twall
8 votes, 2 answers

In response to the OpenSSL Poodle vulnerability should I disable SSLv3?

OpenSSL just announced another new vulnerability in its memory routines. You can read all about it here: https://www.openssl.org/news/secadv_20141015.txt The workaround is to disable SSLv3. Will this disable HTTPS on our website completely? What…
Oxon
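POODLE (CVE-2014-3566) is a flaw in the SSL 3.0 protocol's CBC padding handling, not an OpenSSL memory bug, so the fix is to stop negotiating SSLv3 rather than to patch a library. Clients speaking TLS 1.0 or later are unaffected by that change, so HTTPS stays up; at the time essentially only Internet Explorer 6 on Windows XP was SSLv3-only. The script below is an added example, not from the question or its answers: it evaluates an httpd mod_ssl SSLProtocol directive with mod_ssl's keyword rules (each directive starts from an empty set, a bare keyword such as all or TLSv1.2 replaces the set, +kw adds, -kw removes) and reports whether SSLv3 would still be offered, using a constructed weak config beside the corrected one. Assumptions: keywords are matched case-sensitively, one directive per file, and a config with no SSLProtocol at all gets the default the mod_ssl documentation lists for 2.2 and for 2.4 up to 2.4.16, which is all.

```shell
#!/bin/sh
# Added example: audit httpd mod_ssl configuration for SSLv3 exposure (POODLE).

# Print the protocols the last SSLProtocol directive in a file leaves enabled.
# Assumption: one directive per file, no <VirtualHost>-level overrides; extend
# the awk to track vhost scope if your config is split that way.
effective_protocols() {
    awk '
    function add_all() { p["SSLv3"] = 1; p["TLSv1"] = 1; p["TLSv1.1"] = 1; p["TLSv1.2"] = 1 }
    /^[ \t]*#/ { next }                          # comments
    $1 == "SSLProtocol" {
        seen = 1; split("", p)                   # every directive starts from an empty set
        for (i = 2; i <= NF; i++) {
            t = $i; op = substr(t, 1, 1)
            if (op == "+" || op == "-") t = substr(t, 2); else op = "="
            if (op == "=") split("", p)          # bare keyword replaces whatever came before
            if (t == "all") { if (op == "-") split("", p); else add_all() }
            else if (op == "-") delete p[t]
            else p[t] = 1
        }
    }
    END {
        if (!seen) add_all()                     # no directive: default "all" in 2.2 and 2.4 <= 2.4.16
        for (k in p) print k
    }' "$1" | sort
}

# Exit 0 when SSLv3 is still negotiable, 1 when it is disabled.
sslv3_allowed() {
    effective_protocols "$1" | grep -qx SSLv3
}

# Constructed configs (illustrative, not from any real server).
weak_config() {       # typical pre-POODLE hardening: only SSLv2 removed
    f=$(mktemp)
    printf 'SSLEngine on\n# SSLv2 was dropped years ago, SSLv3 is still offered\nSSLProtocol all -SSLv2\n' > "$f"
    echo "$f"
}
fixed_config() {      # POODLE fix: SSLv3 removed; TLS clients still connect
    f=$(mktemp)
    printf 'SSLEngine on\nSSLProtocol all -SSLv3 -SSLv2\n' > "$f"
    echo "$f"
}

# Stand-alone run on the two samples, then on a live config if one exists.
for c in "$(weak_config)" "$(fixed_config)" /etc/httpd/conf.d/ssl.conf; do
    [ -f "$c" ] || continue
    if sslv3_allowed "$c"; then v=STILL_ENABLED; else v=disabled; fi
    printf '%s: SSLv3 %s (protocols: %s)\n' "$c" "$v" "$(effective_protocols "$c" | tr '\n' ' ')"
done
```

Confirm the change from outside as well, since the config file is not the only place a protocol can be enabled: after reloading httpd, an SSLv3-only handshake against the server must fail while a TLS handshake succeeds.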
6 votes, 8 answers

(200 ok) ACCEPTED - Is this a hacking attempt?

I assume this is some type of hacking attempt. I've tried to Google it but all I get are sites that look like they have been exploited already. I'm seeing requests to one of my pages that look like…
Byran Zaugg
5 votes, 5 answers

How to patch CVE-2015-0235 (GHOST) on Debian Lenny and Squeeze?

Is there a right way to patch GHOST on Debian Lenny and Squeeze? According to this link there are no plans to patch Lenny https://security-tracker.debian.org/tracker/CVE-2015-0235 Thanks!
5 votes, 7 answers

Web Application Vulnerability Scanner suggestions?

I'm looking for a new tool for the ol' admin toolkit and would value some suggestions. I would like to do some "automated" testing of a handful of websites for XSS (cross site scripting) vulns, along with checking for SQL injection opportunities. I…
Chris_K
5 votes, 4 answers

Preventing vulnerability scripts from scanning apache server

Quick question for you all - fairly frequently in my httpd logs I see things like this: 66.11.122.194 - - [29/Jan/2010:11:06:44 +0000] "GET HTTP/1.1 HTTP/1.1" 400 418 "-" "Toata dragostea mea pentru diavola" 66.11.122.194 - - [29/Jan/2010:11:06:44…
user32616
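Nothing stops the internet from sending those requests, but the clients are easy to recognise and can be fed to a firewall or to fail2ban, whose apache-badbots and apache-noscript jails do exactly this. The script below is an added example (not from the question or its answers) that runs over constructed combined-format log lines, including the malformed "GET HTTP/1.1 HTTP/1.1" request line and user agent quoted in the question: it counts 4xx responses per client, flags clients over a threshold or using a known scanner agent, and emits httpd 2.2-style Deny from lines. The agent list and the threshold are assumptions to tune against your own traffic.

```shell
#!/bin/sh
# Added example: pick vulnerability scanners out of an Apache combined log.

# Print "ip  4xx-count  user-agent" for clients that look like scanners:
# $1 = log file, $2 = number of 4xx responses that triggers a flag.
flag_scanners() {
    awk -v thr="$2" '
    {
        ip = $1; seen[ip] = 1
        # the status code follows the closing quote of the request line, which
        # also copes with malformed request lines such as "GET HTTP/1.1 HTTP/1.1"
        if (!match($0, /" [0-9][0-9][0-9] /)) next
        status = substr($0, RSTART + 2, 3)
        n = split($0, q, "\""); ua = q[n - 1]      # last quoted field
        if (status ~ /^4/) bad[ip]++
        # assumed list of agent strings that only scanners send
        if (tolower(ua) ~ /toata dragostea|nikto|sqlmap|masscan|zgrab|morfeus/) agent[ip] = ua
    }
    END {
        for (ip in seen)
            if (bad[ip] >= thr || (ip in agent))
                printf "%s\t%d\t%s\n", ip, bad[ip], (ip in agent) ? agent[ip] : "-"
    }' "$1" | sort
}

# Turn flagged clients into httpd 2.2 access-control lines (use "Require not ip"
# with mod_authz_core on 2.4, or hand the addresses to iptables/ipfw instead).
deny_lines() {
    flag_scanners "$1" "$2" | cut -f1 | sed 's/^/Deny from /'
}

# Constructed log lines (RFC 5737 documentation addresses, not real traffic).
sample_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
203.0.113.7 - - [29/Jan/2010:11:06:44 +0000] "GET HTTP/1.1 HTTP/1.1" 400 418 "-" "Toata dragostea mea pentru diavola"
203.0.113.7 - - [29/Jan/2010:11:06:44 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 283 "-" "Toata dragostea mea pentru diavola"
203.0.113.7 - - [29/Jan/2010:11:06:45 +0000] "GET /pma/ HTTP/1.1" 404 283 "-" "Toata dragostea mea pentru diavola"
203.0.113.7 - - [29/Jan/2010:11:06:45 +0000] "GET /mysql/ HTTP/1.1" 404 283 "-" "Toata dragostea mea pentru diavola"
198.51.100.5 - - [29/Jan/2010:11:07:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.5 - - [29/Jan/2010:11:07:02 +0000] "GET /missing.png HTTP/1.1" 404 283 "http://example.org/" "Mozilla/5.0"
EOF
    echo "$f"
}

log=$(sample_log)
flag_scanners "$log" 3
deny_lines "$log" 3
```

The threshold matters more than the agent list: scanners change their User-Agent far more readily than they stop probing for /phpmyadmin/, so a burst of 404s from one address is the durable signal, and a legitimate visitor with one broken image link (the second client above) must not trip it.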
4 votes, 6 answers

I can't enable the Meltdown/Spectre mitigations in Windows Server 2008 R2

I have installed the patch released today as detailed here and then set the two registry keys as mentioned: reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management" /v FeatureSettingsOverride /t REG_DWORD /d 0…
Darren
4 votes, 2 answers

Shellshock - "pkg upgrade bash" doesn't update bash to latest 4.3.25

I'm using FreeBSD-9.1-p5. My security run output: Checking for packages with security vulnerabilities: Database fetched: Wed Sep 24 23:01:24 EDT 2014 bash-4.3.24 pkg info bash: # pkg info bash bash-4.3.24 Name : bash Version :…
alexus
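The package version tells you what the ports tree built, not what the binary does. The probe below is an added example (not from the question or its answers) that asks bash directly: first for CVE-2014-6271, the original Shellshock bug in which bash executed whatever followed an exported function body while importing its environment, and then for whether the binary still turns any variable beginning with "() {" into a function at all, which is the state the first fix left bash in and what the follow-up CVEs targeted. The argument is the bash to test; on FreeBSD the ports binary is /usr/local/bin/bash, distinct from the base system's /bin/sh.

```shell
#!/bin/sh
# Added example: probe a bash binary for Shellshock instead of trusting the
# package version. Output: vulnerable | partial | patched | missing.
shellshock_check() {
    b=${1:-bash}
    command -v "$b" >/dev/null 2>&1 || { echo missing; return 0; }

    # Probe 1 (CVE-2014-6271): a vulnerable bash runs the command that follows
    # the function body while importing the environment, so "vulnerable" is
    # printed before the -c command even starts.
    out=$(env ss_probe='() { :;}; echo vulnerable' "$b" -c 'echo probe' 2>/dev/null)
    case $out in
        *vulnerable*) echo vulnerable; return 0 ;;
    esac

    # Probe 2: a fully fixed bash only imports functions from specially named
    # variables, so an ordinary variable whose value starts with "() {" must
    # stay a plain string. If "type" finds a function, the environment is still
    # being parsed for function bodies, which CVE-2014-7169 and later exploited.
    if env ss_probe='() { echo imported; }' "$b" -c 'type ss_probe' >/dev/null 2>&1; then
        echo partial; return 0
    fi
    echo patched
}

# Stand-alone run: the bash on PATH plus the FreeBSD ports location.
for candidate in bash /usr/local/bin/bash; do
    printf '%s: %s\n' "$candidate" "$(shellshock_check "$candidate")"
done
```

Run it against every bash on the box, not just the first on PATH: a rebuilt port sitting beside an older copy is exactly the situation in which a clean package version and a vulnerable binary coexist.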
4 votes, 1 answer

Is apache 2.2.15 vulnerable on CentOS 6.3?

My server has been scanned for vulnerabilities and they are asking that I upgrade my Apache server, but the CentOS repositories do not provide Apache > 2.2.15. If this version is vulnerable, then why does CentOS not provide a newer version to upgrade in…
sunlight
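Both GHOST questions and this Apache 2.2.15 one run into the same thing: enterprise distributions backport security fixes into the shipped version without changing the upstream version number, so a scanner keyed on version strings keeps complaining and "newer than 2.2.15" is the wrong test. The check a practitioner wants is whether the installed package's changelog names the CVE, which is what the rpm -q --changelog idiom asked about earlier on this page does. The script below is an added example (not from any of the questions or their answers): it parses changelog text in either the rpm layout or the Debian layout, returns the version of the entry that mentions the CVE, and wraps rpm or the Debian changelog under /usr/share/doc when either is available. The sample entries are constructed with illustrative version strings; take the real fixed versions from the distribution's advisory (for Debian, the security tracker URL quoted in the Lenny question).

```shell
#!/bin/sh
# Added example: decide whether an installed package carries a CVE fix by
# reading its changelog rather than comparing upstream version numbers.

# Print the version of the newest changelog entry mentioning $2 (a CVE id)
# in file $1; exit 1 if none does. Understands two layouts:
#   rpm:    "* Wed Jan 28 2015 Maintainer <m@example.invalid> - 2.12-1.149.el6_6.5"
#   Debian: "glibc (2.13-38+deb7u7) wheezy-security; urgency=high"
# Assumption: rpm header lines end with the version (distro packages do).
changelog_fix_version() {
    awk -v cve="$2" '
    /^\* /                            { ver = $NF; next }
    /^[a-z0-9][a-z0-9.+-]* \([^)]+\)/ { ver = $2; gsub(/[()]/, "", ver); next }
    index($0, cve) && ver != ""       { print ver; found = 1; exit }
    END                               { exit found ? 0 : 1 }
    ' "$1"
}

# Ask the local package manager for the installed changelog and check it.
# Prints "PKG: CVE fixed in VERSION" or "PKG: no entry for CVE". Because the
# changelog belongs to the installed build, a hit means the fix is present.
package_fixes_cve() {
    pkg=$1; cve=$2; tmp=$(mktemp)
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --changelog "$pkg" > "$tmp" 2>/dev/null
    elif [ -f "/usr/share/doc/$pkg/changelog.Debian.gz" ]; then
        zcat "/usr/share/doc/$pkg/changelog.Debian.gz" > "$tmp"
    fi
    if v=$(changelog_fix_version "$tmp" "$cve"); then
        echo "$pkg: $cve fixed in $v"
    else
        echo "$pkg: no entry for $cve"
    fi
    rm -f "$tmp"
}

# Constructed samples (illustrative versions, not copied from real advisories).
sample_rpm_changelog() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
* Wed Jan 28 2015 Example Maintainer <maint@example.invalid> - 2.12-1.149.el6_6.5
- Fix buffer overflow in __nss_hostname_digits_dots (CVE-2015-0235, GHOST)
* Mon Nov 10 2014 Example Maintainer <maint@example.invalid> - 2.12-1.149.el6_6.4
- Unrelated bug fix
EOF
    echo "$f"
}
sample_debian_changelog() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
glibc (2.13-38+deb7u7) wheezy-security; urgency=high

  * Backport fix for CVE-2015-0235 (GHOST).

 -- Example Maintainer <maint@example.invalid>  Tue, 27 Jan 2015 10:00:00 +0100

glibc (2.13-38+deb7u6) wheezy; urgency=low

  * Earlier, unrelated fix.

 -- Example Maintainer <maint@example.invalid>  Mon, 01 Sep 2014 10:00:00 +0200
EOF
    echo "$f"
}

changelog_fix_version "$(sample_rpm_changelog)" CVE-2015-0235
changelog_fix_version "$(sample_debian_changelog)" CVE-2015-0235
package_fixes_cve glibc CVE-2015-0235    # package is libc6 on Debian
```

A changelog entry proves the maintainer's intent, not that the backport is complete, so keep the second leg of the check as well: compare the installed version against the one named in the DSA or RHSA, and hand the scanner that advisory rather than arguing with it about version strings. For a release with no plans to fix (Lenny, per the tracker link in the question), the changelog will simply never gain the entry, which is the honest answer the script gives.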