漏洞类别：CGI 漏洞等级： 漏洞信息 LxCenter Kloxo (formerly known as Lxadmin) is a free, opensource web hosting control panel for the Red Hat and CentOS Linux distributions. The vulnerability exists because an implemented /lbin/webcommand.php source file fails to properly sa…

漏洞类别：Ubuntu 漏洞等级： 漏洞信息 It was discovered that Nettle incorrectly mitigated certain timing side-channel attacks. 漏洞危害 A remote attacker could possibly use this flaw to recover private keys. 解决方案 Refer to Ubuntu advisory USN-3193-1 for affected packages and patc…

漏洞类别：Ubuntu 漏洞等级： 漏洞信息 It was discovered that Squid incorrectly handled processing HTTP conditional requests. It was discovered that Squid incorrectly handled certain HTTP Request headers when using the Collapsed Forwarding feature. 漏洞危害 A remote attacker coul…

漏洞类别：Ubuntu 漏洞等级： 漏洞信息 A large number of security issues were discovered in the WebKitGTK+ Web and JavaScript engines. 漏洞危害 If a user were tricked into viewing a malicious website, a remote attacker could exploit a variety of issues related to web browser secu…

漏洞类别：Ubuntu 漏洞等级： 漏洞信息 It was discovered that the asynchronous multibuffer cryptographic daemon (mcryptd) in the Linux kernel did not properly handle being invoked with incompatible algorithms. It was discovered that the ICMP implementation in the Linux kernel…

漏洞类别：Ubuntu 漏洞等级： 漏洞信息 It was discovered that the SCTP implementation in the Linux kernel improperly handled validation of incoming data. 漏洞危害 A remote attacker could use this to cause a denial of service (system crash). 解决方案 Refer to Ubuntu advisory USN-3188-…

漏洞类别：Ubuntu 漏洞等级： 漏洞信息 It was discovered that the SCTP implementation in the Linux kernel improperly handled validation of incoming data. It was discovered that multiple memory leaks existed in the XFS implementation in the Linux kernel. 漏洞危害 A remote attacker…

漏洞类别：RedHat 漏洞等级： 漏洞信息 The Red Hat Virtualization Manager is a centralized management platform that allows system administrators to view and manage virtual machines. The Manager provides a comprehensive range of features including search capabilities, resource…

漏洞类别：RedHat 漏洞等级： 漏洞信息 The Simple Protocol for Independent Computing Environments (SPICE) is a remote display protocol for virtual environments. SPICE users can access a virtualized desktop or server from the local system or any system with network access to t…

漏洞类别：RedHat 漏洞等级： 漏洞信息 The Network Time Protocol (NTP) is used to synchronize a computer's time with another referenced time source. These packages include the ntpd service which continuously adjusts system time and utilities used to query and configure the nt…

漏洞类别：Fedora 漏洞等级： 漏洞信息 Fedora has released security update for gnome-boxes to fix the vulnerability. Affected OS: Fedora 25 漏洞危害 Successful exploitation allows attacker to compromise the system. 解决方案 Fedora has issued updated packages to fix this vulnerability…

漏洞类别：Fedora 漏洞等级： 漏洞信息 Fedora has released security update for opensslk to fix the vulnerability. Affected OS: Fedora 25 漏洞危害 Successful exploitation may be lead to DOS attacks. Attacks against RSA and DSA possible on x86_64 due to a carry propagating bug. 解决方…

漏洞类别：OEL 漏洞等级： 漏洞信息 Oracle Enterprise Linux has released security update for unbreakable enterprise kernel to fix the vulnerabilities. Affected Products: Oracle Linux 7 Oracle Linux 6 漏洞危害 Successful exploitation will cause information leakage and denial of se…

漏洞类别：OEL 漏洞等级： 漏洞信息 Oracle Enterprise Linux has released security update for ntp to fix the vulnerabilities. Affected Products: Oracle Linux 7 Oracle Linux 6 漏洞危害 Successful exploitation may lead to a denial of service attack. Other attacks also possible. 解决方案…

漏洞类别：Fedora 漏洞等级： 漏洞信息 Fedora has released security update for kernel to fix the vulnerability. Affected OS: Fedora 24 漏洞危害 Successful exploitation may allow a denial of service. 解决方案 Fedora has issued updated packages to fix this vulnerability. Updates can be…

漏洞类别：Fedora 漏洞等级： 漏洞信息 Fedora has released security update for phpmyadmin to fix the vulnerability. Affected OS: Fedora 24 Fedora 25 漏洞危害 Successful exploitation allows attacker to compromise the system. 解决方案 Fedora has issued updated packages to fix this vuln…

漏洞类别：Fedora 漏洞等级： 漏洞信息 Fedora has released security update for calibre to fix the vulnerability. Affected OS: Fedora 24 Fedora 25 漏洞危害 Successful exploitation allows attacker to compromise the system. 解决方案 Fedora has issued updated packages to fix this vulnera…

漏洞类别：Local 漏洞等级： 漏洞信息 A BIG-IP virtual server configured with a Client SSL profile that has the non-default Session Tickets option enabled may leak up to 31 bytes of uninitialized memory. The vulnerability exists in the implementation of the TLS SessionTicket …

漏洞类别：Local 漏洞等级： 漏洞信息 Node.js is a platform built on Chrome's JavaScript runtime for easily building fast, scalable network applications. Node.js is exposed to a root path disclosure vulnerability in send Module. Affected Products: Send module prior to 0.11.1 …

0x00 前言 二进制分析框架提供给我们强大的自动化分析的方法。本文中，我们将看下Angr，一个python实现的用于静态和动态分析的分析框架。它基于Valgrind的VEX中间层语言。使用一个精简的加载器“CLE Loads Everything”，这个加载器不是完全精确的，但是能够加载ELF/ARM的可执行文件，因此对于处理Android的原生库有帮助。 我们的目标程序是一个授权验证程序。虽然在应用商店中不会总是发现类似的东西，但是用来描述基本的符号分析是足够的。您可以在混淆的Android二进制文件中以许多创…

Ticketbleed是F5 BIG-IP设备的TLS / SSL堆栈中的软件漏洞，允许远程攻击者一次提取高达31字节的未初始化内存。 这部分内存中可能包含来自其他连接的密钥或敏感数据。 它在情形和影响类似于Heartbleed漏洞。它的不同之处在于，它一次暴露31个字节，而不是64k，需要多次轮询执行攻击，并且它影响专有的F5 TLS堆栈，而不是OpenSSL。 测试 你可以在下面的网址中进行测试服务器是否受Ticketbleed影响（eg: example.com:443） https://filippo.io…

据外媒 softpedia 报道，早些时候 Steam 游戏平台玩家被警告：暂不要点击查看个人主页，该页面存在漏洞可被攻击者恶意利用，进行网络钓鱼、盗用 Steam 账户余额买东西套现。幸运的是，目前官方已经修补了这个漏洞。 起初，有粉丝在 reddit 论坛上提出该漏洞利用方式，这是一个基于 Steam 配置文件的注入漏洞。此漏洞影响所有浏览器的 Steam 桌面和移动版本。建议用户不要去点击他人 Steam 个人主页链接并在浏览器上禁用 JavaScript 。 当用户访问其他 Steam 用户的个人资料页面查…

美国国土安全部长 John Kelly 周二表示，美国大使馆可能会在将来要求签证申请人提供社交媒体帐户及密码。 Kelly 称此举可加强背景审查，筛选出可能对安全构成威胁的人，尤其是七个来自穆斯林国家的游客：伊朗，伊拉克，利比亚，索马里，苏丹，叙利亚和也门。这些国家对人员的背景审查很松，美国希望通过此举增加些额外的筛查，了解申请人的社交状况。此举对真正来美国旅游的人来说，他们会积极配合工作。 此举也和此前特朗普 1 月 27 日发布的移民和难民禁令有关。 本文由 HackerNews.cc 翻译整理，封面来源于网络…

安全公司 Dr.Web 发现一种 Windows 木马 Trojan.Mirai.1 。黑客正在使用它传播恶意软件 Mirai、感染物联网设备进行大规模 DDoS 攻击。 Windows 木马传播恶意软件 Mirai 该 Windows 木马被称为 Trojan.Mirai.1 ，其最重要的功能就是帮助 Mirai 感染更多的设备。木马使用 C ++ 语言编写，用于扫描指定范围 IP 地址的 TCP 端口，以便执行命令、传播恶意软件。木马启动后将连接命令和控制服务器下载配置文件（ wpd.dat ）、提取 IP 地…

某流行毒品和被盗信用卡交易黑市刚刚弄了个安全漏洞奖励项目，给报告漏洞的黑客支付报酬。该“Hansa”黑市于上周启动了奖励项目，邀请安全研究人员揭露可能泄露用户、供货商或管理员的漏洞，金额高至10比特币（约合1万美元）。 这点钱，比起黑客通过传统方式利用漏洞进行勒索什么的，当然赚得少多了。2015年被捕的非法网络黑市“丝路”老板罗斯·乌布里奇，就不得不支付能对该网站发起DDoS攻击的黑客每周$50,000的薪水。据称，他还支付了暗地里威胁要曝光他身份的黑客大量现金。 在Hansa网，不能用于揭露用户、供货商和管理员身…