Wednesday, May 11, 2016

System Status: File Server Maintenance

System Status: File Server Maintenance

The file server is temporarily down for maintenance.

- wong chee tat :)

Blog Updates:

Blog Updates:

Minor updates:

- Update labels on some old posts

Will continue to make minor improvements for this blog!

- wong chee tat :)

Homage to the 36 trillion, 119 thousand, 500 Amitabha Buddhas

Homage to the 36 trillion, 119 thousand, 500 Amitabha Buddhas

Homage to the 36 trillion, 119 thousand, 500 Amitabha Buddhas

Homage to the 36 trillion, 119 thousand, 500 Amitabha Buddhas

Homage to the 36 trillion, 119 thousand, 500 Amitabha Buddhas

Homage to the 36 trillion, 119 thousand, 500 Amitabha Buddhas

Homage to the 36 trillion, 119 thousand, 500 Amitabha Buddhas

Homage to the 36 trillion, 119 thousand, 500 Amitabha Buddhas

Homage to the 36 trillion, 119 thousand, 500 Amitabha Buddhas

- wong chee tat :)

Homage to the 36 trillion, 119 thousand, 500 Amitabha Buddhas

Microsoft Security Advisory 3123479 - Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program

Microsoft Security Advisory 3123479

Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program

Published: January 12, 2016

Version: 1.0

On this page

Executive Summary

Microsoft has released a SHA-1 code sign deprecation change effective January 1, 2016, focused on client activity that can only occur when a customer downloads files from the Internet. This change is specific to a new default setting for Windows and customers can override or augment the default settings in their environment.

For customers running either Internet Explorer or Microsoft Edge who download a SHA-1 signed file from the Internet that is timestamped and released on January 1, 2016, or later, SmartScreen will mark the file as not trusted. This status does not prevent customers from downloading the file or running these browsers on their computers. But customers are warned of the not trusted status of the file.

This change only affects Mark-of-the-Web (MOTW) files downloaded from the Internet. Files timestamped before January 1, 2016, will continue to be trusted. Drivers with signatures verified by Code Integrity are not affected by this change. To conform to the latest requirements for driver signing, see the Windows Hardware Certification blog.

Advisory Details

Issue References

For more information about this issue, see the following references:

References	References
General Information	Windows Enforcement of Authenticode Code Signing and Timestamping
Technical Requirements	Protecting Against Weak Cryptographic Algorithms

Affected Software

This advisory applies to the following operating systems:

Windows 7

Windows 7 for 32-bit Systems Service Pack 1

Windows 7 for x64-based Systems Service Pack 1

Windows Server 2008 R2

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for Itanium-based Systems Service Pack 1

Windows 8

Windows 8 for 32-bit Systems

Windows 8 for x64-based Systems

Windows Server 2012

Windows Server 2012

Windows 8.1

Windows 8.1 for 32-bit Systems

Windows 8.1 for x64-based Systems

Windows Server 2012 R2

Windows Server 2012 R2

Windows 10

Windows 10 for 32-bit Systems[1]

Windows 10 for x64-based Systems[1]

Windows 10 Version 1511 for 32-bit Systems[1]

Windows 10 Version 1511 for x64-based Systems[1]

Server Core installation option

Windows Server 2008 R2 for x64-based Systems (Server Core installation)

Windows Server 2012 (Server Core installation)

Windows Server 2012 R2 (Server Core installation)

[1]The Windows 10 update is cumulative. In addition to containing non-security updates, it also contains all of the security fixes for all of the Windows 10-affected vulnerabilities shipping with given month’s security release. The update is available via the Windows Update Catalog. See Microsoft Knowledge Base Article 3097617 for more information and download links.

Advisory FAQ

What is the scope of the advisory?
This advisory aims to assist customers in assessing the risk of certain applications that use X.509 digital certificates that are signed using the SHA-1 hashing algorithm and to recommend that administrators and certificate authorities begin using SHA-2 in place of SHA-1 as an algorithm for signing digital certificates.

Is this a security vulnerability that requires Microsoft to issue a security update?
No. A signing mechanism alternative to SHA-1 has been available for some time, and the use of SHA-1 as a hashing algorithm for signing purposes has been discouraged and is no longer a best practice. Microsoft will however evaluate any opportunities to strengthen technologies to detect fraudulent certificates. Although this is not a vulnerability in a Microsoft product, Microsoft is issuing this advisory to help clarify the actual risk involved to customers.

What causes this threat? The root cause of the problem is a known weakness of the SHA-1 hashing algorithm that exposes it to collision attacks. Such attacks could allow an attacker to generate additional certificates that have the same digital signature as an original. These issues are well understood and the use of SHA-1 certificates for specific purposes that require resistance against these attacks has been discouraged. At Microsoft, the Security Development Lifecycle has required Microsoft to no longer use the SHA-1 hashing algorithm as a default in Microsoft software. For more information about SHA-1 collision weakness, see The SHAppening: freestart collisions for SHA-1.

What is a digital certificate? In public key cryptography, one of the keys, known as the private key, must be kept secret. The other key, known as the public key, is intended to be shared with the world. However, there must be a way for the owner of the key to tell the world who the key belongs to. Digital certificates provide a way to do this. A digital certificate is an electronic credential used to certify the online identities of individuals, organizations, and computers. Digital certificates contain a public key packaged together with information about it - who owns it, what it can be used for, when it expires, and so forth. For more information, see Understanding Public Key Cryptography and Digital Certificates.

What is the purpose of a digital certificate? Digital certificates are used primarily to verify the identity of a person or device, authenticate a service, or encrypt files. Normally, there is no need to think about certificates at all, aside from the occasional message stating that a certificate is expired or invalid. In such cases, one should follow the instructions provided in the message.

What is a certification authority (CA)? Certification authorities are the organizations that issue certificates. They establish and verify the authenticity of public keys that belong to people or other certification authorities, and they verify the identity of a person or organization that asks for a certificate.

Suggested Actions

Review Microsoft Root Certificate Program Policy Changes
Customers who are interested in learning more about the topic covered in this advisory should review Windows Enforcement of Authenticode Code Signing and Timestamping.
Update from SHA-1 to SHA-2
Certificate authorities should no longer sign newly generated certificates using the SHA-1 hashing algorithm. Customers should ensure that their certificate authorities are using the SHA-2 hashing algorithm to obtain SHA-2 certificates from their certificate authorities. To sign code with SHA-2 certificates, see the guidance on this topic at Windows Enforcement of Authenticode Code Signing and Timestamping.

Impact of action: Older hardware-based solutions may require upgrading to support these newer technologies.
Keep Windows Updated
All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Windows Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them.

Other Information

Feedback

You can provide feedback by completing the Microsoft Help and Support form, Customer Service Contact Us.

Support

Customers in the United States and Canada can receive technical support from Security Support. For more information, see Microsoft Help and Support.
International customers can receive support from their local Microsoft subsidiaries. For more information, see International Support.
Microsoft TechNet Security provides additional information about security in Microsoft products.

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

V1.0 (January 12, 2016): Advisory published.

Page generated 2016-01-06 11:24-08:00.

- wong chee tat :)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-16:17.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple OpenSSL vulnerabilities

Category:       contrib
Module:         openssl
Announced:      2016-05-04
Credits:        OpenSSL Project
Affects:        All supported versions of FreeBSD.
Corrected:      2016-05-03 18:54:20 UTC (stable/10, 10.3-STABLE)
                2016-05-04 15:25:47 UTC (releng/10.3, 10.3-RELEASE-p2)
                2016-05-04 15:26:23 UTC (releng/10.2, 10.2-RELEASE-p16)
                2016-05-04 15:27:09 UTC (releng/10.1, 10.1-RELEASE-p33)
                2016-05-04 06:53:02 UTC (stable/9, 9.3-STABLE)
                2016-05-04 15:27:09 UTC (releng/9.3, 9.3-RELEASE-p41)
CVE Name:       CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2109,
                CVE-2016-2176

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

FreeBSD includes software from the OpenSSL Project.  The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.

II.  Problem Description

The padding check in AES-NI CBC MAC was rewritten to be in constant time
by making sure that always the same bytes are read and compared against
either the MAC or padding bytes. But it no longer checked that there was
enough data to have both the MAC and padding bytes. [CVE-2016-2107]

An overflow can occur in the EVP_EncodeUpdate() function which is used for
Base64 encoding of binary data. [CVE-2016-2105]

An overflow can occur in the EVP_EncryptUpdate() function, however it is
believed that there can be no overflows in internal code due to this problem.
[CVE-2016-2106]

When ASN.1 data is read from a BIO using functions such as d2i_CMS_bio()
a short invalid encoding can casuse allocation of large amounts of memory
potentially consuming excessive resources or exhausting memory.
[CVE-2016-2109]

ASN1 Strings that are over 1024 bytes can cause an overread in applications
using the X509_NAME_oneline() function on EBCDIC systems. [CVE-2016-2176]
FreeBSD does not run on any EBCDIC systems and therefore is not affected.

III. Impact

A MITM attacker can use a padding oracle attack to decrypt traffic
when the connection uses an AES CBC cipher and the server support
AES-NI. [CVE-2016-2107]

If an attacker is able to supply very large amounts of input data then a
length check can overflow resulting in a heap corruption. [CVE-2016-2105]

Any application parsing untrusted data through d2i BIO functions are vulnerable
to memory exhaustion attack. [CVE-2016-2109]  TLS applications are not affected.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Restart all daemons that use the library, or reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Restart all daemons that use the library, or reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 10.x]
# fetch https://security.FreeBSD.org/patches/SA-16:17/openssl-10.patch
# fetch https://security.FreeBSD.org/patches/SA-16:17/openssl-10.patch.asc
# gpg --verify openssl-10.patch.asc

[FreeBSD 9.3]
# fetch https://security.FreeBSD.org/patches/SA-16:17/openssl-9.patc
# fetch https://security.FreeBSD.org/patches/SA-16:17/openssl-9.patch.asc
# gpg --verify openssl-9.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart all daemons that use the library, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/9/                                                         r299053
releng/9.3/                                                       r299068
stable/10/                                                        r298999
releng/10.1/                                                      r299068
releng/10.2/                                                      r299067
releng/10.3/                                                      r299066
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:



VII. References













The latest revision of this advisory is available at

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJXKjuIAAoJEO1n7NZdz2rneZoP/jqsWr9q5MkCel2aZzfmSVhU
8CjzPwm3t48ibZqrkolAak4dbjJGhidUM/S83BvIcCdtKWyoG8D0fzemB7bBIP2L
fqvd1314vuy82CgZlAyJIqzokckUPfyHhTAz9FPZW46f8A+s8znzJcaaD81tt1Xe
qg9JZ61e2DZJ2NdZSJSjOpBl55gZqQq3tIwGYw027GKjiflJSvOG1n/531R4rppI
x0IZpLor7XBWuiC44hPc4yasC4khWzmdaRpqcUoWVEex8g6Il6xByS2o4AgX7kE/
NBZ0mj4IMYZNQW4VUYbnkmLtWXJYYScboBKh4FRljNCG/t5u/YoSfOY8SbS9LT9K
KVj56C6tQRq+/frKbPt26HbqqRTFNVn3FKxJWNQ9CLzsebobXPUYATTN2NVC8gkj
S0A/lT2xnvA2YqB9HfmHOvlHS2LDv8SivJWNK4dCPOwhVm624H4qH/N+VFcwU7zc
ue+BPvDYU/czsyoJDdQoWxTdkreaOY6eLAWkYAh9dEDIkZSOxgsZR7C4th6THXMu
ybIy544elc3bf9vS4tGR552Wi9VntE0B1/LJ2la8l+MnYE6qZL1hbAYpvNyuPWVP
EDPjOc4inaMpV62fuL1UrKH1g1HMmFUnoWhC70iS+cuLeXWFdvwBFyL420Ixkd5H
zvcsfJCrazlcZ6j83Qfd
=PGTh
-----END PGP SIGNATURE-----

- wong chee tat :)

McAfee DAT version = 8161 (May 09th 2016)

McAfee DAT version = 8161 (May 10th 2016)

Link: here ( Select Yes. And it keeps getting updated daily. Region=US)

- wong chee tat :)

Medicine Master Buddha

- Pic from Internet

- wong chee tat :)

me think :)

Wednesday, May 11, 2016

System Status: File Server Maintenance

Blog Updates:

Om Mani Padme Hum

Homage to the 36 trillion, 119 thousand, 500 Amitabha Buddhas

Homage to the 36 trillion, 119 thousand, 500 Amitabha Buddhas

Homage to the 36 trillion, 119 thousand, 500 Amitabha Buddhas

Microsoft Security Advisory 3123479 - Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program

Microsoft Security Advisory 3123479

Deprecation of SHA-1 Hashing Algorithm for Microsoft Root Certificate Program

Executive Summary

Advisory Details

Affected Software

Advisory FAQ

Suggested Actions

Other Information

Feedback

Support

Disclaimer

Revisions

Om Mani Padme Hum

System Status: Fan Maintenance

Om Mani Padme Hum

FreeBSD-SA-16:17.openssl

McAfee DAT version = 8161 (May 09th 2016)

Medicine Master Buddha