Forged ECDSA signatures can be created in Java SE. Vulnerabilities in MySQL, VirtualBox and Solaris

Oracle has published a scheduled update for its products (Critical Patch Update), aimed at eliminating critical problems and vulnerabilities. The April update fixes a total of 520 vulnerabilities.

Some of the problems:

  • 6 security issues in Java SE. All of the vulnerabilities can be exploited remotely without authentication and affect environments that allow untrusted code to be executed. Two of the issues were assigned a severity level of 7.5. The vulnerabilities are fixed in the Java SE 18.0.1, 11.0.15 and 8u331 releases.

    One of the problems (CVE-2022-21449) allows an ECDSA digital signature to be produced with zero values for the curve parameters (if the parameters are zero, the curve computation degenerates to the point at infinity, so the specification explicitly forbids a zero value). The Java libraries did not check the ECDSA signature parameters for zero, so when a signature with zero parameters is processed, Java treats it as valid in every case.

    Among other things, the vulnerability can be used to generate TLS certificates that Java will accept as valid, to bypass authentication via WebAuthn, and to generate forged JWT signatures and OIDC tokens. In other words, the vulnerability allows universal certificates and signatures to be generated that are accepted and recognised as correct by Java handlers that use the standard java.security.* classes for verification. The problem appears in the Java 15, 16, 17 and 18 branches. An example of generating a forged signature:

        jshell> import java.security.*
        jshell> var keys = KeyPairGenerator.getInstance("EC").generateKeyPair()
        keys ==> java.security.KeyPair@626b2d4a
        jshell> var blankSignature = new byte[64]
        blankSignature ==> byte[64] { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, … , 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }
        jshell> var sig = Signature.getInstance("SHA256WithECDSAInP1363Format")
        sig ==> Signature object: SHA256WithECDSAInP1363Format<not initialized>
        jshell> sig.initVerify(keys.getPublic())
        jshell> sig.update("Hello, World".getBytes())
        jshell> sig.verify(blankSignature)
        $8 ==> true

  • 26 vulnerabilities in MySQL Server, two of which can be exploited remotely. The most serious problems, related to the use of OpenSSL and protobuf, were assigned a severity level of 7.5. The less severe vulnerabilities affect the optimizer, InnoDB, replication, the PAM plugin, DDL, DML, FTS and logging. The problems are fixed in the MySQL Community Server 8.0.29 and 5.7.38 releases.
  • 5 vulnerabilities in VirtualBox. The issues were assigned severity levels from 7.5 down to 3.8 (the most dangerous one appears only on the Windows platform). The vulnerabilities are fixed in the VirtualBox 6.1.34 update.
  • 6 vulnerabilities in Solaris. The problems affect the kernel and utilities. The most serious problem, in the utilities, was assigned a danger level of 8.2. The vulnerabilities are fixed in the Solaris 11.4 SRU44 update.
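The Java SE item above describes the missing check behind CVE-2022-21449: a verifier must reject any ECDSA signature whose r or s lies outside [1, n-1] before doing any arithmetic with it. The following is an added example, not code from the article or from the JDK, showing a minimal P-256 ECDSA verifier written with that range check in place, so that the all-zero 64-byte P1363 signature from the jshell session is rejected while a genuine signature still verifies. The curve constants are the standard NIST P-256 values; the key pair, nonce and sample message are constructed for the demonstration.

```python
# Added example (not from the article): a minimal ECDSA verifier over P-256 that
# performs the range check the affected Java releases skipped, so an all-zero
# P1363 (r||s) signature is rejected instead of verifying as valid.
import hashlib
import secrets

# NIST P-256 domain parameters (standard values)
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)


def ec_add(p1, p2):
    """Affine point addition; None represents the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                                   # p1 == -p2
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result


def hash_to_int(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def keygen():
    """Constructed demo key pair (private scalar, public point)."""
    d = secrets.randbelow(N - 1) + 1
    return d, ec_mul(d, G)


def sign_p1363(d: int, msg: bytes) -> bytes:
    """Sign with a fresh random nonce; returns r||s as 64 bytes (P1363 encoding)."""
    e = hash_to_int(msg)
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = ec_mul(k, G)[0] % N
        s = pow(k, -1, N) * (e + r * d) % N
        if r and s:
            return r.to_bytes(32, "big") + s.to_bytes(32, "big")


def verify_p1363(pub, msg: bytes, sig: bytes) -> bool:
    """ECDSA verification with the range check that CVE-2022-21449 lacked."""
    if len(sig) != 64:
        return False
    r = int.from_bytes(sig[:32], "big")
    s = int.from_bytes(sig[32:], "big")
    # Both r and s must lie in [1, n-1]. In the affected Java releases the
    # modular inverse of s = 0 came back as 0, the computed point degenerated,
    # and the final x-coordinate comparison matched r = 0, so bytes(64) passed.
    if not (1 <= r < N and 1 <= s < N):
        return False
    e = hash_to_int(msg)
    w = pow(s, -1, N)
    point = ec_add(ec_mul(e * w % N, G), ec_mul(r * w % N, pub))
    if point is None:
        return False
    return point[0] % N == r


def demo():
    """Returns (genuine_accepted, blank_rejected, tampered_rejected)."""
    d, pub = keygen()
    msg = b"Hello, World"          # same message as in the jshell session
    genuine = sign_p1363(d, msg)
    blank = bytes(64)              # the all-zero signature from the article
    return (verify_p1363(pub, msg, genuine),
            not verify_p1363(pub, msg, blank),
            not verify_p1363(pub, b"Hello, World!", genuine))


if __name__ == "__main__":
    print(demo())                  # (True, True, True)
```

The same range check applies to DER-encoded signatures once r and s have been decoded; the fixed JDK releases perform it inside the provider, but an application that implements or wraps its own verification, or that cannot yet upgrade, can apply this check on the decoded values before calling into the verifier.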

source: budenet.ru
