Ability to generate dummy ECDSA signatures in Java SE. Vulnerabilities in MySQL, VirtualBox and Solaris

Oracle has published a scheduled release of updates to its products (Critical Patch Update), aimed at fixing critical problems and vulnerabilities. The April update fixed a total of 520 vulnerabilities.

Some of the issues:

  • 6 security issues in Java SE. All of the vulnerabilities can be exploited remotely without authentication and affect environments that allow untrusted code to run. Two issues have been assigned a severity level of 7.5. The vulnerabilities are fixed in the Java SE 18.0.1, 11.0.15 and 8u331 releases.

    One of the issues (CVE-2022-21449) makes it possible to generate a fictitious ECDSA digital signature by using zero parameters when generating it (if the parameters are zero, the curve goes to infinity, so zero values are explicitly prohibited by the specification). The Java libraries did not check ECDSA parameters for zero values, so when processing signatures with zero parameters Java treated them as valid in every case.

    Among other things, the vulnerability can be used to generate fictitious TLS certificates that Java will accept as correct, as well as to bypass authentication via WebAuthn and to generate fictitious JWT signatures and OIDC tokens. In other words, the vulnerability makes it possible to generate universal certificates and signatures that will be accepted and treated as correct by Java handlers that use the java.security.* classes for verification. The problem appears in the Java 15, 16, 17 and 18 branches. An example of generating fictitious certificates is available.

        jshell> import java.security.*
        jshell> var keys = KeyPairGenerator.getInstance("EC").generateKeyPair()
        keys ==> java.security.KeyPair@626b2d4a
        jshell> var blankSignature = new byte[64]
        blankSignature ==> byte[64] { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, … , 0, 0, 0, 0, 0, 0, 0, 0 }
        jshell> var sig = Signature.getInstance("SHA256WithECDSAInP1363Format")
        sig ==> Signature object: SHA256WithECDSAInP1363Format
        jshell> sig.initVerify(keys.getPublic())
        jshell> sig.update("Hello, World".getBytes())
        jshell> sig.verify(blankSignature)
        $8 ==> true

  • 26 vulnerabilities in MySQL Server, two of which can be exploited remotely. The most severe problems, related to the use of OpenSSL and protobuf, are assigned a severity level of 7.5. Less severe vulnerabilities affect the optimizer, InnoDB, replication, the PAM plugin, DDL, DML, FTS and logging. The issues are fixed in the MySQL Community Server 8.0.29 and 5.7.38 releases.
  • 5 vulnerabilities in VirtualBox. The issues are assigned severity levels from 7.5 to 3.8 (the most dangerous vulnerability appears only on the Windows platform). The vulnerabilities are fixed in the VirtualBox 6.1.34 update.
  • 6 vulnerabilities in Solaris. The problems affect the kernel and utilities. The most serious problem, in the utilities, is assigned a severity level of 8.2. The vulnerabilities are fixed in the Solaris 11.4 SRU44 update.

Source: opennet.ru
