Ability to generate dummy ECDSA signatures in Java SE. Vulnerabilities in MySQL, VirtualBox and Solaris

Oracle has published a scheduled release of updates to its products (Critical Patch Update), aimed at eliminating critical problems and vulnerabilities. The April update fixed a total of 520 vulnerabilities.

Some of the problems:

  • 6 security issues in Java SE. All of the vulnerabilities can be exploited remotely without authentication and affect environments that allow untrusted code to be executed. Two issues were assigned a severity level of 7.5. The vulnerabilities were fixed in the Java SE 18.0.1, 11.0.15 and 8u331 releases.

    One of the problems (CVE-2022-21449) allows a fictitious ECDSA digital signature to be generated by using zero curve parameters when creating it (if the parameters are zero, the curve goes to infinity, so zero values are explicitly prohibited in the specification). The Java libraries did not check for zero values of the ECDSA parameters, so when processing signatures with zero parameters, Java considered them valid in all cases.

    Among other things, the vulnerability can be used to generate fictitious TLS certificates that Java will accept as valid, as well as to bypass authentication via WebAuthn and to generate fictitious JWT signatures and OIDC tokens. In other words, the vulnerability makes it possible to generate universal certificates and signatures that will be accepted and treated as correct in Java handlers that use the java.security.* classes for verification. The problem appears in the Java 15, 16, 17 and 18 branches. An example of generating fictitious certificates is available.

        jshell> import java.security.*
        jshell> var keys = KeyPairGenerator.getInstance("EC").generateKeyPair()
        keys ==> java.security.KeyPair@626b2d4a
        jshell> var blankSignature = new byte[64]
        blankSignature ==> byte[64] {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ... , 0, 0, 0, 0, 0, 0, 0, 0}
        jshell> var sig = Signature.getInstance("SHA256WithECDSAInP1363Format")
        sig ==> Signature object: SHA256WithECDSAInP1363Format
        jshell> sig.initVerify(keys.getPublic())
        jshell> sig.update("Mhoro, Nyika".getBytes())
        jshell> sig.verify(blankSignature)
        $8 ==> true

  • 26 vulnerabilities in MySQL server, two of which can be exploited remotely. The most serious problems, which are related to the use of OpenSSL and protobuf, are assigned a severity level of 7.5. Less severe vulnerabilities affect the optimizer, InnoDB, replication, the PAM plugin, DDL, DML, FTS and logging. The issues were fixed in the MySQL Community Server 8.0.29 and 5.7.38 releases.
  • 5 vulnerabilities in VirtualBox. The issues were assigned severity levels from 7.5 to 3.8 (the most dangerous vulnerability appears only on the Windows platform). The vulnerabilities were fixed in the VirtualBox 6.1.34 update.
  • 6 vulnerabilities in Solaris. The problems affect the kernel and utilities. The most serious problem in the utilities is assigned a danger level of 8.2. The vulnerabilities are fixed in the Solaris 11.4 SRU44 update.

Source: opennet.ru
