Ability to generate dummy ECDSA signatures in Java SE. Vulnerabilities in MySQL, VirtualBox and Solaris

Oracle has published a scheduled release of updates to its products (Critical Patch Update), aimed at eliminating critical problems and vulnerabilities. The April update fixed 520 vulnerabilities.

Some of the issues:

  • 6 security issues in Java SE. All of the vulnerabilities can be exploited remotely without authentication and affect environments that allow the execution of untrusted code. Two issues have been assigned a severity level of 7.5. The vulnerabilities have been resolved in the Java SE 18.0.1, 11.0.15 and 8u331 releases.

    One of the issues (CVE-2022-21449) allows you to generate an ECDSA digital signature using zero curve parameters when generating it (if the parameters are zero, the curve goes to infinity, so zero values are explicitly prohibited by the specification). The Java libraries did not check for zero values of the ECDSA parameters, so when processing signatures with zero parameters, Java treated them as valid in all cases.

    Among other things, the vulnerability can be used to generate fictitious TLS certificates that will be accepted in Java as correct, as well as to bypass authentication via WebAuthn and to generate fictitious JWT signatures and OIDC tokens. In other words, the vulnerability allows you to generate universal certificates and signatures that will be accepted and treated as correct by Java handlers that use the java.security.* classes for verification. The problem appears in Java branches 15, 16, 17 and 18. An example of generating fake certificates is available.

        jshell> import java.security.*
        jshell> var keys = KeyPairGenerator.getInstance("EC").generateKeyPair()
        keys ==> java.security.KeyPair@626b2d4a
        jshell> var blankSignature = new byte[64]
        blankSignature ==> byte[64] { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, … , 0, 0, 0, 0, 0, 0, 0, 0 }
        jshell> var sig = Signature.getInstance("SHA256WithECDSAInP1363Format")
        sig ==> Signature object: SHA256WithECDSAInP1363Format
        jshell> sig.initVerify(keys.getPublic())
        jshell> sig.update("Hello, World".getBytes())
        jshell> sig.verify(blankSignature)
        $8 ==> true

  • 26 vulnerabilities in the MySQL server, two of which can be exploited remotely. The most serious problems, related to the use of OpenSSL and protobuf, have been assigned a severity level of 7.5. Less severe vulnerabilities affect the optimizer, InnoDB, replication, the PAM plugin, DDL, DML, FTS and logging. The issues were resolved in the MySQL Community Server 8.0.29 and 5.7.38 releases.
  • 5 vulnerabilities in VirtualBox. The issues have been assigned severity levels from 7.5 to 3.8 (the most dangerous vulnerability appears only on the Windows platform). The vulnerabilities are fixed in the VirtualBox 6.1.34 update.
  • 6 vulnerabilities in Solaris. The problems affect the kernel and utilities. The most serious problem, in the utilities, has been assigned a danger level of 8.2. The vulnerabilities are resolved in the Solaris 11.4 SRU44 update.

Source: opennet.ru
