Full Disclosure: opensshd - user enumeration When SSHD tries to authenticate a non-existing user, it will pick up a fake password structure hardcoded in the SSHD source code. On this hard coded password structure the password hash is based on BLOWFISH ($2) algorithm. If real users passwords are hashed using SHA256/SHA512, then sending large passwords (10KB) will result in shorter response time fro
A vulnerability that lets an outside party easily set an environment variable named HTTP_PROXY; it may affect you if your server-to-server communication talks to external sites (HTTPoxy, CVE-2016-5385). For PHP it affects php-fpm, mod_php, Guzzle 4 and earlier, and several other libraries. The fix is simple. If you handle it on the Apache side and can use mod_header, add the following single line to the conf file: RequestHeader unset Proxy. For FastCGI, add the following single line: fastcgi_param HTTP_PROXY ""; Guzzle appears to have fixed it in 6.2.1. Release 6.2.1 release · guzzle/guzzle · GitHub Looking at the commit log, only when running on the CLI, getenv('HTTP_PROXY
Poderosa, the SSH client for Windows that was once selected for the MITOH (Exploratory IT) software programme but then left dormant for some time, has been extensively overhauled and re-released by Poderosa Technology, the company founded by the original author; a beta version is currently available. It is no longer open-source software and has become a commercial product, but the trial period is said to be unlimited. On the feature side, rendering has been moved to OpenGL, and the project appears to be aiming at ports to platforms other than Windows, such as OS X, iOS and Android. What setup do you use for SSH connections from Windows? And, OS X aside, how much demand is there really for shell access from iOS, Android, HMD environments and the like?
What is the large-file transfer service "tenpu"? Have you ever struggled to send a file because it was too big, whether a work file to a client or photos from a trip to friends? Plenty of "large-file transfer services" have been released, but many of the free ones have pages so full of ads that it is hard to tell how to send anything, and the recipient has trouble working out how to download; finding a polished one was hard. With "tenpu", however, that problem may be solved in one go. "tenpu" is a large-file transfer service that is popular not only with the general public but also with creators who frequently handle large files. The reason for its popularity is the surprising ease of use that comes from its extremely simple UI. There are free and paid (Pro/Business) versions; the paid versions, of course,
It has come to light that Google has decided to cancel its plan to develop full-fledged VR goggles to rival the Oculus Rift. Citing people familiar with the matter, recode reports that, for its VR business, Google made the management judgement that building out related services is a better bet than pushing ahead with costly hardware development. At its new-product event this May, Google had announced that it would release full-fledged VR goggles called "Daydream" to replace "Cardboard", its existing cardboard VR headset. Details such as whether the decision reported this time concerns halting development of the hardware version of Daydream remain unclear. As for full-fledged VR goggles, Oculus Rift and HTC Vive have already started selling production models, and at the end of the year Sony will release the PS4-compatible PlayStation VR (Pro
Explains how to build a Linux distribution that fits on a single floppy disk using a relatively recent kernel.
"They all stripped me naked, poked my back with disposable chopsticks as I crouched covering my chest, blew air from a hair dryer onto my genitals, kicked my back while laughing, sat astride me as I cried and, still straddling me, ate cup ramen and dropped noodles onto my chest" (from the victim's written statement). The trial of five University of Tokyo undergraduate and graduate students, charged with indecent assault and other offences for committing indecent acts on a woman (21 at the time) after getting her drunk, opened in July at the Tokyo District Court. The victim is said to have had feelings for one of the defendants. What came to light in court was the attitude of defendants who, despite being Japan's top elite by exam scores, toyed with the woman's feelings and treated her "like an object", conduct that makes one doubt their intelligence. ■ The circle's hidden face: an "indecent purpose" Indicted on the same charges were University of Tokyo student Kensuke Matsumi (22) ▽ graduate student Koki Matsumoto
It was only a small conversation, but I found it interesting, so I'll share it. The other day an acquaintance I was drinking with said this. "People who predict other people's failures are seriously useless, aren't they?" "What are you talking about?" "You know, the ones who say 'this will fail' with a knowing look about a new business or a new product." "Ah, I saw one yesterday. The people who say 'this won't work out', right?" "Exactly. Those guys get on my nerves." "Why?" "Because all they do is state the obvious and make people feel bad." He was a little drunk, so he was talkative. I asked: "You mean predictions about the future aren't needed?" "Just listen. That isn't a prediction at all; they aren't saying anything." "...What?" "Predicting failure is ridiculously easy, that's what." "Hang on, can you give me a concrete example?" "For instance, the critics and believers who predicted the failure of the Apple Watch, saying 'this won't sell',
Recommended reading Summary What Is Affected Immediate Mitigation Prevention Interesting, but once you've mitigated How It Works Why It Happened History of httpoxy CVEs A CGI application vulnerability (in 2016) for PHP, Go, Python and others httpoxy is a set of vulnerabilities that affect application code running in CGI, or CGI-like environments. It comes down to a simple namespace conflict: RFC 3
nishio hirokazu @nishio @kmizu I'm not sure what kind of answer you're looking for, or whether you're asking a subjective question, but the objective fact is that I drank every commercially available lemongrass tea I came across and am now in my second year of growing it myself. 2016-07-17 20:20:40
1. The source of big-company disease Even a company made up entirely of excellent people risks catching big-company disease as headcount grows. Even if you try to hire only excellent people, a fair number of incompetent ones will get in. Once incompetent people are present, work naturally slows down. What do the excellent people, fed up with working alongside the incompetent, do? They make "rules": clear, easy-to-understand rules so that anyone can keep work running smoothly. These rules push the business forward for a while, but they are also the cause of the "big-company disease" that breaks out later. 2. The onset of big-company disease Incompetent people cling to rules. They brush things off with "because that's the rule" and make no attempt to think for themselves. Rules that were originally made so that work would proceed smoothly and accurately become, before anyone notices, a shackle, because a rule that is optimal in every case hardly ever exists. The optimal solution, depending on the situation at the time and on the era,