I have a fair amount of experience dating "menhera" (mentally unstable) girls, so from now on I am going to run an occasional "menhera girl interview" series. It is the kind of project only an individual could come up with, but it sounds interesting, so I will give it my best. For advertising-related reasons I am refraining from the "hera" wording here. A few of the menhera girls I asked said it was OK to talk with me, and the most striking of them is one of my ex-girlfriends, who broke up with me over cheating. So right away I have to write the kind of text that gives you a hole in your stomach... To avoid identifying anyone, I will withhold all information such as when we were going out. Incidentally, when I went back to my home town I ran into her by chance at a coffee shop and we ended up talking. So she had become a regular at my favourite coffee shop... Ordinary conversation went calmly, she already had a new boyfriend, and once I had confirmed that she is doing fine now I brought up this project; she readily agreed, so I had her speak frankly and
On Tabelog, we publish the opinions and impressions of users who have actually visited a restaurant as reviews, and make restaurants searchable in our own ranking order, aiming to be a gourmet site where you can find a restaurant to your liking with greater certainty. And so that these reviews and rankings are information everyone can trust, Tabelog is run with the following three points as priorities.
Closure Templates 2.4, released in April 2014, added several interesting new features. The previous article covered parameter type checking, so this one covers Strict Autoescaping.

Deprecation of Contextual Autoescaping

Closure Templates has a powerful auto-escaping feature called Contextual Autoescaping (see the earlier article "Closure Templates' autoescaping is too strong" for details). In short, it automatically determines the context the output lands in, whether HTML, JavaScript or CSS, and applies the escaping appropriate for that context. However, this Contextual Autoescaping, in Closure Templates
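To make the context detection concrete, here is an added example in JavaScript (the language Soy templates compile to); it is not Closure Templates' own code. A toy renderer decides the context of each {$param} from the literal template text seen so far and escapes the value for that context, with the strict-mode rule that there is no opt-out directive: the only way to emit raw markup is a value that a trusted sanitizer already produced, and only in HTML text context. The names renderTemplate, contextOf and SanitizedHtml and the sample attack strings are my choices for this example; #zSoyz is the innocuous replacement Closure uses for rejected URLs. Real Closure Templates does this analysis at compile time with full HTML/JS/CSS lexers.

```javascript
'use strict';
// Added example, not code from Closure Templates: a toy contextual autoescaper.
// The renderer inspects only the literal template text to decide which context
// each {$param} lands in (HTML text, quoted attribute, href/src URL, style
// value, JS string literal) and applies that context's escaper.

const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c]);
}

// JS string literal: \uXXXX-escape everything that could end the literal or the
// <script> element (quotes, backslash, angle brackets, line terminators).
function escapeJsString(value) {
  return String(value).replace(/[\\'"<>&\r\n\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// CSS value: allow-list of characters; everything else becomes a hex escape
// terminated by a space, so "; background:url(x)" cannot start a declaration.
function escapeCssString(value) {
  return String(value).replace(/[^a-zA-Z0-9 ,.%#-]/g,
    (c) => '\\' + c.charCodeAt(0).toString(16) + ' ');
}

// URL attribute: only http(s), mailto and scheme-less URLs survive; other
// schemes (javascript:, data:, ...) are replaced by an innocuous fragment.
function filterUrl(value) {
  const s = String(value);
  return /^(?:https?:|mailto:|[^:]*$)/i.test(s) ? escapeHtml(s) : '#zSoyz';
}

// Context at the end of the literal template text produced so far.
function contextOf(literal) {
  const inside = (tag) => literal.lastIndexOf('<' + tag) > literal.lastIndexOf('</' + tag + '>');
  if (inside('script')) {
    const body = literal.slice(literal.lastIndexOf('<script'));
    if ((body.match(/['"]/g) || []).length % 2 === 0) {
      throw new Error('strict mode: {$param} outside a JS string literal');
    }
    return 'js';
  }
  if (inside('style')) return 'css';
  const lastOpen = literal.lastIndexOf('<');
  if (lastOpen > literal.lastIndexOf('>')) {
    // Inside a tag: accept only a position inside a double-quoted attribute value.
    const attr = /([\w-]+)\s*=\s*"[^"]*$/.exec(literal.slice(lastOpen));
    if (!attr) throw new Error('strict mode: {$param} in unquoted attribute or tag-name position');
    const name = attr[1].toLowerCase();
    if (name === 'href' || name === 'src') return 'url';
    if (name === 'style') return 'css';
    return 'attr';
  }
  return 'html';
}

class SanitizedHtml {
  constructor(html) { this.html = html; }   // output of a trusted sanitizer
}

const ESCAPERS = { html: escapeHtml, attr: escapeHtml, url: filterUrl, css: escapeCssString, js: escapeJsString };

function renderTemplate(template, params) {
  const parts = template.split(/\{\$(\w+)\}/);   // odd indices are parameter names
  let literal = '';
  let out = '';
  for (let i = 0; i < parts.length; i++) {
    if (i % 2 === 0) { literal += parts[i]; out += parts[i]; continue; }
    if (!(parts[i] in params)) throw new Error('missing parameter ' + parts[i]);
    const ctx = contextOf(literal);
    const value = params[parts[i]];
    if (value instanceof SanitizedHtml && ctx === 'html') out += value.html;
    else out += ESCAPERS[ctx](value instanceof SanitizedHtml ? value.html : value);
  }
  return out;
}

// Constructed attack strings, one per context.
function demo() {
  return {
    text: renderTemplate('<p>{$v}</p>', { v: '<script>alert(1)</script>' }),
    attr: renderTemplate('<input value="{$v}">', { v: '" onfocus="alert(1)' }),
    url: renderTemplate('<a href="{$v}">x</a>', { v: 'javascript:alert(1)' }),
    css: renderTemplate('<div style="color: {$v}">', { v: 'red; background: url(x)' }),
    js: renderTemplate("<script>var u = '{$v}';</script>", { v: "'; alert(1); //" }),
    trusted: renderTemplate('<div>{$v}</div>', { v: new SanitizedHtml('<b>ok</b>') }),
  };
}
```

The point worth noticing is that contextOf only ever looks at literal template text, never at a rendered value: an escaped value can never change the context of a later parameter, which is the invariant that makes contextual escaping sound. Positions the toy cannot classify safely (an unquoted attribute, a bare JS expression) are rejected rather than guessed.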
One thing people often trip over when upgrading AngularJS from the 1.0 series to 1.2 is SCE (Strict Contextual Escaping). AngularJS 1.2 enables SCE by default, so an app that worked before may stop working just by being upgraded. If, for example, HTML bound with ng-bind-html no longer shows, or an iframe's content no longer loads, first look at the console. If it shows log messages like the following, the elements are most likely not being displayed because SCE is now enabled:

Attempting to use an unsafe value in a safe context.
Blocked loading resource from url not
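As an added example in JavaScript (not AngularJS source), here is a small offline model of the SCE gate: a value bound in an HTML or resource-URL context must either be a value explicitly marked trusted (what $sce.trustAsHtml / $sce.trustAsResourceUrl return) or pass the policy for that context. HTML goes through a sanitizer when one is registered (ngSanitize); resource URLs must match the $sceDelegate whitelist, whose default ['self'] means same origin as the app. The names bindHtml, loadResourceUrl, toySanitize and the origin https://app.example are stand-ins I chose; the two error texts are the ones AngularJS logs.

```javascript
'use strict';
// Added example, not AngularJS source: a small offline model of the SCE gate
// that AngularJS 1.2 switched on by default. bindHtml stands in for what
// ng-bind-html does through $sce.getTrustedHtml, loadResourceUrl for the
// RESOURCE_URL check applied to iframe/object src and ng-include, toySanitize
// for ngSanitize, and PAGE_ORIGIN is the assumed origin of the app.

const PAGE_ORIGIN = 'https://app.example';

class TrustedValue {                       // what $sce.trustAs*() returns
  constructor(type, value) { this.type = type; this.value = String(value); }
}
const trustAsHtml = (v) => new TrustedValue('html', v);
const trustAsResourceUrl = (v) => new TrustedValue('resourceUrl', v);

// Stand-in for ngSanitize: keep a few inert tags, drop every attribute and
// every other tag. A real sanitizer tokenizes HTML; this regex is only a model.
const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'p', 'br', 'ul', 'li']);
function toySanitize(html) {
  return String(html).replace(/<(\/?)([a-z0-9]+)[^>]*>/gi, (m, slash, tag) =>
    (ALLOWED_TAGS.has(tag.toLowerCase()) ? '<' + slash + tag.toLowerCase() + '>' : ''));
}

// HTML context: a plain string is accepted only through a sanitizer; otherwise
// the value must have been marked trusted for HTML explicitly.
function bindHtml(value, sanitizer) {
  if (value instanceof TrustedValue) {
    if (value.type === 'html') return value.value;
    throw new Error('[$sce:unsafe] Attempting to use an unsafe value in a safe context.');
  }
  if (sanitizer) return sanitizer(value);
  throw new Error('[$sce:unsafe] Attempting to use an unsafe value in a safe context.');
}

// RESOURCE_URL context: explicitly trusted, or matching the $sceDelegate
// whitelist, whose default ['self'] means same scheme, host and port as the app.
function loadResourceUrl(value, whitelist = ['self']) {
  if (value instanceof TrustedValue && value.type === 'resourceUrl') return value.value;
  const url = new URL(String(value), PAGE_ORIGIN);
  const allowed = whitelist.some((rule) =>
    (rule === 'self' ? url.origin === new URL(PAGE_ORIGIN).origin : rule.test(url.href)));
  if (allowed) return url.href;
  throw new Error('[$sce:insecurl] Blocked loading resource from url not allowed by $sceDelegate policy.  URL: ' + url.href);
}

// Constructed inputs: the situations from the post and their fixes.
function demo() {
  const userHtml = '<p onclick="steal()">hi <script>alert(1)</script></p>';
  const out = {};
  try { bindHtml(userHtml); } catch (e) { out.noSanitizer = e.message; }   // 1.2 without ngSanitize
  out.sanitized = bindHtml(userHtml, toySanitize);                          // fix: load ngSanitize
  out.trusted = bindHtml(trustAsHtml('<b>server-rendered</b>'));            // fix for non-user markup
  try { loadResourceUrl('https://other.example/widget'); } catch (e) { out.crossOrigin = e.message; }
  out.sameOrigin = loadResourceUrl('/embed/player');
  out.whitelisted = loadResourceUrl('https://other.example/widget', ['self', /^https:\/\/other\.example\//]);
  out.explicitTrust = loadResourceUrl(trustAsResourceUrl('https://other.example/widget'));
  return out;
}
```

The fix that keeps the protection is the sanitizer path (add the ngSanitize module) for anything a user can influence, and a whitelist entry for the iframe origins you actually embed. Wrapping user-controlled strings in trustAsHtml or trustAsResourceUrl makes the errors go away but reintroduces exactly the XSS that SCE was added to prevent; trustAs* is for values the server already vouches for.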
A problem I ran into on CentOS 7. When I applied the patch for today's much-discussed GHOST vulnerability with yum update, I could no longer log in over SSH.
yum update as root → succeeded, of course (apparently /root/.ssh/authorized_keys became an empty file at this point).
Rebooted and tried logging in again over SSH, but public-key authentication did not go through.
Tried logging in over SSH with password authentication, but I had disabled password authentication in the first place!
Logged in from the VPS's remote console to check the situation. Confirmed that at this point /root/.ssh/authorized_keys was empty and that its timestamp was from around the time of the update.
Edited the sshd configuration file so that password login would be allowed (though working from the remote console was a struggle, with the keyboard layout being off and
Saori Ikeuchi, a Japanese Communist Party member of the House of Representatives, described the Liberal Democratic Party as "Japan's version of neo-Nazis" on an online video programme on January 26, 2015. Appearing on the programme that day, Ikeuchi talked with the host, journalist Koichi Yasuda, about the relationship between the LDP and racism, and stated that "casting a vote for the LDP is the same as voting for Japanese neo-Nazis". On Prime Minister Shinzo Abe issuing a statement to mark 70 years since the end of the war, she said she "will not allow the history-falsifying ultra-right and its rise" and "will fight to end the ultra-right government even one day sooner". Ikeuchi was first elected in the 2014 lower-house election. She had just apologised after being criticised for a tweet attacking the government over the Islamic State hostage crisis involving Japanese nationals. In the past she caused controversy by beating a drum at an Akahata festival that bore a photo of Abe's face with a Hitler-style moustache drawn on, but
A bug that causes a vulnerability was found in glibc's gethostbyname family of functions; it has been named CVE-2015-0235 (GHOST). Left unpatched, a very large number of applications can be expected to be affected. glibc is the GNU version of libc. libc is not an application; it is the library that practically every application relies on, and after the kernel it is arguably the most important part of the OS. Linux systems, certainly in server use, almost universally use glibc. A bug that had existed since around 2000 in glibc's implementation of the gethostbyname family was discovered only now, and given the identifier CVE-2015-0235 and the nickname GHOST. Applications that communicate over the network and resolve host names typically call these functions (*). (*) Addendum: ones that support name resolution
Summary first: I have decided to leave my current employer, and today is my last day in the office. What comes next is not decided yet. Or rather, I am at the stage where I have not had concrete talks with anyone. I am looking around for interesting places to work, so if you know of somewhere attractive, please get in touch. I hope to talk with lots of people. About my current job: until around mid-November I was not considering changing jobs at all. But watching the technical trends in the wider world around that time, I started wanting to do something technically different, and that is the direct reason. When I thought about what to do next, I figured that, since I was at it, changing my working environment as well would make the life ahead more stimulating, so I decided to resign. The company did say that if I only wanted to change what I work on, I could do that internally. That is a fair point, but at the same time
Steven J. Vaughan-Nichols (Special to ZDNET.com), translation and proofreading: editorial staff, 2015-01-28 10:04
Researchers at the cloud security company Qualys have discovered "GHOST" (CVE-2015-0235), a serious security hole in the Linux GNU C Library (glibc). By exploiting this vulnerability, an attacker can take over a system remotely without knowing any user ID or password. Qualys immediately alerted the major Linux distributors about the hole, and many distributors have already published patches. The hole is present in every Linux system built with glibc 2.2 (released November 10, 2000) or a later unpatched version. According to Qualys, the bug was in reality, in the gl