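TL;DR As I expected, this turned into a long post once I started writing. I don't have the energy to polish it properly, so the writing may be odd in places. Please read on only if you can accept that. 1. Introduction In the small hours of last night, OpenSSL-1.0.2d and 1.0.1p were released. As announced in advance, they fix CVE-2015-1793, a vulnerability rated high severity. Looking at the advisory, it became clear that this vulnerability affects iojs/Node, so we updated iojs/Node immediately and released the fixed versions safely in the small hours of this morning. This was not the first time, but having engineers in Japan, Europe and the US coordinate with each other on github late at night to promptly carry out a security release is quite a thrilling experience no matter how many times I do it. With the time differences it is physically rather hard, but together with the world's very top engineers
Google has forked OpenSSL and published it as "BoringSSL" (ImperialViolet blog post, Ars Technica article, original /.). Google says it has been using OpenSSL with a large number of patches applied for many years. Some of the patches were accepted into the main OpenSSL repository, but most were not, for reasons such as API and ABI stability problems. Products such as Android and Chrome need some subset of the patches, but since there are more than 70 patches the work has reportedly become complicated. For that reason, Google says it has forked OpenSSL and switched to a model of importing changes from the OpenSSL side. BoringSSL is scheduled to be added to the Chromium repository soon, and is expected to eventually be used in Android and internally as well. In BoringSSL, the API and ABI
GMO Cybersecurity by Ierae, Inc. is a cybersecurity company with many of Japan's top-class white-hat hackers on staff. White-hat hackers with extensive knowledge of attack techniques and cutting-edge skills act as a simulated adversary, helping customers make their security problems visible and resolve them. With the mission of "creating a society where no one becomes a victim," it contributes to building an Internet society in which everyone living in the digital-native era can live safely.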
About two days ago, I was poking around with OpenSSL to find a way to mitigate Heartbleed. I soon discovered that in its default config, OpenSSL ships with exploit mitigation countermeasures, and when I disabled the countermeasures, OpenSSL stopped working entirely. That sounds pretty bad, but at the time I was too frustrated to go on. Last night I returned to the scene of the crime. OpenSSL uses
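OpenBSD has begun a major cleanup of OpenSSL (slashdot). For example, if you look at libssl/src/ssl, curses and fixes are being recorded in CVS without pause. The reason they were not satisfied with just the Heartbleed patch is that, from their point of view, Heartbleed was not a mere bug or specification problem but something born of a problem with security awareness. As their years-old jibe that "OpenSSL must be written by monkeys" shows, the OpenBSD developers knew that the quality of the OpenSSL code was low. However, they may not yet have been convinced that it was a problem of awareness and sense of responsibility. OpenBSD has memory protection mechanisms, so even with the Heartbleed vulnerability they initially thought that adding the J option to malloc.conf would shred freed memory and the secrets would not leak, but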
The Heartbleed Challenge Can you steal the keys from this server? Has the challenge been solved yet? NO. This server is running nginx-1.5.13 linked against OpenSSL 1.0.1.f on Ubuntu 13.10 x86_64. It is vulnerable to Heartbleed. Can you get the secret key? If you think you have it, submit the RSA signature of the string "Proof I have your key\n" as proof. This proof can be obtained with the followi
A vulnerability that exposes 64K bytes of memory has been discovered in "OpenSSL", the open-source SSL/TLS implementation library, and "OpenSSL 1.0.1g", which fixes the problem, was released on April 7. According to the OpenSSL security advisory, the vulnerability is caused by a flawed bounds check in the handling of the TLS Heartbeat extension. If exploited, up to 64K bytes of memory may be exposed to a connected client or server. The vulnerability exists in the 1.0.1 and 1.0.2-beta releases, including OpenSSL 1.0.1f and 1.0.2-beta1, and was fixed in 1.0.1g. For those who cannot upgrade immediately, the advisory also describes recompiling with the "OPENSSL_NO_HEARTBEATS" flag enabled. Regarding this issue, the security company that provides services using OpenSSL, C
When I went to check my mail in Thunderbird as usual, I got a warning that the SSL certificate had expired. I connect to the mail server over SSL using imapd-uw. Since it is a server that I run myself and that only I use, the certificate is what is called an "ore-ore" certificate, where the certificate authority (CA) is also my own. I could make the certificate used by imapd a self-signed certificate, but I also wanted to learn how operating a certificate authority works, so I set up a certificate authority with OpenSSL on my own server and have it sign the certificate used by imapd. The CA certificate is self-signed with a validity period of 10 years, and the imapd certificate has a validity period of 1 year. Even with my own CA, occasions to sign something do not come up often, and in practice I end up running openssl once a year. Naturally, the things I did last time