OpenSSH 可移植版-遠端代碼競行漏洞
二 02 七月 2024 by ols3sshd(8) in Portable OpenSSH versions 8.5p1 to 9.7p1 (inclusive). Race condition resulting in potential remote code execution. A race condition in sshd(8) could allow remote code execution as root on non-OpenBSD systems. This attack could be prevented by disabling the login grace timeout (LoginGraceTime=0 in sshd_config) though this makes denial-of service against sshd(8) considerably easier. For more information, please refer to the release notes and the report from the Qualys Security Advisory Team who discovered the bug.
可移植 OpenSSH 版本 8.5p1 至 9.7p1(含)中的 sshd(8) 潛在遠端代碼執行的爭用條件。 sshd(8) 中的爭用條件允許在非 OpenBSD 系統上以 root 身份遠端執行代碼。這種攻擊可以通過禁用登錄寬限超時( LoginGraceTime=0 在 sshd_config 中)來防止,儘管這會使針對 sshd(8) 的拒絕服務變得容易得多。有關更多資訊,請參閱發現該漏洞的 Qualys 安全諮詢團隊的發行說明和報告。
xz-utils 植入後門 (CVE-2024-3094)
xz-utils: backdoor in upstream xz/liblzma leading to ssh server compromise
Malicious code was discovered in the upstream tarballs of xz, starting with version 5.6.0. Through a series of complex obfuscations, the liblzma build process extracts a prebuilt object file from a disguised test file existing …
read more白宮敦促開發人員放棄 C 和 C++
ksmbd 漏洞 (CVE-2022-47939)
ksmbd 在 kernel 5.15 期被併入核心, 主要用來建立一個 in-kernel 的 SMB 服務, 可提高 SMB 網路檔案系統的效能. 不過, 這個新的程式碼 …
read more具備記憶體安全的程式語言
NSA 軟體開發指南 Software Memory Safety
NSA urges shift to memory safe programming languages
C#, Go, Java®, Ruby™, Rust®, and Swift®.
read more