Categories: WordPress

Does cURL have POODLE?

Japanese version of this article
Update information: Edit(Oct.26)

   I wrote about the “POODLE” issue in the last post. After that, I suddenly got worried about cURL on WordPress because I had read “SSLv3 fallback attack POODLE”.

   Though I found the following option for curl_setopt,
curl_setopt( $handle, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);
I couldn’t figure out where I should add it among the WordPress core scripts. So I made a topic on the WordPress Forums… I’m waiting for answers.

Edit(Oct.26):
   I just marked the topic [resolved], because I confirmed that my cURL actually uses TLSv1.2 via %{SSL_PROTOCOL} in the Apache log. I don’t need CURL_SSLVERSION_TLSv1 in the file class-http.php. If the SSL server has appropriate configurations, clients can access it safely as long as their software components have the required abilities.

   Clap clap, (*´▽`*).
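The log check described above, as an added example that is not part of the original post: a small POSIX shell script that reads Apache's ssl_request_log (assuming the default httpd-ssl.conf CustomLog format, with constructed sample lines) and reports which protocol each client actually negotiated, so a client that fell back to SSLv3 stands out.

```shell
#!/bin/sh
# Added example (not from the post). Verifies from Apache's own log which
# protocol each client negotiated. Assumes the default httpd-ssl.conf
# CustomLog format for ssl_request_log:
#   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
# %t spans two whitespace-separated fields, so the host is $3 and the
# protocol is $4.

# Constructed sample lines. 127.0.0.1 stands for WordPress calling its own
# wp-cron.php through cURL; the other addresses are RFC 5737 documentation ranges.
sample_ssl_log() {
    cat <<'EOF'
[26/Oct/2014:10:15:32 +0900] 127.0.0.1 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "POST /wp-cron.php?doing_wp_cron HTTP/1.0" 0
[26/Oct/2014:10:15:40 +0900] 192.0.2.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "GET /wp-login.php HTTP/1.1" 3312
[26/Oct/2014:10:16:05 +0900] 198.51.100.7 SSLv3 DES-CBC3-SHA "GET / HTTP/1.1" 3104
[26/Oct/2014:10:17:11 +0900] 203.0.113.5 TLSv1 AES128-SHA "GET /index.php HTTP/1.1" 2210
[26/Oct/2014:10:18:02 +0900] 198.51.100.7 SSLv3 DES-CBC3-SHA "GET /wp-login.php HTTP/1.1" 1988
EOF
}

# protocol_by_client: prints "host protocol count" for every combination seen.
protocol_by_client() {
    awk '{ seen[$3 " " $4]++ } END { for (k in seen) print k, seen[k] }' | sort
}

# client_protocol HOST: the protocols one client negotiated, one per line.
client_protocol() {
    awk -v host="$1" '$3 == host { p[$4]++ } END { for (k in p) print k }' | sort
}

# sslv3_sessions: handshakes that ended up on SSLv3. Any non-zero count means
# a client fell back and the server still allowed it.
sslv3_sessions() {
    awk '$4 == "SSLv3" { n++ } END { print n + 0 }'
}

sample_ssl_log | protocol_by_client
printf 'SSLv3 sessions: %s\n' "$(sample_ssl_log | sslv3_sessions)"
```

On a live server, replace sample_ssl_log with `cat logs/ssl_request_log` and look for your own address among the SSLv3 lines.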

Categories: Windows

Memorandum #7.

Japanese version of this article
Update information: Edit(Oct.18)

   Have you already handled the “POODLE” issue, i.e. CVE-2014-3566? The OpenSSL Security Advisory [15 Oct 2014] is also related to this.

   First, as a web site operator:
   I haven’t got the new version built with 1.0.1j from Apache Lounge yet, so I’ve applied the workaround I read in “SSL v3 goes to the dogs – POODLE kills off protocol”.

   I added SSLProtocol All -SSLv3 to my httpd-ssl.conf and restarted httpd.exe. Before this, SSL Server Test gave me “This server is vulnerable to the POODLE attack. If possible, disable SSL 3 to mitigate. Grade capped to C”. After this, it gave me “This server is not vulnerable to the POODLE attack because it doesn’t support SSL 3”. Actually, I use Apache 2.4 and OpenSSL 1.0.1, so in my mod_ssl ‘SSLProtocol all’ means ‘SSLProtocol +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2’ according to the SSLProtocol directive documentation.
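An added example, not from the post, that evaluates an SSLProtocol value the way the post describes for Apache 2.4 with OpenSSL 1.0.1 (all = +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2) and reports whether SSLv3 is still enabled, showing the weak setting next to the corrected one.

```shell
#!/bin/sh
# Added example (not from the post): evaluates an Apache mod_ssl SSLProtocol
# value and reports which protocols remain enabled. The expansion of "all"
# assumes Apache 2.4 on OpenSSL 1.0.1, exactly as the post states:
#   all = +SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2
ALL_PROTOCOLS="SSLv3 TLSv1 TLSv1.1 TLSv1.2"

# ssl_protocols_enabled "<directive value>": prints the enabled set. Tokens are
# applied left to right; a bare name or +name enables it, -name disables it.
ssl_protocols_enabled() {
    enabled=""
    for tok in $1; do
        op="+"
        case "$tok" in
            -*) op="-"; tok="${tok#-}" ;;
            +*) tok="${tok#+}" ;;
        esac
        case "$tok" in
            [Aa][Ll][Ll]) names="$ALL_PROTOCOLS" ;;   # "all" is a shortcut
            *)            names="$tok" ;;
        esac
        for name in $names; do
            if [ "$op" = "+" ]; then
                case " $enabled " in
                    *" $name "*) ;;                   # already enabled
                    *) enabled="${enabled:+$enabled }$name" ;;
                esac
            else
                kept=""
                for e in $enabled; do
                    [ "$e" = "$name" ] || kept="${kept:+$kept }$e"
                done
                enabled="$kept"
            fi
        done
    done
    printf '%s\n' "$enabled"
}

# sslv3_status "<directive value>": "vulnerable" while SSLv3 is enabled, else "ok".
sslv3_status() {
    case " $(ssl_protocols_enabled "$1") " in
        *" SSLv3 "*) printf 'vulnerable\n' ;;
        *)           printf 'ok\n' ;;
    esac
}

# The weak setting from the post next to the corrected one.
for value in "all" "all -SSLv3" "-all +TLSv1.2"; do
    printf 'SSLProtocol %-14s -> %s [%s]\n' "$value" \
        "$(sslv3_status "$value")" "$(ssl_protocols_enabled "$value")"
done
```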

   Second, as a user:
   I applied the following workaround. See “How to protect your browser”.

Edit(Oct.18):
PHP 5.6.1 —>> PHP 5.6.2 ChangeLog.
phpMyAdmin 4.2.9.1 —>> phpMyAdmin 4.2.10 ChangeLog.

Categories: Vulnerability

ShellShock, shock shock shock!

Japanese version of this article
Update information: Edit(Sep.30), Edit2(Oct.6)

   Whew!!
   Have you coped with the threat from ShellShock yet? My server runs on Windows, so I think the vulnerability has no effect on mine. But it’s a very serious one: NVD gave it an impact score of 10. I have a CentOS 6.5 on my VMware, so I updated its bash to bash-4.1.2-15.el6_5.2.i686.

   If you still get the following messages after updating and running
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
your bash needs more updating:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for 'x'
this is a test

   I got the information from Masanari Iida’s comment on the Red Hat Customer Portal.

   Several links that I am curious about; actually, there are tons of articles about it on the Internet:

   By the way, I had six ShellShock attacks and blocked their IPs up to yesterday, and two more from other IPs today so far, according to the Apache error log. I found that my Apache returned HTTP error codes to all of them.
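As an added example (not the post's own), here is how the probes mentioned above can be picked out of an Apache access log; it assumes the common combined LogFormat and uses constructed sample lines that reuse the harmless test string from this post.

```shell
#!/bin/sh
# Added example (not from the post). Flags ShellShock probes in Apache access
# log lines. Assumes the common "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
# A probe carries a bash function definition, "() {", in a header that a CGI
# script would receive in its environment (usually User-Agent or Referer).

# Constructed sample lines (RFC 5737 addresses); the probe strings reuse the
# harmless test from the post rather than a real payload.
sample_access_log() {
    cat <<'EOF'
192.0.2.10 - - [25/Sep/2014:03:10:01 +0900] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/32.0"
198.51.100.23 - - [25/Sep/2014:03:12:45 +0900] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "-" "() { :;}; echo vulnerable"
203.0.113.5 - - [25/Sep/2014:04:01:12 +0900] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.1" 404 209 "() { :;}; echo vulnerable" "curl/7.37.0"
198.51.100.23 - - [25/Sep/2014:05:30:07 +0900] "GET /cgi-bin/status HTTP/1.1" 404 209 "-" "() { :;}; echo vulnerable"
192.0.2.10 - - [25/Sep/2014:06:00:00 +0900] "GET /wp-login.php HTTP/1.1" 200 3300 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/32.0"
EOF
}

# shellshock_probes: prints "client status request-line" for each probe line.
# The pattern matches a quoted header field beginning with "() {".
shellshock_probes() {
    awk '/"\(\) *[{]/ {
            split($0, q, "\"")      # q[2] is the request line between quotes
            print $1, $9, q[2]      # $9 is the status code in combined format
         }'
}

# probe_sources: distinct client addresses with their probe counts, most first.
probe_sources() {
    shellshock_probes | awk '{ n[$1]++ } END { for (h in n) print n[h], h }' | sort -rn
}

# served_probes: probes that got a 2xx answer. Those are the ones to look at,
# since a 404 means no script ever received the header.
served_probes() {
    shellshock_probes | awk '$2 ~ /^2/ { n++ } END { print n + 0 }'
}

sample_access_log | probe_sources
printf 'probes answered 2xx: %s\n' "$(sample_access_log | served_probes)"
```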

Edit(Sep.30):
   In “Bash bug: apply Florian’s patch now” he said “I very strongly recommend manually deploying Florian’s patch unless your distro is already shipping it.” and explained how to check whether the patch is applied.

   When you run foo='() { echo not patched; }' bash -c foo within the shell, the patch is already applied if you get “command not found”. If you get “not patched”, your bash is still vulnerable.

   In its comments vdp wrote “These ‘toughen the feature’ patches still feel quite scary.” and made a suggestion. I agree with him.

Edit2(Oct.6):
   Today I found this (Japanese).

   Woooo!
   It says that it’s not enough to check bash with the command foo='() { echo not patched; }' bash -c foo. Nonetheless, these are less critical than CVE-2014-6271 or CVE-2014-7169. But still dangerous.

Categories: Windows

Microsoft Security Advisory 2915720-#2

Japanese version of this article

   Do you remember my post “Microsoft Security Advisory 2915720 ???”? Now August 12 is approaching, so I wondered how it was going. For about a week my translation was getting down to the wire in my mind, so I missed the new revision of Microsoft Security Advisory 2915720, but I suddenly found it yesterday.

   The conclusion is “Microsoft no longer plans to enforce the stricter verification behavior as a default functionality on supported releases of Microsoft Windows.” But they also say “It remains available as an opt-in feature.”

   According to the well-informed, they were made keenly aware that its effects were more severe than expected, and so they gave it up this time.

Categories: Uncategorized

I’ve got an email from No-IP.

Japanese version of this article
Update information: Edit(Jul.11)

   I’ve got an email from No-IP because I use a No-IP domain for my net radio. Its title is “★ Update to Microsoft Takedown – All Domains Restored ★”. Of course, it’s related to “Microsoft takes on global cybercrime epidemic in tenth malware disruption”. The original article has gone, so I link to the copy in the Internet Archive (2014.9.24).

The email from No-IP

   Hey, No-IP! Are you doing OK now?

Edit(Jul.11):
   Today I got the second email from No-IP.

The email #2 from No-IP

   No-IP gives us more information on the page “Update: Details on Microsoft Takeover”.

   Anyway, congratulations on surviving, No-IP.

Categories: Uncategorized

Updating Apache because of OpenSSL Security Advisory [05 Jun].

Japanese version of this article
Update information: Edit(Jun.9)

   I updated my Apache 2.4.9 to the 2014 5 Jun version because of OpenSSL Security Advisory [05 Jun].

   It is built with ‘IPv6 Crypto apr-1.5.0 apr-util-1.5.3 apr-iconv-1.2.1 openssl-1.0.1h zlib-1.2.8 pcre-8.34 libxml2-2.9.1 lua-5.1.5 expat-2.1.0’. Its Changelog.

   I really appreciate Steffen’s hard and quick work. Thanks again, Steffen.

Edit(Jun.9):
   I found this on the Net, so I linked to it as a reference:
OpenSSL Patches Critical Vulnerabilities Two Months After Heartbleed

Categories: Windows

Microsoft Security Advisory 2915720 ???

Japanese version of this article

   Now it is June. In Microsoft Security Advisory 2915720 they announced “Changes in Windows Authenticode Signature Verification”; the Advisory was first published on 10 Dec. 2013. They said “The change is included with Security Bulletin MS13-098, but will not be enabled until June 11, 2014.” and suggested these actions.

   So I tested my PCs with “EnableCertPaddingCheck”=”1”; the PCs are a CF-J10 (Win7 HP SP1 64bit), an NJ2100 (Win8 Pro 32bit), an xw4200 (Win7 HP SP1 32bit) and a KeyPaso (Vista Business SP2 32bit). But I have no troubles right now. Do you know which environments would give me trouble with CertPaddingCheck enabled?

   By the way, I found that Microsoft Security Advisory 2915720 was updated on 21 May 2014 and the enabling date changed from June 11 to August 12.

Categories: Uncategorized

Updating Apache because of CVE-2014-0160.

Japanese version of this article
Update information: Edit(May.13)

   I updated my Apache 2.4.9 to the 2014 Apr 8 version because of CVE-2014-0160.

   It is built with ‘IPv6 Crypto apr-1.5.0 apr-util-1.5.3 apr-iconv-1.2.1 openssl-1.0.1g zlib-1.2.8 pcre-8.34 libxml2-2.9.1 lua-5.1.5 expat-2.1.0’. Its Changelog.

   I really appreciate Steffen’s hard and quick work. Thanks again, Steffen.

Edit(May.13):
   This vulnerability also affects everyday life, as I’ve been worried about. Some smartphone OSes might have the vulnerability. I’ve found a list. ⇒ The list of Android phones vulnerable to Heartbleed bug

   And you can check your smartphone OS for the vulnerability with the Heartbleed Detector App.

   I add three Heartbleed detector sites you can access from a PC:
     Heartbleed test
     heartbleed test
     Trend Micro Heartbleed Detector (does not exist anymore.)

Categories: Uncategorized

CVE-2012-1823

Japanese version of this article

   I watched “さくらのVPSに来る悪い人を観察する その2” (Observing the bad guys who come to my Sakura VPS, part 2) and “SSH ハニーポットでの悪い人の観察” (Observing bad guys on an SSH honeypot), then rolled on the floor laughing. I first found this on “徳丸浩の日記” (Hiroshi Tokumaru’s diary), which says the slide show is very interesting and very popular lately, so I went to the slide show to make sure, and I agreed.

   The slide show is related to CVE-2012-1823. Actually, the attacks that slide #36 shows come from everywhere, whether the vulnerability exists or not. My server is no exception. I don’t run an SSH server, and my PHP doesn’t have the vulnerability and isn’t the CGI version, so all the attacks failed.

   Ozuma5119 is a genuine white-hat hacker. If you’re interested in this topic, visit the linked sites, though they are only in Japanese. Please use some translation services m(_”_)m.

Categories: everyday life

I can’t accept this is happening, but it is true.

Japanese version of this article

   On December 20th, Reuters broke “Exclusive: Secret contract tied NSA and security industry pioneer”. On December 23rd, Mikko Hypponen wrote “An Open Letter to the Chiefs of EMC and RSA”.

   I can’t accept this is happening, but the fact that Mikko wrote such a letter shows us the article is almost certainly true. For the NSA, it might be their regular job. But for RSA, what a shame!! Of course, we should read not only the Reuters-side articles but also the opposite side’s, like RSA RESPONSE TO MEDIA CLAIMS REGARDING NSA RELATIONSHIP.

   It is a sad fact that RSA’s credibility was destroyed.