My application code was recently scanned by JFrog XRay and it produced a result stating that the in use version of Bouncy Castle BKS version 1 keystore has a high vulnerability. The version in use by my application is version 1.61, aka “source version = 1.61”. XRay reports that infected versions of this library are <= 1.46 and >= 1.49, and is the reason XRay caught this. This means that only versions between 1.46 and 1.49 are not infected, everything else is, and 1.61 is outside that scope. That cannot be correct. The NVD site (https://nvd.nist.gov/vuln/detail/CVE-2018-5382) states that all versions up to 1.47 (excluding) are infected. Meaning that the in use version (1.61) is not part of the infected list as XRay is stating. There is a direct conflict between what XRay is stating and what the NVD is stating.
I have little contact with the administrator of the XRay vulnerability database. I've asked them to check certain things, but to no avail.
I'm hoping someone can help me understand what the problem could be so I can relay that information to the XRay administrator.
I am part of the JXRay (XRay vulnerability database) maintaining team at JFrog.
Looking at the references from NVD, in the vulnerability note released by US-CERT (https://www.kb.cert.org/vuls/id/306792/), they write that the problem is in the “BKS keystore format version 1 (BKS-V1)” and this format is supported in all versions before 1.47, and the support for this format was brought back in 1.49 and on. That is why version 1.49 and on is possibly affected (depending on the format used).
Please feel free to contact us for further questions through JFrog’s support.
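The disagreement in this thread comes down to how an affected-version statement is encoded. The following is an added example (not code from the question or from JFrog): it writes down the NVD statement ("up to 1.47, excluding") and the XRay statement ("<= 1.46 and >= 1.49") as ranges and evaluates a version against each. The version strings are the ones quoted in the post; the class and function names are this example's own.

```python
"""Added example: encode two affected-version statements and compare them.

The ranges reproduce the two statements quoted in the thread; the helper
names (VersionRange, is_affected, compare_sources) are invented for this
example and are not part of XRay, NVD or Bouncy Castle.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.61' or '1.6.1' into a comparable tuple; pad so '1.6' == '1.6.0'."""
    parts = tuple(int(p) for p in v.strip().split("."))
    return parts + (0,) * max(0, 3 - len(parts))


@dataclass(frozen=True)
class VersionRange:
    start: Optional[str] = None    # inclusive lower bound; None = no lower bound
    end: Optional[str] = None      # upper bound; None = no upper bound
    end_inclusive: bool = False    # NVD 'versionEndIncluding' vs 'versionEndExcluding'

    def contains(self, version: str) -> bool:
        pv = parse_version(version)
        if self.start is not None and pv < parse_version(self.start):
            return False
        if self.end is not None:
            pe = parse_version(self.end)
            if pv > pe or (pv == pe and not self.end_inclusive):
                return False
        return True


def is_affected(version: str, ranges: Sequence[VersionRange]) -> bool:
    """Affected if the version falls inside ANY listed range.

    A list of ranges is a union: '<= 1.46 and >= 1.49' describes two
    disjoint affected intervals with a gap at 1.47 and 1.48, not the
    (empty) intersection of the two conditions.
    """
    return any(r.contains(version) for r in ranges)


# Constructed encodings of the two statements quoted in the thread.
NVD_RANGES = [VersionRange(end="1.47")]                       # "up to 1.47 (excluding)"
XRAY_RANGES = [VersionRange(end="1.46", end_inclusive=True),  # "<= 1.46"
               VersionRange(start="1.49")]                    # "and >= 1.49"


def compare_sources(versions: Sequence[str]) -> dict:
    """Per version: (affected per NVD encoding, affected per XRay encoding)."""
    return {v: (is_affected(v, NVD_RANGES), is_affected(v, XRAY_RANGES))
            for v in versions}


if __name__ == "__main__":
    for v, (nvd, xray) in compare_sources(["1.46", "1.47", "1.48", "1.49", "1.61"]).items():
        print(f"{v}: NVD affected={nvd}  XRay affected={xray}")
```

Under the NVD encoding 1.61 is out of scope; under the XRay encoding it is in scope because of the second interval that starts at 1.49. Note that a range match only says the library version can carry the BKS-V1 code path; whether an application is exposed still depends on whether it actually reads or writes BKS-V1 keystores, which a version check alone cannot tell you.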
Related
Is there a file which ties the libversion to the release number? The libversion is in a file in the release, but I can't find documentation to trace this back. I am working with a version of Linux that has one libversion of Poco and an SDK that was released with a different libversion, and I am trying to track down the releases. Thanks.
I figured I'd go ahead and try to get an answer on GitHub. There is no master file/database with the numbers, but it isn't super difficult to find. If you go to the tagged version (eg 1.11.0) and look at libversion, the number will be 81. Go back to tag version 1.6.1 and look at the libversion, and the number is 31. I was able to create the database of the versions I needed based on trial and error.
I need to migrate an enterprise production database from a Windows source machine running Postgres 9.5 to an Ubuntu destination machine running Postgres 11.6 with < 15 mins downtime. I plan to do this with pglogical, which requires the extension being loaded on both source and destination. I am having trouble with the source side because it is Windows.
I have very little Postgres-Windows experience and can neither find any helpful literature on the specific situation nor can I figure out for myself how to presumably install from source.
I've dug and dug and so far the only answer I've been able to find is "ugh... Windows". It seems like the only way to build from source is using Visual Studio, which I don't have or know how to use.
Sources:
https://www.2ndquadrant.com/en/blog/compiling-postgresql-extensions-visual-studio-windows/
https://postgrespro.ru/list/thread-id/1835275
Alex, the 2ndQuadrant article you link to in your own comment solves this. A few of the project or build options noted there have moved a little bit in the newer Visual Studio Community editions, so I can see where you got hung up.
Just for kicks I compiled 32-bit DLL on my oldest Windows instance. I included the /Release path so you can grab my DLL & see if it works for you. It's (a) 32-bit because I'm assuming worst-case for an old v9.5 install, and (b) targets Postgres 9.6 because that's what I had installed. Unless there were major API changes though, it should connect to v9.5 without any issues:
https://github.com/mbijon/winpglogical/tree/master
If you find you need a version that entirely matches Postgres 9.5, grab my solution files & VS Community 20xx. Load the project & update the Additional Include Directories in Project Config to target your v9.5 paths. That should be all that's needed to link v9.5 Postgres libs.
I need to determine whether a user's version of OpenJDK is susceptible to a particular security vulnerability. As an example, CVE-2016-0695 was discovered in OpenJDK 8u77, as revealed in the April 2016 Critical Patch Update. Ideally, detecting whether a user's OpenJDK version is vulnerable would be as simple as checking whether it's <= 8u77 or > 8u77 and accordingly marking it as vulnerable or not (assuming that all previous versions are also vulnerable and that the fix gets applied by the next version). The picture gets muddied by manual patches, though.
If I understand correctly, the April 2016 patch would be automatically bundled into the next version of OpenJDK8 (8u91, in this case), but would also be available for manual application. The latter would probably be an attractive option to risk-averse users who want to keep their Java version as-is while patching security holes. If a user manually applies the patch to their 8u77 install, is there any way for me to detect that? For instance, does the version number reported by java -version change? Or is there no indicator that a patch had been applied?
If the OpenJDK build comes from a vendor, the vendor may publish security information. For example, here is the CVE-2016-0695 security information from Debian. This information typically contains the first fixed package version, according to some vendor-specific versioning scheme.
However, in general, you need to obtain the sources for that OpenJDK build and review them to see whether they have the fix.
To find the patch corresponding to a particular CVE ID (say CVE-2016-0695), in most cases, the easiest way is to go to the Red Hat Bugzilla tracker, here the flaw bug for CVE-2016-0695, and note the internal Oracle bug number listed there, 8138593 in this case. Then you need to check out the appropriate OpenJDK sub-tree, in this case for the jdk component:
hg clone http://hg.openjdk.java.net/jdk8u/jdk8u/jdk
And look in the history for the appropriate commit, based on the Oracle bug number (8138593):
changeset: 11581:594e8dca337c
user: igerasim
date: Thu Dec 24 08:42:10 2015 +0300
summary: 8138593: Make DSA more fair
The commits themselves do not contain CVE IDs (which are often not available when the fix is written, so this is understandable), so the detour via the Red Hat bug tracker is needed. (I have not seen a CVE-ID-to-bug-number mapping from Oracle.)
You can view the patch using another Mercurial command:
hg export 594e8dca337c
Once you have the patch, it is a matter of reviewing the source code to check whether it has been applied. If you cannot obtain the source code for some reason, for changes to the jdk, it is often sufficient to disassemble the relevant classes using javap -c. For native code, you need a different disassembler (such as objdump -dr).
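The "check whether the patch has been applied" step above can be automated once you have the exported changeset: a unified diff records both the pre-image (context plus removed lines) and the post-image (context plus added lines) of every hunk, so a source tree can be classified by which of the two it contains. The following is an added example, not code from the answer or from the OpenJDK project; the patch it reads is a constructed stand-in (a tiny fictional Example.java), not the real 8138593 changeset, and the function names are this example's own.

```python
"""Added example: classify a source tree as patched / not patched / diverged
from a unified diff, by searching for each hunk's pre-image and post-image.

SAMPLE_PATCH is constructed for this example; it is NOT the real OpenJDK
changeset 594e8dca337c. Function names are this example's own.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")

# Constructed stand-in for an exported changeset (hg export style header).
SAMPLE_PATCH = """\
# HG changeset patch
# User example
# Constructed stand-in for a security fix, not a real OpenJDK changeset

diff -r 111111111111 -r 222222222222 src/Example.java
--- a/src/Example.java
+++ b/src/Example.java
@@ -1,5 +1,7 @@
 class Example {
     int sign(int k) {
+        // constructed fix: reject a zero nonce
+        if (k == 0) throw new IllegalArgumentException();
         return k;
     }
 }
"""


def parse_unified_diff(diff_text: str) -> dict:
    """Map each '+++' target path to a list of (pre_image, post_image) hunks.

    The @@ header line counts decide where a hunk ends, so a removed line
    that happens to start with '--' or a later file header is not confused
    with a hunk line.
    """
    hunks: dict = {}
    path = None
    pre = post = None
    remaining_old = remaining_new = 0
    for raw in diff_text.splitlines():
        m = HUNK_RE.match(raw)
        if m and remaining_old == 0 and remaining_new == 0:
            remaining_old = int(m.group(2) or 1)
            remaining_new = int(m.group(4) or 1)
            pre, post = [], []
            hunks[path].append((pre, post))
        elif remaining_old or remaining_new:
            tag, body = raw[:1], raw[1:]
            if tag == "+":
                post.append(body)
                remaining_new -= 1
            elif tag == "-":
                pre.append(body)
                remaining_old -= 1
            elif tag == "\\":
                pass  # "\ No newline at end of file" marker
            else:  # context line (' ' prefix, or empty if whitespace was stripped)
                pre.append(body)
                post.append(body)
                remaining_old -= 1
                remaining_new -= 1
        elif raw.startswith("+++ "):
            # '+++ b/src/Example.java' -> 'src/Example.java' (drop hg/git a/ b/ prefix)
            path = raw[4:].split("\t")[0]
            path = path[2:] if path[:2] in ("a/", "b/") else path
            hunks.setdefault(path, [])
    return hunks


def contains_sequence(haystack: list, needle: list) -> bool:
    """True if needle appears as a contiguous run of lines inside haystack."""
    n = len(needle)
    return any(haystack[i:i + n] == needle for i in range(len(haystack) - n + 1))


def patch_status(diff_text: str, root: Path) -> dict:
    """Per file: 'applied', 'not applied', 'diverged' (neither image matches
    cleanly, e.g. a vendor backport) or 'missing' (file absent)."""
    result = {}
    for path, hunks in parse_unified_diff(diff_text).items():
        target = root / path
        if not target.is_file():
            result[path] = "missing"
            continue
        lines = target.read_text().splitlines()
        applied = sum(contains_sequence(lines, post) for _, post in hunks)
        if applied == len(hunks):
            result[path] = "applied"
        elif applied == 0 and all(contains_sequence(lines, pre) for pre, _ in hunks):
            result[path] = "not applied"
        else:
            result[path] = "diverged"
    return result


def demo() -> dict:
    """Build two constructed trees (one patched, one not) plus an empty one."""
    pre, post = parse_unified_diff(SAMPLE_PATCH)["src/Example.java"][0]
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        for label, content in (("unpatched", pre), ("patched", post)):
            root = Path(tmp) / label
            (root / "src").mkdir(parents=True)
            (root / "src" / "Example.java").write_text("\n".join(content) + "\n")
            out[label] = patch_status(SAMPLE_PATCH, root)["src/Example.java"]
        out["missing"] = patch_status(SAMPLE_PATCH, Path(tmp) / "empty")["src/Example.java"]
    return out


if __name__ == "__main__":
    print(demo())
```

The "diverged" outcome is the one that matters in practice: a vendor build may carry the fix as a backport whose context lines differ from upstream, so neither image matches and the answer has to come from reading the code (or the vendor's own security tracker) rather than from this check.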
The OpenJDK JDK 8 Updates Project provides source code, rather than builds or binary patches. Per the Q&A at http://openjdk.java.net/projects/jdk8u/qanda.html
Security fixes for this Project's source code will be made available
in the JDK 8 Update Project around the same time as they're released
in products from Oracle
They are made available in order to be integrated into the Project's Mercurial forest. Such source code patches are not provided separately, to be applied manually by users for other releases.
In general, if you need to understand whether a particular change has been applied in a third party build, you will need to get and compare the source code from upstream and the third party builds and/or their commit history. Mechanisms to obtain the source code, commit history, patching policies, patch versioning and patch timing may differ from third party to third party.
I am upgrading CentOS 5.6 to CentOS 6.4. Can anyone give me the differentiating points or a link to a website that shows that?
The entire release history is at http://wiki.centos.org/Manuals/ReleaseNotes
You will need to read/combine the release notes for 5.7..5.10 & 6.0..6.4 and you may also need to take a look at the bug tracker.
It's a major upgrade from 5 to 6, so the list of differences is long and there are multiple webpages dedicated to the changes involved; just google "centos migrate 5 to 6" and you get a ton of hits.
Red Hat's planning guide at https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/pdf/Migration_Planning_Guide/Red_Hat_Enterprise_Linux-6-Migration_Planning_Guide-en-US.pdf is one that points out differences and what you need to plan for.
Do we have any CLI/API to check the OpenStack development version? I mean, whether my system has Havana or Grizzly installed. I searched the OpenStack CLI/API docs but I don't find anything relevant.
OpenStack has a number of elements if you want to verify state.
Each of the component projects and each of the python-client api bindings have their own versions. Then there are configurable options for addressing API versions in REST queries.
I took a crack at building an API for the very purpose of verifying this data as well as all python dependencies a while back with the aim of cross verifying that against a vulnerability database but I simply haven't had the time to bring it to completion.
This would be a very useful feature I think.
You might look at your pip requires if you installed from source. Alternatively you can follow the debian package version chain from dependencies and that should provide good insight into what is installed on your system though it's not exactly verified.