Generate a CA certificate

openssl genrsa -out ca.key 2048
openssl req -new -key ca.key -out ca.csr
openssl x509 -req -days 3650 -sha256 -extfile /tmp/openssl.conf -extensions v3_ca -in ca.csr -signkey ca.key -out ca.crt

View the certificate information

openssl x509 -in ca.crt -text -noout

Note the version number and the CA extension information, as follows:

Certificate:
    Data:
        Version: 3 (0x2)
            X509v3 Basic Constraints: 
                CA:TRUE
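
The page does not show the contents of /tmp/openssl.conf, so the following added example (not from the original post) supplies an assumed config and checks the two fields noted above. The section names other than v3_ca, the CN, and the helper functions are hypothetical; a certificate signed with CA:FALSE is included to show the check failing.

```shell
#!/bin/sh
# Added example. The config sections, the CN and the helper names are assumptions.

write_conf() {  # $1 = config path (stand-in for the page's /tmp/openssl.conf)
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Example Test CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
EOF
}

make_csr() {  # $1 = work dir; same key and CSR steps as the page, non-interactive
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null &&
    openssl req -new -config "$1/openssl.conf" -key "$1/ca.key" -out "$1/ca.csr"
}

sign() {  # $1 = work dir, $2 = extension section, $3 = output certificate
    openssl x509 -req -days 3650 -sha256 -extfile "$1/openssl.conf" \
        -extensions "$2" -in "$1/ca.csr" -signkey "$1/ca.key" -out "$3" 2>/dev/null
}

check_ca() {  # succeeds only for an X.509 v3 certificate that asserts CA:TRUE
    text=$(openssl x509 -in "$1" -text -noout) || return 2
    printf '%s\n' "$text" | grep -q 'Version: 3 (0x2)' || return 1
    printf '%s\n' "$text" | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

demo() {  # expects ca.crt to pass the check and leaf.crt to fail it
    dir=$(mktemp -d) || return 2
    write_conf "$dir/openssl.conf"
    make_csr "$dir" && sign "$dir" v3_ca "$dir/ca.crt" &&
        sign "$dir" v3_leaf "$dir/leaf.crt" || { rm -rf "$dir"; return 2; }
    ca_ok=no; leaf_ok=no
    check_ca "$dir/ca.crt" && ca_ok=yes
    check_ca "$dir/leaf.crt" && leaf_ok=yes
    rm -rf "$dir"
    echo "ca.crt is CA: $ca_ok, leaf.crt is CA: $leaf_ok"
    [ "$ca_ok" = yes ] && [ "$leaf_ok" = no ]
}
```

Calling demo after sourcing the block runs the whole sequence in a temporary directory and removes it afterwards.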


How to remediate the Samba security vulnerabilities on Ubuntu.
Vulnerability information:
The version of Samba running on the remote host is 4.13.x prior to 4.13.17, 4.14.x prior to 4.14.12, or 4.15.x prior to 4.15.5. It is, therefore, affected by multiple vulnerabilities:

  • Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution. (CVE-2021-44142)
  • Information leak via symlinks of existence of files or directories outside of the exported share. (CVE-2021-44141)
  • Samba AD users with permission to write to an account can impersonate arbitrary services. (CVE-2022-0336)

Solution
Upgrade to Samba version 4.13.17, 4.14.12, or 4.15.5 or later.


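Any service that uses SSL with renegotiation enabled is affected by this vulnerability.

Apache fix:

Upgrade to Apache 2.2.15 or later.

IIS fix:

IIS 5.0 is also affected when the SSL service is enabled. You can upgrade IIS 6.0 to a later version.

Lighttpd fix:

Upgrading to lighttpd 1.4.30 or later and setting ssl.disable-client-renegotiation = "enable" is recommended.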
http://download.lighttpd.net/lighttpd/releases-1.4.x/
