Nginx 1.22.1 and 1.23.2 updates with vulnerability fixes

The mainline release nginx 1.23.2, in which development of new features continues, has been published, together with the stable-branch release nginx 1.22.1, which only receives changes related to fixing serious bugs and vulnerabilities.

The new versions fix two vulnerabilities (CVE-2022-41741, CVE-2022-41742) in the ngx_http_mp4_module module, which is used to organise streaming from files in the H.264/AAC format. The vulnerabilities can lead to memory corruption or a memory leak while processing a specially crafted mp4 file. A crash of the worker process is mentioned as the consequence, but other outcomes, such as code execution on the server, are not ruled out.

It is worth noting that a similar vulnerability in the ngx_http_mp4_module module was already fixed in 2012. In addition, F5 has reported a similar vulnerability (CVE-2022-41743) in the NGINX Plus product, affecting the ngx_http_hls_module module, which provides support for the HLS (Apple HTTP Live Streaming) protocol.
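A defender-side check derived from the details above, added here as an example and not code from the article or from the nginx project: it reads the output of "nginx -V" and reports whether a build has ngx_http_mp4_module compiled in and predates the fixed releases. The sample outputs it runs against are constructed.

```shell
#!/bin/sh
# Added example, not code from the article or from the nginx project.
# Reads "nginx -V" output and decides whether the build is exposed to
# CVE-2022-41741 / CVE-2022-41742: the flaw is in ngx_http_mp4_module, which
# is only compiled in with --with-http_mp4_module; the fixes shipped in
# 1.22.1 (stable) and 1.23.2 (mainline), and later releases carry them too.
# nginx_mp4_exposed "<nginx -V output>"
# Prints a verdict; returns 0 = exposed, 1 = not exposed, 2 = unparseable.
nginx_mp4_exposed() {
    out=$1
    ver=$(printf '%s\n' "$out" | sed -n 's#^nginx version: nginx/\([0-9][0-9.]*\).*#\1#p')
    [ -n "$ver" ] || { echo "no 'nginx version:' line found"; return 2; }
    # Without the module the vulnerable code is absent from the binary.
    case "$out" in
        *--with-http_mp4_module*) ;;
        *) echo "nginx/$ver: mp4 module not built in, not exposed"; return 1 ;;
    esac

    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0        # "1.23" has no patch field

    fixed=0
    if [ "$major" -gt 1 ]; then fixed=1
    elif [ "$major" -eq 1 ]; then
        if   [ "$minor" -ge 24 ]; then fixed=1
        elif [ "$minor" -eq 23 ] && [ "$patch" -ge 2 ]; then fixed=1
        elif [ "$minor" -eq 22 ] && [ "$patch" -ge 1 ]; then fixed=1
        fi   # 1.22.0, 1.23.0/1.23.1 and older branches received no fix
    fi
    if [ "$fixed" -eq 1 ]; then
        echo "nginx/$ver: mp4 module built in, version carries the fix"; return 1
    fi
    echo "nginx/$ver: mp4 module built in, version predates the fix: EXPOSED"
    return 0
}

# Constructed sample outputs in "nginx -V" format (not captured from a real host).
SAMPLE_VULNERABLE='nginx version: nginx/1.22.0
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_mp4_module'
SAMPLE_FIXED='nginx version: nginx/1.23.2
configure arguments: --prefix=/etc/nginx --with-http_mp4_module'
SAMPLE_NO_MP4='nginx version: nginx/1.22.0
configure arguments: --prefix=/etc/nginx --with-http_ssl_module'

# On a real host: nginx_mp4_exposed "$(nginx -V 2>&1)"  (nginx -V prints to stderr)
for s in "$SAMPLE_VULNERABLE" "$SAMPLE_FIXED" "$SAMPLE_NO_MP4"; do
    nginx_mp4_exposed "$s"
done
```

The check covers only the open-source mp4 module; the NGINX Plus ngx_http_hls_module issue (CVE-2022-41743) is not visible in "nginx -V" output and has to be checked against the Plus release notes.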

Besides the vulnerability fixes, nginx 1.23.2 brings the following changes:

  • Added support for the ''$proxy_protocol_tlv_*'' variables, which carry the values of the TLV (Type-Length-Value) fields that appear in the PROXY v2 protocol.
  • Automatic rotation of the encryption keys for TLS session tickets is provided when shared memory is used in the ssl_session_cache directive.
  • The logging level for errors related to incorrect SSL record types has been lowered from critical to informational.
  • The logging level for messages about failing to allocate memory for a new session has been changed from alert to warning, and output is limited to one entry per second.
  • On the Windows platform, the build is now made with OpenSSL 3.0.
  • Improved logging of PROXY protocol errors.
  • Fixed an issue where the timeout specified in the "ssl_session_timeout" directive did not take effect when using TLSv1.3 with OpenSSL or BoringSSL.

source: budenet.ru
