OpenSSL 1.1.1j, wolfSSL 4.7.0 and LibreSSL 3.2.4 updates

A maintenance release of the OpenSSL cryptographic library, 1.1.1j, is available. It fixes two vulnerabilities:

  • CVE-2021-23841 is a NULL pointer dereference in the X509_issuer_and_serial_hash() function, which can crash applications that call this function to process X509 certificates with an invalid value in the issuer field.
  • CVE-2021-23840 is an integer overflow in the EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate functions that can cause them to return 1, indicating success, while setting the output size to a negative value, which can cause applications to crash or behave abnormally.
  • CVE-2021-23839 is a flaw in the implementation of rollback protection for use of the SSLv2 protocol. It appears only in the old 1.0.2 branch.
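A caller-side check for the CVE-2021-23840 failure mode (return value 1 together with a negative output length) can look like the following. This is an added example, not code from OpenSSL or from the original article: `checked_update`, the `UPD_*` codes, the opaque-context callback type and the two stub functions are hypothetical names, and the stubs are constructed stand-ins for the library call so the file builds without OpenSSL.

```c
#include <limits.h>
#include <stddef.h>
#include <string.h>

/* Same parameter order as the EVP_*Update functions; the context is opaque
 * here so the example builds without OpenSSL (assumption of this example). */
typedef int (*update_fn)(void *ctx, unsigned char *out, int *outl,
                         const unsigned char *in, int inl);

enum { UPD_OK, UPD_BAD_ARG, UPD_INPUT_TOO_LARGE, UPD_OUT_TOO_SMALL,
       UPD_CALL_FAILED, UPD_BAD_OUTLEN };

/* Hypothetical wrapper: check lengths before and after one update call. */
int checked_update(update_fn fn, void *ctx, unsigned char *out, size_t out_cap,
                   size_t *written, const unsigned char *in, size_t in_len,
                   int block_size)
{
    int outl = 0;
    *written = 0;
    if (block_size < 1)
        return UPD_BAD_ARG;
    /* Output can reach in_len + block_size, which must still fit in an int. */
    if (in_len > (size_t)(INT_MAX - block_size))
        return UPD_INPUT_TOO_LARGE;
    if (out_cap < in_len + (size_t)block_size)
        return UPD_OUT_TOO_SMALL;
    if (fn(ctx, out, &outl, in, (int)in_len) != 1)
        return UPD_CALL_FAILED;
    /* A return value of 1 is not enough: the reported length must be sane. */
    if (outl < 0 || (size_t)outl > out_cap)
        return UPD_BAD_OUTLEN;
    *written = (size_t)outl;
    return UPD_OK;
}

/* Constructed stand-ins for the library call, used only to exercise the wrapper. */
static int stub_ok(void *c, unsigned char *o, int *ol, const unsigned char *i, int il)
{ (void)c; memcpy(o, i, (size_t)il); *ol = il; return 1; }
static int stub_negative(void *c, unsigned char *o, int *ol, const unsigned char *i, int il)
{ (void)c; (void)o; (void)i; (void)il; *ol = -16; return 1; } /* "success", bad size */

/* Runs one constructed case and returns the wrapper's status code. */
int demo(int which)
{
    unsigned char in[32] = {0}, out[48];
    size_t n = 0;
    if (which == 0) return checked_update(stub_ok, NULL, out, sizeof out, &n, in, sizeof in, 16);
    if (which == 1) return checked_update(stub_negative, NULL, out, sizeof out, &n, in, sizeof in, 16);
    return checked_update(stub_ok, NULL, out, sizeof out, &n, in, (size_t)INT_MAX - 4, 16);
}
int main(void) { return demo(0) == UPD_OK ? 0 : 1; }
```

In the third case the oversized length is rejected before either buffer is touched, so no large allocation is needed to exercise the check.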

The LibreSSL 3.2.4 package has also been published; within it the OpenBSD project develops a fork of OpenSSL aimed at providing a higher level of security. The release is notable for reverting to the old certificate verification code used in LibreSSL 3.1.x, because some applications that carry bindings to work around bugs in the old code stopped working. Among the new features, the addition of exporter and autochain implementations to TLSv1.3 stands out.

In addition, there is a new release of the compact cryptographic library wolfSSL 4.7.0, which is optimized for use on embedded devices with limited processor and memory resources, such as Internet of Things devices, smart home systems, automotive information systems, routers and mobile phones. The code is written in C and distributed under the GPLv2 license.

The new version includes support for RFC 5705 (Keying Material Exporters for TLS) and S/MIME (Secure/Multipurpose Internet Mail Extensions). The "--enable-reproducible-build" flag has been added to ensure reproducible builds. The SSL_get_verify_mode API, X509_VERIFY_PARAM API and X509_STORE_CTX have been added to the OpenSSL compatibility layer. The WOLFSSL_PSK_IDENTITY_ALERT macro has been implemented. A new function _CTX_NoTicketTLSv12 has been added to disable TLS 1.2 session tickets while keeping them for TLS 1.3.

source: budenet.ru
