OpenSSL 1.1.1k update with fixes for two dangerous vulnerabilities

A maintenance release of the OpenSSL cryptographic library, 1.1.1k, is available. It fixes two vulnerabilities rated high severity:

  • CVE-2021-3450 - CA certificate verification can be bypassed when the X509_V_FLAG_X509_STRICT flag is enabled. The flag is off by default and enables additional checks on the certificates present in a chain. The problem was introduced in OpenSSL 1.1.1h together with a new strict check that rejects certificates in the chain that explicitly encode elliptic curve parameters.

    Because of a bug in that code, the result of the new check overwrote the result of the earlier check that every issuing certificate in the chain is a valid CA certificate. The consequence is that a certificate issued by a non-CA certificate (for example, an ordinary end-entity certificate that itself chains to a trusted CA) was accepted as fully trusted, even though non-CA certificates must never be able to issue other certificates. The vulnerability does not manifest when a verification "purpose" is set, because the named purposes in libcrypto repeat the CA check; libssl sets a purpose by default in its client and server certificate verification routines (i.e. for TLS), so an application is affected only if it explicitly sets X509_V_FLAG_X509_STRICT and either configures no purpose or overrides the default one. Versions 1.1.1h through 1.1.1j are affected.

  • CVE-2021-3449 - A TLS server can be crashed by a client sending a specially crafted ClientHello message. The issue is a NULL pointer dereference in the handling of the signature_algorithms extension: per the OpenSSL advisory, it is triggered when a TLSv1.2 renegotiation ClientHello omits the signature_algorithms extension that was present in the initial ClientHello but includes a signature_algorithms_cert extension, leading to a denial of service. Only servers that support TLSv1.2 and allow connection renegotiation (the default configuration) are affected; TLS clients are not. All 1.1.1 releases before 1.1.1k are affected, and besides upgrading, a server can remove the precondition by disabling renegotiation (SSL_OP_NO_RENEGOTIATION).
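As an added example (not code from OpenSSL or from the original article), the following Python parses the extensions of a TLS ClientHello and flags the renegotiation pattern described for CVE-2021-3449 above, and shows a server SSLContext with renegotiation disabled as a configuration-level mitigation. The ClientHello bytes, the cipher suite and the signature scheme list are constructed here for illustration; the function names are my own and not an OpenSSL API.

```python
"""
Added example (not code from OpenSSL or from the article): a minimal TLS
ClientHello extension parser used to spot the renegotiation pattern behind
CVE-2021-3449, plus a server-side SSLContext hardened by disabling
renegotiation. All sample ClientHello bytes below are constructed here.
"""
import ssl
import struct

# Extension type codes from the IANA TLS ExtensionType registry.
EXT_SIGNATURE_ALGORITHMS = 13
EXT_SIGNATURE_ALGORITHMS_CERT = 50

# Constructed signature scheme list: ecdsa_secp256r1_sha256, rsa_pss_rsae_sha256.
SIG_ALGS = b"\x00\x04" + b"\x04\x03" + b"\x08\x04"


def build_client_hello(extensions):
    """Wrap a TLS 1.2 ClientHello carrying `extensions` ([(type, data), ...])
    in a handshake message and a TLS record. Used only to construct samples."""
    ext_body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
    body = (
        b"\x03\x03"                                # client_version: TLS 1.2
        + bytes(32)                                # random (zeros; sample data only)
        + b"\x00"                                  # empty session_id
        + struct.pack("!H", 2) + b"\xc0\x2f"       # one cipher suite (constructed choice)
        + b"\x01\x00"                              # compression_methods: null only
        + struct.pack("!H", len(ext_body)) + ext_body
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello_extensions(record):
    """Return {extension_type: data} for the ClientHello inside a TLS record.
    Raises ValueError (or struct.error) on anything that is not a well-formed ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                              # client_version + random
    pos += 1 + body[pos]                                      # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]      # cipher_suites
    pos += 1 + body[pos]                                      # compression_methods
    exts = {}
    if pos == len(body):                                      # extensions block is optional
        return exts
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end != len(body):
        raise ValueError("bad extensions length")
    while pos < end:
        ext_type, data_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        if pos + data_len > end:
            raise ValueError("truncated extension")
        exts[ext_type] = body[pos:pos + data_len]
        pos += data_len
    return exts


def is_cve_2021_3449_pattern(initial_hello, renegotiation_hello):
    """True when a renegotiation ClientHello drops the signature_algorithms
    extension that the initial ClientHello carried but sends
    signature_algorithms_cert: the shape that dereferences NULL in unpatched
    OpenSSL 1.1.1 servers with TLSv1.2 and renegotiation enabled."""
    first = parse_client_hello_extensions(initial_hello)
    second = parse_client_hello_extensions(renegotiation_hello)
    return (EXT_SIGNATURE_ALGORITHMS in first
            and EXT_SIGNATURE_ALGORITHMS not in second
            and EXT_SIGNATURE_ALGORITHMS_CERT in second)


def hardened_server_context():
    """Server SSLContext with renegotiation disabled, which removes the
    precondition for CVE-2021-3449 regardless of library version.
    ssl.OP_NO_RENEGOTIATION exists when Python is built against OpenSSL >= 1.1.0h."""
    if not hasattr(ssl, "OP_NO_RENEGOTIATION"):
        raise RuntimeError("this OpenSSL build cannot disable renegotiation via SSL_OP_NO_RENEGOTIATION")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_RENEGOTIATION
    return ctx


def renegotiation_disabled(ctx):
    """Check that SSL_OP_NO_RENEGOTIATION is set on a context."""
    return bool(ctx.options & ssl.OP_NO_RENEGOTIATION)


if __name__ == "__main__":
    initial = build_client_hello([(EXT_SIGNATURE_ALGORITHMS, SIG_ALGS)])
    benign = build_client_hello([(EXT_SIGNATURE_ALGORITHMS, SIG_ALGS),
                                 (EXT_SIGNATURE_ALGORITHMS_CERT, SIG_ALGS)])
    crafted = build_client_hello([(EXT_SIGNATURE_ALGORITHMS_CERT, SIG_ALGS)])
    print("benign renegotiation flagged:", is_cve_2021_3449_pattern(initial, benign))
    print("crafted renegotiation flagged:", is_cve_2021_3449_pattern(initial, crafted))
    print("renegotiation disabled:", renegotiation_disabled(hardened_server_context()))
```

The detector needs both ClientHellos of one connection, because the crash condition is the difference between them rather than anything in the second message alone; a sensor that only sees the renegotiation ClientHello (which is encrypted once the first handshake completes) cannot apply it, so on the server side disabling renegotiation is the more practical control.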

source: opennet.ru
