OpenWrt 19.07.1


Releases 18.06.7 and 19.07.1 of the OpenWrt distribution have been published. They fix the vulnerability CVE-2020-7982 in the opkg package manager, which can be used to carry out a MITM attack and replace the contents of a package downloaded from the repository. Because of an error in the checksum verification code, an attacker can cause the packages' SHA-256 checksums to be ignored, which makes it possible to bypass the integrity checks on downloaded ipk resources.

The problem has existed since February 2017, when code was added to skip leading spaces before the checksum is verified. Because of an error in skipping the spaces, the pointer to the position in the line was not advanced, so the SHA-256 hexadecimal decoding loop returned control immediately and produced a checksum of zero length.
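A simplified model of the parsing error described above, as an added example that is not opkg's actual code: `parse_sum`, `accept_lenient`, `accept_strict` and the sample field are hypothetical names and constructed data, and the lenient policy of treating an empty checksum as "nothing to verify" is an assumption of this model. It shows why a verifier should fail closed whenever the parsed digest is not full length.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SHA256_LEN 32
/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode hex pairs until the first non-hex character; returns bytes written. */
static size_t hex_decode(const char *s, unsigned char *out, size_t cap) {
    size_t n = 0;
    for (; n < cap && hexval((unsigned char)s[0]) >= 0 && hexval((unsigned char)s[1]) >= 0; s += 2)
        out[n++] = (unsigned char)(hexval((unsigned char)s[0]) << 4 | hexval((unsigned char)s[1]));
    return n;
}

/* advance=0 models the flaw described above: spaces are skipped, but decoding
 * still starts at the unadvanced pointer. advance=1 is the corrected parse. */
static size_t parse_sum(const char *field, int advance, unsigned char *out) {
    const char *p = field;
    while (isspace((unsigned char)*p))
        p++;
    return hex_decode(advance ? p : field, out, SHA256_LEN);
}

/* Assumed lenient policy (hypothetical): an empty checksum means "nothing to verify". */
static int accept_lenient(const unsigned char *want, size_t len, const unsigned char *got) {
    return len == 0 || (len == SHA256_LEN && memcmp(want, got, SHA256_LEN) == 0);
}

/* Fail closed: only a full-length digest that matches is accepted. */
static int accept_strict(const unsigned char *want, size_t len, const unsigned char *got) {
    return len == SHA256_LEN && memcmp(want, got, SHA256_LEN) == 0;
}

/* Constructed sample field with one leading space (not a real package digest). */
static const char SAMPLE_FIELD[] = " 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f";

int main(void) {
    unsigned char want[SHA256_LEN] = {0}, got[SHA256_LEN] = {0xff}; /* got: constructed digest of an altered file */
    size_t bad = parse_sum(SAMPLE_FIELD, 0, want), good = parse_sum(SAMPLE_FIELD, 1, want);
    printf("flawed parse: %zu bytes, lenient accepts altered file: %d\n", bad, accept_lenient(want, bad, got));
    printf("fixed parse:  %zu bytes, strict accepts altered file:  %d\n", good, accept_strict(want, good, got));
    return 0;
}
```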

Because the opkg package manager runs as root, an attacker conducting a MITM attack can change the contents of an ipk package that is downloaded from the repository when the user runs the "opkg install" command, and can arrange for their code to be executed with root privileges by adding their own handler scripts to the package, which are called during installation. To exploit the vulnerability, the attacker must also spoof the package index (for example, from downloads.openwrt.org). The size of the modified package must match the original size recorded in the index.

The new versions also eliminate another vulnerability, in the libubox library, which could lead to a buffer overflow when processing specially crafted binary or JSON data in the blobmsg_format_json function.

source: linux.org.ru
