Kev saib xyuas kev tso tawm ntawm OpenSSL cryptographic tsev qiv ntawv 1.1.1k muaj, uas kho ob qhov tsis zoo uas tau muab rau qib siab:
- CVE-2021-3450 - Nws muaj peev xwm hla dhau qhov kev lees paub ntawm daim ntawv pov thawj txoj cai lij choj thaum lub X509_V_FLAG_X509_STRICT chij tau qhib, uas yog neeg xiam oob khab los ntawm lub neej ntawd thiab siv los ntxiv xyuas qhov muaj cov ntawv pov thawj hauv cov saw hlau. Qhov teeb meem tau qhia nyob rau hauv OpenSSL 1.1.1h qhov kev siv ntawm ib daim tshev tshiab uas txwv tsis pub siv daim ntawv pov thawj hauv cov saw uas qhia meej txog qhov tsis muaj qhov nkhaus elliptic.
Vim yog qhov yuam kev hauv cov cai, daim tshev tshiab overrode qhov tshwm sim ntawm qhov kev kuaj xyuas yav dhau los rau qhov tseeb ntawm daim ntawv pov thawj txoj cai lij choj. Raws li qhov tshwm sim, cov ntawv pov thawj uas tau lees paub los ntawm daim ntawv pov thawj tus kheej kos npe, uas tsis txuas los ntawm cov saw ntawm kev ntseeg siab rau cov ntawv pov thawj, tau raug saib xyuas raws li kev ntseeg siab. Qhov teeb meem tsis tshwm sim yog tias "lub hom phiaj" parameter tau teeb tsa, uas tau teeb tsa los ntawm lub neej ntawd hauv cov neeg siv khoom thiab cov ntaub ntawv pov thawj server cov txheej txheem hauv libssl (siv rau TLS).
- CVE-2021-3449 - Nws tuaj yeem ua rau TLS server poob ntawm tus neeg siv khoom xa cov lus tshwj xeeb ClientHello. Qhov teeb meem muaj feem xyuam rau NULL pointer dereference nyob rau hauv qhov kev siv ntawm kos npe_algorithms extension. Qhov teeb meem tsuas yog tshwm sim ntawm cov servers uas txhawb nqa TLSv1.2 thiab pab txhawb kev sib txuas lus rov qab (ua haujlwm los ntawm lub neej ntawd).
Tau qhov twg los: opennet.ru