Vulnerability in Mailman allows the mailing list administrator password to be determined

A corrective release of the GNU Mailman 2.1.35 mailing list management system, which is used to organize communication between developers in many open source projects, has been published. The update addresses two vulnerabilities: the first (CVE-2021-42096) allows any user subscribed to a mailing list to determine the administrator password for that mailing list. The second (CVE-2021-42097) makes it possible to carry out a CSRF attack against another user of the mailing list in order to take over their account. The attack can only be carried out by a member subscribed to the mailing list. The issue does not affect Mailman 3.

The cause of both problems is that the csrf_token value used to protect the options page against CSRF attacks is always the same as the administrator token, and is not generated separately for the user of the current session. When the csrf_token is generated, information about the hash of the administrator password is used, which makes it easier to determine the password by brute force. Since a csrf_token created for one user is also valid for another user, an attacker can create a page which, when opened by another user, causes commands to be executed in the Mailman interface on behalf of that user, giving the attacker control of their account.
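To illustrate the two design mistakes described above, the following added example (constructed for this article, not Mailman's own code) contrasts a weak token derivation modeled on the flaw, which keys the token on the administrator password hash and ignores the session user, with a hardened per-user token keyed on a random per-list secret. The list name, user names and secret are constructed values.

```python
import hmac
import hashlib
import secrets

# Constructed illustration of the flaw: the token is derived from the admin
# password hash and is not bound to the session user. Not Mailman's code.
def weak_csrf_token(list_name: str, admin_password_hash: str, user: str = "") -> str:
    # Flaw 1: the only secret material is the admin password hash, so a token
    # leaks data that can be tested offline against password guesses.
    # Flaw 2: `user` is ignored, so one member's token is valid for every member.
    return hashlib.sha1(f"{list_name}:{admin_password_hash}".encode()).hexdigest()


# Hardened variant: a random per-list secret unrelated to any password, keyed
# into an HMAC over the list name, the user identity and an issue timestamp.
def hardened_csrf_token(list_secret: bytes, list_name: str, user: str, issued_at: int) -> str:
    msg = f"{list_name}\x00{user}\x00{issued_at}".encode()
    mac = hmac.new(list_secret, msg, hashlib.sha256).hexdigest()
    return f"{issued_at}:{mac}"


def verify_hardened_token(list_secret: bytes, list_name: str, user: str,
                          token: str, now: int, max_age: int = 3600) -> bool:
    # Reject malformed tokens, expired tokens and tokens issued "in the future".
    try:
        issued_str, _mac = token.split(":", 1)
        issued_at = int(issued_str)
    except ValueError:
        return False
    if issued_at > now or now - issued_at > max_age:
        return False
    expected = hardened_csrf_token(list_secret, list_name, user, issued_at)
    # Constant-time comparison so the check does not leak the MAC byte by byte.
    return hmac.compare_digest(expected, token)


if __name__ == "__main__":
    # Constructed per-list secret; in a real deployment it is generated once,
    # stored with the list configuration and never derived from a password.
    secret = secrets.token_bytes(32)
    t_alice = hardened_csrf_token(secret, "devlist", "alice", 1_700_000_000)
    print("alice's token accepted for alice:",
          verify_hardened_token(secret, "devlist", "alice", t_alice, 1_700_000_010))
    print("alice's token accepted for bob:  ",
          verify_hardened_token(secret, "devlist", "bob", t_alice, 1_700_000_010))
```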

Source: opennet.ru
