Vulnerabilities in systemd, Flatpak, Samba, FreeRDP, ClamAV, Node.js

A vulnerability (CVE-2021-3997) has been identified in the systemd-tmpfiles utility that allows uncontrolled recursion. The issue can be used to cause a denial of service during system boot by creating a large number of nested subdirectories in the /tmp directory. The fix is currently available as a patch. Package updates that address the issue have been released for Ubuntu and SUSE, but are not yet available for Debian, RHEL and Fedora (the fixes are being tested).

When thousands of nested subdirectories are created, running "systemd-tmpfiles --remove" crashes because of stack exhaustion. Normally the systemd-tmpfiles utility performs the removal and creation of directories in a single invocation ("systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev"), with removal carried out first and creation afterwards, i.e. a crash at the removal stage means that the critical files described in /usr/lib/tmpfiles.d/*.conf are never created.
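An added illustration (example code written for this digest, not systemd's own) of why the removal step is a stack-exhaustion problem and how an iterative design avoids it: both functions below delete a directory tree with fd-relative calls, but the recursive one spends one stack frame and one open descriptor per nesting level, while the iterative one keeps an explicit list of names and a single open descriptor, re-opening the parent through `..` whenever a directory is empty. It assumes a constructed chain 1500 directories deep and uses CPython's default recursion limit of 1000 as a stand-in for the C stack limit; the removal logic handles general trees (files and subdirectories), not only the chain it is run on.

```python
import os, stat, tempfile
DIR_FLAGS = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW  # O_NOFOLLOW: never open through a planted symlink

def rm_rf_recursive(fd: int) -> None:  # naive design: one stack frame and one open fd per nesting level
    for name in os.listdir(fd):
        if stat.S_ISDIR(os.stat(name, dir_fd=fd, follow_symlinks=False).st_mode):
            child = os.open(name, DIR_FLAGS, dir_fd=fd)
            try:
                rm_rf_recursive(child)  # depth N needs N frames: RecursionError on a deep chain
            finally:
                os.close(child)
            os.rmdir(name, dir_fd=fd)
        else:
            os.unlink(name, dir_fd=fd)

def rm_rf_iterative(root: str) -> int:  # stack-safe: a list of names and a single open fd, whatever the depth
    fd, names, removed = os.open(root, DIR_FLAGS), [], 0
    while True:
        for name in os.listdir(fd):
            if stat.S_ISDIR(os.stat(name, dir_fd=fd, follow_symlinks=False).st_mode):
                fd, old = os.open(name, DIR_FLAGS, dir_fd=fd), fd  # descend, dropping the parent fd
                os.close(old)
                names.append(name)
                break
            os.unlink(name, dir_fd=fd)
            removed += 1
        else:  # directory is empty: re-open the parent through ".." and rmdir this one from there
            if not names:
                os.close(fd)
                return removed
            fd, old = os.open("..", DIR_FLAGS, dir_fd=fd), fd
            os.close(old)
            os.rmdir(names.pop(), dir_fd=fd)
            removed += 1

def run_demo(depth: int = 1500) -> tuple:  # returns (recursive_completed, entries_removed_iteratively)
    with tempfile.TemporaryDirectory() as tmp:
        fd = os.open(tmp, DIR_FLAGS)
        for _ in range(depth):  # constructed input: tmp/d/d/d/... built fd-relative, so PATH_MAX is never hit
            os.mkdir("d", 0o700, dir_fd=fd)
            fd, old = os.open("d", DIR_FLAGS, dir_fd=fd), fd
            os.close(old)
        os.close(fd)
        fd, recursive_ok = os.open(tmp, DIR_FLAGS), True
        try:
            rm_rf_recursive(fd)
        except RecursionError:  # 1500 > CPython's default limit of 1000: the analogue of the C stack running out
            recursive_ok = False
        os.close(fd)
        return recursive_ok, rm_rf_iterative(tmp)
```

With the default depth the recursive pass fails and leaves the tree intact, after which the iterative pass removes all 1500 directories; at a shallow depth the recursive pass succeeds and the iterative pass finds nothing left to remove.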

A particularly dangerous situation on Ubuntu 21.04 is also mentioned: since the crashed systemd-tmpfiles does not create the /run/lock/subsys directory, and the /run/lock directory is writable by all users, an attacker can create a /run/lock/subsys directory under their own identity and, by creating symbolic links that collide with the lock files of system services, arrange for system files to be overwritten.

In addition, new releases of the Flatpak, Samba, FreeRDP, ClamAV and Node.js projects can be noted, in which vulnerabilities are fixed:

  • The corrective releases 1.10.6 and 1.12.3 of the Flatpak package build toolkit fix two vulnerabilities: the first (CVE-2021-43860) allows, when a package is installed from an untrusted repository, hiding the display of certain elevated permissions during installation by manipulating the package metadata. The second vulnerability (no CVE assigned) allows the "flatpak-builder --mirror-screenshots-url" command to create directories in the file system outside the build directory while a package is being assembled.
  • The Samba 4.13.16 update eliminates a vulnerability (CVE-2021-43566) that allows a client to manipulate symbolic links on an SMB1 or NFS share in order to create a directory on the server outside the exported FS area (the problem is caused by a race condition and is difficult to exploit in practice, but theoretically possible). Versions prior to 4.13.16 are affected.

    A report has also been published on another, similar vulnerability (CVE-2021-20316), which allows an authenticated client to read or modify the metadata of a file or directory in the server's FS area outside the exported share by manipulating symbolic links. The issue was fixed in release 4.15.0, but it also affects earlier branches. However, fixes for the old branches will not be published, because the old Samba VFS architecture does not allow the problem to be fixed, as metadata operations are bound to file paths (in Samba 4.15 the VFS layer was redesigned). What makes the problem less dangerous is that it is quite difficult to exploit, and the user's permissions must already allow reading or writing the target file or directory.

  • The release of FreeRDP 2.5, a project offering a free implementation of the Remote Desktop Protocol (RDP), fixes three security issues (CVE identifiers have not been assigned) that could lead to a buffer overflow when an incorrect locale is used, when specially crafted registry settings are processed, and when an incorrectly formatted add-in name is specified. Changes in the new version include support for the OpenSSL 3.0 library, implementation of the TcpConnectTimeout setting, improved compatibility with LibreSSL, and a fix for clipboard problems in Wayland environments.
  • New releases of the free antivirus package ClamAV, 0.103.5 and 0.104.2, eliminate vulnerability CVE-2022-20698, which is caused by an incorrect pointer read and allows a remote crash to be triggered if the package is built with the libjson-c library and the CL_SCAN_GENERAL_COLLECT_METADATA option is enabled in the settings (clamscan --gen-json).
  • The Node.js platform updates 16.13.2, 14.18.3, 17.3.1 and 12.22.9 fix four vulnerabilities: a bypass of certificate verification when validating network connections, caused by incorrect conversion of SAN (Subject Alternative Names) to string form (CVE-2021-44532); incorrect handling of the enumeration of multiple values in the subject and issuer fields, which could be used to bypass verification of those fields in certificates (CVE-2021-44533); a bypass of restrictions related to the URI SAN type in certificates (CVE-2021-44531); and insufficient validation in the console.table() function, which could be used to assign empty strings to numeric keys (CVE-2022-21824).

Source: opennet.ru
