OpenSSL 1.1.1l update fixes two vulnerabilities

A corrective release of the OpenSSL cryptographic library, 1.1.1l, is available and eliminates two vulnerabilities:

  • CVE-2021-3711 is a buffer overflow in the code implementing the SM2 cryptographic algorithm (common in China), which allows up to 62 bytes to be written beyond the buffer boundary because of an error in calculating the buffer size. An attacker can potentially achieve code execution or an application crash by passing specially crafted data to applications that use EVP_PKEY_decrypt() to decrypt SM2 data.
  • CVE-2021-3712 is a buffer overflow in the ASN.1 string processing code, which can lead to an application crash or disclosure of process memory contents (for example, to reveal keys stored in memory) if the attacker can create a string in an ASN1_STRING structure that is not terminated with a null character and have it processed by OpenSSL functions that print certificates, such as X509_aux_print(), X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp().

At the same time, new versions of the LibreSSL library, 3.3.4 and 3.2.6, were released; they do not mention vulnerabilities, but judging by the list of changes, the CVE-2021-3712 vulnerability has been fixed.
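The CVE-2021-3712 item above comes down to treating length-delimited bytes as a C string. The following is an added example, not OpenSSL code and not part of the original article: it shows the defensive pattern of rendering such a value strictly by its stored length. The names lp_string, lp_render and sample_mem are hypothetical; with a real ASN1_STRING the length and bytes come from ASN1_STRING_length() and ASN1_STRING_get0_data().

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a length-delimited ASN.1 string: the value is
 * data[0..length-1], and nothing guarantees a trailing NUL byte. */
struct lp_string {
    size_t length;
    const unsigned char *data;
};

/* Render s into out (capacity outcap), NUL-terminating the result.
 * Reads exactly s->length bytes, never searches for a terminator, and
 * escapes non-printable bytes (embedded NULs included) as \xNN.
 * Returns the number of characters written, or -1 on bad input or if
 * out is too small. */
static int lp_render(const struct lp_string *s, char *out, size_t outcap)
{
    size_t i, used = 0;

    if (s == NULL || s->data == NULL || out == NULL || outcap == 0)
        return -1;
    for (i = 0; i < s->length; i++) {
        unsigned char c = s->data[i];
        int printable = (c >= 0x20 && c < 0x7f && c != '\\');
        size_t need = printable ? 1 : 4;

        if (used + need >= outcap) {      /* keep room for the final NUL */
            out[0] = '\0';
            return -1;
        }
        if (printable)
            out[used++] = (char)c;
        else
            used += (size_t)snprintf(out + used, outcap - used,
                                     "\\x%02x", (unsigned)c);
    }
    out[used] = '\0';
    return (int)used;
}

/* Constructed sample: a 9-byte value with no terminator of its own, followed
 * in the same buffer by bytes standing in for unrelated secret data. */
static const unsigned char sample_mem[] = "a@b.examp" "PRIVATEKEY";

int main(void)
{
    struct lp_string email = { 9, sample_mem };
    char buf[64];

    if (lp_render(&email, buf, sizeof buf) >= 0)
        printf("%s\n", buf);   /* printf("%s", email.data) would read on into the adjacent bytes */
    return 0;
}
```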

Source: opennet.ru