OpenSSL 3.0.1 update fixes a vulnerability

Corrective releases of the OpenSSL cryptographic library, 3.0.1 and 1.1.1m, are available. Version 3.0.1 fixes a vulnerability (CVE-2021-4044), and about a dozen bugs have been fixed across the two releases.

The vulnerability is in the SSL/TLS client implementation and stems from the libssl library mishandling negative error codes returned by the X509_verify_cert() function, which is called to verify the certificate presented to the client by the server. Negative codes are returned when internal errors occur, for example when memory for a buffer cannot be allocated. When such an error is returned, subsequent calls to I/O functions such as SSL_connect() and SSL_do_handshake() fail and report the SSL_ERROR_WANT_RETRY_VERIFY error code, which should only ever be returned if the application has previously called SSL_CTX_set_cert_verify_callback().

Since most applications do not call SSL_CTX_set_cert_verify_callback(), an unexpected SSL_ERROR_WANT_RETRY_VERIFY error can be misinterpreted and lead to a crash, an infinite loop, or some other incorrect reaction. The problem is most dangerous in combination with another bug in OpenSSL 3.0, which causes an internal error when X509_verify_cert() processes a certificate that has no "Subject Alternative Name" extension but does carry name bindings in its usage restrictions. In that case an attack can lead to application-specific anomalies in certificate handling and in the establishment of the TLS session.
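As an added example (not from the OpenSSL project or the article), a client-side handshake retry loop in C that shows how the misreaction described above arises and how to guard against it: the naive classifier treats every code short of a hard error as retryable and spins on the spurious SSL_ERROR_WANT_RETRY_VERIFY, while the strict one accepts that code only when the application actually installed a verify callback, and the driver bounds the number of retries. The stuck_verify_step() stand-in, the retry budget and the fallback SSL_ERROR_* macro values are constructed assumptions.

```c
#include <stdbool.h>
/* SSL_ERROR_* values as in OpenSSL 3.0's <openssl/ssl.h> (assumed here so the
 * example builds stand-alone; include the real header first when using libssl). */
#ifndef SSL_ERROR_NONE
#  define SSL_ERROR_NONE 0
#  define SSL_ERROR_SSL 1
#  define SSL_ERROR_WANT_READ 2
#  define SSL_ERROR_WANT_WRITE 3
#endif
#ifndef SSL_ERROR_WANT_RETRY_VERIFY
#  define SSL_ERROR_WANT_RETRY_VERIFY 12  /* new in OpenSSL 3.0 */
#endif
typedef enum { HS_DONE, HS_RETRY, HS_FATAL } hs_verdict;
typedef hs_verdict (*classifier_fn)(int ssl_err, bool cb_installed);

/* Pattern seen in many clients: anything short of a hard error is retried. */
hs_verdict naive_classify(int ssl_err, bool cb_installed) {
    (void)cb_installed;
    if (ssl_err == SSL_ERROR_NONE) return HS_DONE;
    return ssl_err == SSL_ERROR_SSL ? HS_FATAL : HS_RETRY;  /* swallows WANT_RETRY_VERIFY */
}

/* Hardened: retry only the codes this client can actually act on. */
hs_verdict strict_classify(int ssl_err, bool cb_installed) {
    switch (ssl_err) {
    case SSL_ERROR_NONE:       return HS_DONE;
    case SSL_ERROR_WANT_READ:
    case SSL_ERROR_WANT_WRITE: return HS_RETRY;  /* socket not ready yet */
    case SSL_ERROR_WANT_RETRY_VERIFY:
        /* Legitimate only if we installed a verify callback that asked to be
         * re-run; otherwise it reflects an internal X509_verify_cert() failure. */
        return cb_installed ? HS_RETRY : HS_FATAL;
    default:                   return HS_FATAL;
    }
}

/* Drives step() (stand-in for SSL_do_handshake() + SSL_get_error()) under a retry budget; *steps counts calls. */
hs_verdict drive_handshake(classifier_fn classify, int (*step)(void),
                           bool cb_installed, int max_retries, int *steps) {
    for (*steps = 0; *steps <= max_retries; ) {
        (*steps)++;
        hs_verdict v = classify(step(), cb_installed);
        if (v != HS_RETRY) return v;
    }
    return HS_FATAL;  /* budget exhausted: fail instead of spinning forever */
}

/* Constructed stand-in for the affected libssl: always reports WANT_RETRY_VERIFY with no callback installed. */
int stuck_verify_step(void) { return SSL_ERROR_WANT_RETRY_VERIFY; }
```

With the naive classifier the loop only stops because of the budget; without one it would never return.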

Source: opennet.ru
