Vulnerabilities in QEMU, Node.js, Grafana and Android

Several recently identified vulnerabilities:

  • A vulnerability (CVE-2020-13765) in QEMU that could lead to code execution with the privileges of the QEMU process on the host side when a kernel image is loaded in the guest. The problem is caused by a buffer overflow in the ROM code during system boot and occurs when the contents of a 32-bit kernel image are loaded into memory. The fix is currently available only as a patch.
  • Four vulnerabilities in Node.js. The vulnerabilities are fixed in releases 14.4.0, 10.21.0 and 12.18.0.
    • CVE-2020-8172 - allows host certificate verification to be bypassed when a TLS session is reused.
    • CVE-2020-8174 - may allow code execution on the system due to a buffer overflow in the napi_get_value_string_*() functions, which occurs on certain N-API calls (N-API is the C API for writing native add-ons).
    • CVE-2020-10531 - an overflow in ICU (International Components for Unicode) for C/C++ that can lead to a buffer overflow when the UnicodeString::doAppend() function is used.
    • CVE-2020-11080 - allows a denial of service (100% CPU load) by sending large "SETTINGS" frames when connecting over HTTP/2.
  • A vulnerability in Grafana, the interactive metrics visualization platform used to build monitoring graphs from various data sources. A bug in the avatar-handling code allows an HTTP request to be initiated from Grafana to any URL without authentication, and the result of that request to be viewed. This can be used, for example, to study the internal network of companies that use Grafana. The problem is fixed in releases Grafana 6.7.4 and 7.0.2. As a security workaround, it is recommended to restrict access to the URL "/avatar/*" on the server running Grafana.

  • The June set of security fixes for Android has been published, fixing 34 vulnerabilities. Four issues are assigned a critical severity level: two vulnerabilities (CVE-2019-14073, CVE-2019-14080) in Qualcomm components and two system vulnerabilities that allow code execution when processing specially crafted data (CVE-2020-0117 - an integer overflow in the Bluetooth stack, CVE-2020-8597 - an EAP overflow in pppd).
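
Added example (not part of the original article): a Python triage helper that checks installed versions against the fixed releases listed above, comparing within each release line so that, for instance, Node.js 12.17.0 is not treated as fixed merely because it is newer than 10.21.0. The inventory, the function names and the rule that release lines newer than every listed one already contain the fix are assumptions.

```python
# Added example: triage inventory versions against the fixed releases named above.
# Fixed releases come from the article; the inventory below is constructed.
import re

# Fixed release per release line (key = leading version components of the line).
FIXED = {
    "nodejs": {(10,): (10, 21, 0), (12,): (12, 18, 0), (14,): (14, 4, 0)},
    "grafana": {(6,): (6, 7, 4), (7, 0): (7, 0, 2)},
}

def parse(version):
    """'v12.17.0' -> (12, 17, 0); any suffix after the patch number is ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(x) for x in m.groups())

def triage(product, version):
    """Return 'fixed', 'update to X.Y.Z' or 'no fixed release listed'."""
    v = parse(version)
    lines = FIXED[product]
    # Match the most specific release line first, e.g. (7, 0) before (6,).
    for line in sorted(lines, key=len, reverse=True):
        if v[:len(line)] == line:
            fix = lines[line]
            if v >= fix:
                return "fixed"
            return "update to " + ".".join(map(str, fix))
    # Assumption: a line newer than every listed fix already contains it.
    if v > max(lines.values()):
        return "fixed"
    # Older or skipped lines (e.g. Node.js 13.x): the article names no fix.
    return "no fixed release listed"

# Constructed inventory (hostnames and versions are made up for illustration).
INVENTORY = [
    ("build-01", "nodejs", "v12.17.0"),
    ("api-02", "nodejs", "14.4.0"),
    ("legacy-03", "nodejs", "13.14.0"),
    ("mon-01", "grafana", "7.0.1"),
    ("mon-02", "grafana", "6.7.4"),
]

def report(inventory=INVENTORY):
    return [(h, p, v, triage(p, v)) for h, p, v in inventory]

if __name__ == "__main__":
    for row in report():
        print("{:10} {:8} {:10} {}".format(*row))
```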

Source: opennet.ru
