Pulogalamu ya ProHoster > Blog > nkhani zapaintaneti > Zowopsa mu Linux kernel, Glibc, GStreamer, Ghostscript, BIND ndi CUPS

Zowopsa mu Linux kernel, Glibc, GStreamer, Ghostscript, BIND ndi CUPS

Zowopsa zingapo zomwe zadziwika posachedwa:

  • CVE-2023-39191 ndi pachiwopsezo mu eBPF subsystem yomwe imalola wogwiritsa ntchito wakomweko kuti achulukitse mwayi wawo ndikuchita ma code pa Linux kernel level. Chiwopsezocho chimadza chifukwa cha kutsimikizira kolakwika kwa mapulogalamu a eBPF operekedwa ndi wogwiritsa ntchito kuti aphedwe. Kuti achite chiwembu, wogwiritsa ntchitoyo ayenera kutsegula pulogalamu yake ya BPF (ngati kernel.unprivileged_bpf_disabled parameter yakhazikitsidwa ku 0, mwachitsanzo, monga Ubuntu 20.04). Zambiri zokhudzana ndi chiwopsezochi zidaperekedwa kwa opanga kernel mu Disembala chaka chatha, ndipo kukonzako kudayambitsidwa mwakachetechete mu Januware.
  • CVE-2023-42753 Nkhani yokhala ndi ma index ambiri pakukhazikitsa ipset mu netfilter kernel subsystem, yomwe ingagwiritsidwe ntchito kukulitsa / kuchepetsa zolozera ndikupanga mikhalidwe yolembera kapena kuwerengera kumalo okumbukira kunja kwa buffer yomwe yaperekedwa. Kuti muwone ngati pali chiwopsezo, fanizo lachiwembu lakonzedwa lomwe limayambitsa kuthetsedwa kwachilendo (zochitika zowopsa kwambiri sizingasinthidwe). Kukonzekera kumaphatikizidwa ndi kutulutsidwa kwa kernel 5.4.257, 6.5.3, 6.4.16, 6.1.53, 5.10.195, 5.15.132.
  • CVE-2023-39192, CVE-2023-39193, CVE-2023-39193 - zofooka zingapo mu Linux kernel zomwe zimadzetsa kutayikira kwa kernel memory zomwe zili mkati chifukwa chotha kuwerenga kuchokera kumadera omwe ali kunja kwa buffer yomwe idaperekedwa mu match_flags ndi u32_match_it ya Netfilter subsystem, komanso mu code yosinthira mafayilo. Zofookazo zidakonzedwa mu Ogasiti (1, 2) ndi Juni.
  • CVE-2023-42755 ndi pachiwopsezo chomwe chimalola wogwiritsa ntchito wamba wopanda mwayi kuti apangitse kuwonongeka kwa kernel chifukwa cholakwitsa pogwira ntchito ndi zolozera mu gulu la rsvp traffic. Vutoli limapezeka mu LTS kernels 6.1, 5.15, 5.10, 5.4, 4.19 ndi 4.14. An exploit prototype yakonzedwa. Kukonzekera sikunavomerezedwebe mu kernel ndipo kumapezeka ngati chigamba.
  • CVE-2023-42756 ndi mtundu wamtundu mu NetFilter kernel subsystem yomwe ingagwiritsidwe ntchito kuti ipangitse wogwiritsa ntchito wakomweko kuyambitsa Mantha. Exploit prototype ilipo yomwe imagwira ntchito osachepera 6.5.rc7, 6.1 ndi 5.10. Kukonzekera sikunavomerezedwebe mu kernel ndipo kumapezeka ngati chigamba.
  • CVE-2023-4527 Kusefukira mu laibulale ya Glibc kumachitika mu getaddrininfo ntchito pokonza yankho la DNS lalikulu kuposa ma 2048 byte. Kusatetezeka kungayambitse kutayikira kwa data kapena kuwonongeka. Kusatetezeka kumangowoneka mumitundu ya Glibc yatsopano kuposa 2.36 mukamagwiritsa ntchito njira ya "no-aaaa" mu /etc/resolv.conf.
  • CVE-2023-40474, CVE-2023-40475 ndizosatetezeka mu GStreamer multimedia chimango choyambitsidwa ndi kusefukira kwa ma fayilo a MXF. Zowopsazi zitha kupangitsa kuti owukira awonongedwe akamakonza mafayilo opangidwa mwapadera a MXF mu pulogalamu yomwe imagwiritsa ntchito GStreamer. Vuto limakhazikika mu phukusi la gst-plugins-bad 1.22.6.
  • CVE-2023-40476 - Chosungira chikusefukira mu pulosesa ya kanema ya H.265 yoperekedwa ku GStreamer, yomwe imalola kupha ma code pokonza kanema wopangidwa mwapadera. Chiwopsezo chakhazikika mu phukusi la gst-plugins-bad 1.22.6.
  • Kuwunika - kusanthula zachinyengo chomwe chimagwiritsa ntchito kusatetezeka kwa CVE-2023-36664 mu phukusi la Ghostscript kuti lipereke nambala yake mukatsegula zikalata zopangidwa mwapadera za PostScript. Vutoli limadza chifukwa chakusintha kolakwika kwa mayina a mafayilo kuyambira ndi "|". kapena mawu oyamba %pipe%. Chiwopsezocho chidakhazikika pakutulutsidwa kwa Ghostscript 10.01.2.
  • CVE-2023-3341, CVE-2023-4236 - Zofooka mu seva ya BIND 9 DNS zomwe zimatsogolera ku kuwonongeka kwa njira yomwe yatchulidwa mukamakonza mauthenga owongolera opangidwa mwapadera (kufikira padoko la TCP lomwe limayendetsedwa ndikwanira (lotseguka kokha mwachisawawa). pa mawonekedwe a loopback), kudziwa kiyi ya RNDC sikufunika) kapena kupanga katundu wina wapamwamba mu mawonekedwe a DNS-over-TLS. Zowopsazo zidathetsedwa mu zotulutsa za BIND 9.16.44, 9.18.19, ndi 9.19.17.
  • CVE-2023-4504 ndi chiwopsezo mu seva yosindikizira ya CUPS ndi laibulale ya libppd yomwe imatsogolera ku kusefukira kwa buffer mukasanthula zolemba za Postscript. N'zotheka kuti chiwopsezocho chingagwiritsidwe ntchito pokonzekera kuchitidwa kwa code ya munthu mu dongosolo. Nkhaniyi yathetsedwa pakutulutsidwa kwa CUPS 2.4.7 (chigamba) ndi libppd 2.0.0 (chigamba).

Source: opennet.ru

Kuwonjezera ndemanga