The results of an independent security audit of the Squid proxy server, conducted in 2021, have been published. The review of the project's codebase identified 55 vulnerabilities, 35 of which have not yet been addressed by the developers (zero-day issues). The Squid developers were notified of the problems two and a half years ago, but they have not finished fixing them. In the end, the author of the audit decided to disclose all the information before the fixes were complete, and notified the Squid developers in advance.
Some of the issues identified:
- A stack overflow in the Digest Authentication implementation, triggered when processing a Proxy-Authorization HTTP header with a very large "Digest nc" field.
- A use-after-free memory access in requests that use the TRACE method.
- A use-after-free vulnerability in HTTP requests with the Range header (CVE-2021-31807).
- A stack overflow when processing the X-Forwarded-For HTTP header.
- An overflow when processing chunked requests.
- A use-after-free memory access in the CacheManager web interface.
- An integer overflow in the HTTP Range header handler (CVE-2021-31808).
- A use-after-free and a buffer overflow in the ESI (Edge Side Includes) expression processor.
- Multiple memory leaks, buffer over-reads, and bugs that lead to crashes.
Source: opennet.ru
