ProHoster > Blog > nkhani zapaintaneti > OpenSSL 3.6.0 Yotulutsidwa ndi EVP_SKEY Support ndi Buffer Overflow Fix

OpenSSL 3.6.0 Yotulutsidwa ndi EVP_SKEY Support ndi Buffer Overflow Fix

OpenSSL 3.6.0, kukhazikitsidwa kwa ma protocol a SSL/TLS ndi ma algorithms osiyanasiyana obisala, yatulutsidwa. OpenSSL 3.6 ndikutulutsa kothandizira pafupipafupi, zosintha zomwe zimapezeka kwa miyezi 13. Thandizo pazotulutsa zakale za OpenSSL-3.5 LTS, 3.4, 3.3, 3.2, ndi 3.0 LTS-zipitilira mpaka Epulo 2030, Okutobala 2026, Epulo 2026, Novembara 2025, ndi Seputembara 2026, motsatana. Khodi ya polojekitiyi ili ndi chilolezo pansi pa Apache 2.0 License.

Zatsopano zazikulu:

  • Thandizo lowonjezera la EVP_SKEY (Symmetric KEY) loyimira makiyi ofananira ngati zinthu zosawoneka bwino. Mosiyana ndi makiyi aiwisi, omwe amaimiridwa ngati gulu la byte, EVP_SKEY imachotsa makiyiwo ndipo imakhala ndi metadata yowonjezera. EVP_SKEY itha kugwiritsidwa ntchito pobisa, kusinthana makiyi, ndi ma key derivation (KDF). Ntchito za EVP_KDF_CTX_set_SKEY(), EVP_KDF_derive_SKEY(), ndi EVP_PKEY_derive_SKEY() zawonjezedwa pogwira ntchito ndi makiyi a EVP_SKEY.
  • Thandizo lawonjezeredwa kutsimikizira siginecha ya digito potengera dongosolo la Leighton-Micali Signatures (LMS), lomwe limagwiritsa ntchito ntchito za hashi ndi mitengo yamtengo wapatali monga Mtengo wa Merkle (nthambi iliyonse imatsimikizira nthambi zonse zapansi ndi mfundo). Masiginecha a digito a LMS amalimbana ndi kuyezetsa mwamphamvu pakompyuta ndipo amapangidwa kuti atsimikizire kukhulupirika kwa firmware ndi mapulogalamu.
  • Thandizo lowonjezera lamagulu achitetezo a NIST pamagawo azinthu za PKEY (makiyi agulu ndi achinsinsi). Gulu lachitetezo limayikidwa kudzera pa "security-category". EVP_PKEY_get_security_category() ntchito yawonjezedwa kuti muwone mulingo wachitetezo. Mulingo wachitetezo umawonetsa kukana kuukira kwamphamvu pamakompyuta amtundu wa quantum ndipo kumatha kutenga ziwerengero kuchokera pa 0 mpaka 5:
    • 0 - kukhazikitsa sikulimbana ndi kubera pamakompyuta a quantum;
    • 1/3/5 - kukhazikitsa sikumapatula kusaka pakompyuta ya quantum pa kiyi mu block cipher yokhala ndi kiyi ya 128/192/256-bit;
    • 2/4 - kukhazikitsa sikumapatula mwayi wofufuza kugundana mu 256/384-bit hash pakompyuta yochulukira).
  • Lamulo la "openssl configutl" lawonjezedwa pokonza mafayilo osintha. Izi zimakupatsani mwayi wopanga fayilo yophatikizidwa ndi zosintha zonse kuchokera pakusintha kwamafayilo angapo ndikuphatikiza.
  • The FIPS cryptographic provider yasinthidwa kuti ithandizire kupanga deterministic m'badwo wa siginecha za digito za ECDSA (siginecha yomweyi imapangidwa ndi zolowetsa zomwezo), molingana ndi zofunikira za mulingo wa FIPS 186-5.
  • Zofunikira zomanga chilengedwe zawonjezeka. Kumanga OpenSSL sikufunanso zida zothandizidwa ndi ANSI-C; chophatikiza chogwirizana ndi muyezo wa C-99 tsopano chikufunika.
  • Ntchito zokhudzana ndi EVP_PKEY_ASN1_METHOD zatsitsidwa.
  • Thandizo la nsanja ya VxWorks lathetsedwa.

Zowonongeka Zokhazikika:

  • CVE-2025-9230 ndi chiwopsezo mu code decryption pa password-encrypted CMS messages (PWRI). Kusatetezeka kungapangitse kuti data yakunja ilembedwe kapena kuwerengedwa, zomwe zingayambitse kuwonongeka kapena kuwonongeka kwa kukumbukira mu pulogalamu yomwe imagwiritsa ntchito OpenSSL kukonza mauthenga a CMS. Ngakhale kugwiritsa ntchito chiwopsezochi pakukhazikitsa ma code ndikotheka, kuwopsa kwa nkhaniyi kumachepetsedwa chifukwa chakuti mauthenga achinsinsi a CMS sagwiritsidwa ntchito kawirikawiri. Kuphatikiza pa OpenSSL 3.6.0, kusatetezeka kudakhazikika mu OpenSSL 3.5.4, 3.4.3, 3.3.5, 3.2.6, ndi 3.0.18. Nkhaniyi idakonzedwanso mu LibreSSL 4.0.1 ndi 4.1.1, laibulale yopangidwa ndi polojekiti ya OpenBSD.
  • CVE-2025-9231 - Kukhazikitsidwa kwa algorithm ya SM2 kumakhala pachiwopsezo chowukiridwa ndi njira. Pamakina omwe ali ndi ma 64-bit ARM CPUs, izi zimathandiza kuti makiyi achinsinsi abwezeretsedwe popenda nthawi ya kuwerengera payekha. Kuukira kungathe kuchitika patali. Chiwopsezo chakuukirachi chimachepetsedwa chifukwa OpenSSL sichigwirizana mwachindunji ndi kugwiritsa ntchito ziphaso zokhala ndi makiyi a SM2 mu TLS.
  • CVE-2025-9232 ndi chiwopsezo pakukhazikitsa kwamakasitomala a HTTP omwe amalola kuti anthu aziwerenga mopitilira malire pokonza ulalo wopangidwa mwapadera muzochita za HTTP Client. Nkhaniyi imangodziwonetsera yokha pamene kusintha kwa chilengedwe "no_proxy" kukhazikitsidwa ndipo kungayambitse kuwonongeka kwa ntchito.

Source: opennet.ru

Kuwonjezera ndemanga