Exim 4.94.2 update with fixes for 10 remotely exploitable vulnerabilities

The Exim 4.94.2 mail server release has been published with fixes for 21 vulnerabilities (CVE-2020-28007 through CVE-2020-28026, and CVE-2021-27216), identified by Qualys and presented under the codename 21Nails. 10 of the issues can be exploited remotely (including execution of code with root privileges) by manipulating SMTP commands while interacting with the server.

All versions of Exim whose history is tracked in Git, going back to 2004, are affected. Working proof-of-concept exploits have been prepared for 4 of the local vulnerabilities and 3 of the remote ones. The exploits for the local vulnerabilities (CVE-2020-28007, CVE-2020-28008, CVE-2020-28015, CVE-2020-28012) allow elevating privileges to the root user. Two remote issues (CVE-2020-28020, CVE-2020-28018) allow code execution without authentication as the Exim user (root can then be obtained by exploiting one of the local vulnerabilities).

The CVE-2020-28021 vulnerability allows immediate remote code execution with root privileges, but requires authenticated access (the user must first establish an authenticated session, after which the vulnerability can be exploited by manipulating the AUTH parameter of the MAIL FROM command). The problem stems from the fact that an attacker can inject lines into the header of a spool file, because the authenticated_sender value is written without proper escaping of special characters (for example, by sending the command "MAIL FROM:<> AUTH=Raven+0AReyes", where +0A is the xtext encoding of a newline).
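The following is an added illustration of the injection mechanism described above; it is not Exim code. It decodes the xtext-encoded AUTH= parameter (RFC 3461, where +HH is a hex-encoded byte) and then writes the result into a spool-header line the way the pre-fix behaviour is described, next to a hardened variant that refuses control characters. The "-auth_sender" line layout, the function names and the acceptance of lowercase hex digits are simplifying assumptions made here.

```python
"""Newline injection through an xtext-encoded SMTP AUTH= parameter.

Added example, not Exim's own code. The spool header layout below is a
simplified assumption; what matters is that a decoded newline, written
without escaping, turns one header line into two.
"""
import re

_XTEXT_ESCAPE = re.compile(r'[0-9A-Fa-f]{2}')  # assumption: both cases accepted


def xtext_decode(s: str) -> str:
    """Decode RFC 3461 xtext: '+HH' is a hex-encoded byte, everything else is literal."""
    out = []
    i = 0
    while i < len(s):
        if s[i] == '+':
            if i + 2 >= len(s) or not _XTEXT_ESCAPE.fullmatch(s[i + 1:i + 3]):
                raise ValueError("malformed xtext escape at offset %d" % i)
            out.append(chr(int(s[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(s[i])
            i += 1
    return ''.join(out)


def parse_mail_from(cmd: str) -> dict:
    """Extract the reverse-path and the AUTH= ESMTP parameter from a MAIL FROM command."""
    m = re.match(r'MAIL FROM:<([^>]*)>\s*(.*)$', cmd, re.IGNORECASE)
    if not m:
        raise ValueError("not a MAIL FROM command")
    params = {}
    for p in m.group(2).split():          # xtext never contains raw spaces
        key, _, value = p.partition('=')
        params[key.upper()] = value
    return {"sender": m.group(1), "auth": params.get("AUTH")}


def spool_header_vulnerable(auth_sender: str) -> str:
    """Pre-fix style: the decoded value goes straight into the header line."""
    return "-auth_sender %s\n" % auth_sender


def spool_header_hardened(auth_sender: str) -> str:
    """Fixed style: refuse any control character before it reaches the spool file."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in auth_sender):
        raise ValueError("control character in authenticated sender")
    return "-auth_sender %s\n" % auth_sender


def header_lines_written(cmd: str, writer=spool_header_vulnerable) -> list:
    """Lines that end up in the spool header for one MAIL FROM command."""
    auth = xtext_decode(parse_mail_from(cmd)["auth"])
    return writer(auth).splitlines()


if __name__ == "__main__":
    # Constructed sample: the command quoted in the text above.
    cmd = "MAIL FROM:<> AUTH=Raven+0AReyes"
    print("vulnerable:", header_lines_written(cmd))
    try:
        header_lines_written(cmd, spool_header_hardened)
    except ValueError as e:
        print("hardened rejects:", e)
```

With the vulnerable writer the single AUTH value produces two spool-header lines, "-auth_sender Raven" and "Reyes"; a second line that starts with "-" would be read back as a separate header entry chosen by the client. The hardened writer rejects the value before anything is written.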

It is also noted that another remote vulnerability, CVE-2020-28017, can be exploited to execute code with the privileges of the "exim" user without authentication, but doing so requires more than 25 GB of memory on the target. Exploits could potentially be prepared for the remaining 13 vulnerabilities as well, but no work has been done in that direction yet.

The Exim developers were notified of the problems back in October of last year and spent more than 6 months developing the fixes. All administrators are advised to update Exim on their mail servers to version 4.94.2 as soon as possible. All versions of Exim prior to 4.94.2 are declared obsolete. Publication of the new version was coordinated with distributions, which released package updates at the same time: Ubuntu, Arch Linux, FreeBSD, Debian, SUSE and Fedora. RHEL and CentOS are not affected, since Exim is not part of their standard package repositories (EPEL does not yet have an update).

Remote vulnerabilities:

  • CVE-2020-28017: Integer overflow in the receive_add_recipient() function;
  • CVE-2020-28020: Integer overflow in the receive_msg() function;
  • CVE-2020-28023: Out-of-bounds read in smtp_setup_msg();
  • CVE-2020-28021: New-line injection into the spool file header;
  • CVE-2020-28022: Out-of-bounds write and read in the extract_option() function;
  • CVE-2020-28026: Line truncation and injection in spool_read_header();
  • CVE-2020-28019: Crash when resetting a function pointer after a BDAT error;
  • CVE-2020-28024: Buffer underflow in the smtp_ungetc() function;
  • CVE-2020-28018: Use-after-free in tls-openssl.c;
  • CVE-2020-28025: Out-of-bounds read in the pdkim_finish_bodyhash() function.

Local vulnerabilities:

  • CVE-2020-28007: Symlink attack in Exim's log directory;
  • CVE-2020-28008: Spool directory attack;
  • CVE-2020-28014: Arbitrary file creation;
  • CVE-2021-27216: Arbitrary file deletion;
  • CVE-2020-28011: Heap overflow in queue_run();
  • CVE-2020-28010: Out-of-bounds write in main();
  • CVE-2020-28013: Heap overflow in the parse_fix_phrase() function;
  • CVE-2020-28016: Out-of-bounds write in parse_fix_phrase();
  • CVE-2020-28015: New-line injection into the spool file header;
  • CVE-2020-28012: Missing close-on-exec flag on a privileged pipe;
  • CVE-2020-28009: Integer overflow in the get_stdinput() function.



Source: opennet.ru
