Vulnerabilities in systemd, Flatpak, Samba, FreeRDP, Clamav, Node.js

A vulnerability (CVE-2021-3997) has been identified in the systemd-tmpfiles utility that allows uncontrolled recursion to occur. The issue can be exploited to cause a denial of service during system boot by creating a large number of subdirectories in the /tmp directory. The fix is currently available only in patch form. Package updates fixing the problem have been released for Ubuntu and SUSE, but are not yet available for Debian, RHEL and Fedora (the fixes are still being tested).

When thousands of nested subdirectories are created, the "systemd-tmpfiles --remove" operation crashes due to stack exhaustion. Normally the systemd-tmpfiles utility performs the removal and creation of directories in a single pass ("systemd-tmpfiles --create --remove --boot --exclude-prefix=/dev"), with removal done first and creation afterwards, so a crash at the removal stage means that the important files listed in /usr/lib/tmpfiles.d/*.conf are never created.
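The failure described above is the generic one of a recursive traversal keeping one stack frame per nesting level. The following Python example is added here (it is not systemd code and does not reproduce the systemd-tmpfiles fix): it builds a deliberately deep directory chain inside a private temporary directory (constructed test data), shows a naive recursive walker failing with RecursionError on it, and then removes the same tree with an iterative post-order traversal that uses an explicit stack and never follows symbolic links. Function names and the depth of 1500 are choices made for this illustration.

```python
import os
import sys
import tempfile


def build_deep_tree(root, depth):
    """Create a chain of `depth` nested single-character directories under
    `root` (constructed test data) with one regular file at the bottom.
    os.mkdir is called level by level: os.makedirs is itself recursive and
    would hit the very recursion limit this example demonstrates."""
    path = root
    for _ in range(depth):
        path = os.path.join(path, "d")
        os.mkdir(path)
    with open(os.path.join(path, "leaf.txt"), "w") as fh:
        fh.write("constructed leaf file\n")
    return path


def count_entries_recursive(directory):
    """Naive recursive walk: one interpreter frame per nesting level, so a
    sufficiently deep tree exhausts the recursion limit (the same class of
    failure as the stack exhaustion described for systemd-tmpfiles)."""
    total = 0
    with os.scandir(directory) as it:
        for entry in it:
            total += 1
            if entry.is_dir(follow_symlinks=False):
                total += count_entries_recursive(entry.path)
    return total


def remove_tree_iterative(root):
    """Remove `root` and everything below it without recursion: an explicit
    stack drives the traversal, directories are removed in reverse discovery
    order (children before parents), and symbolic links are unlinked rather
    than followed, so a link planted inside the tree cannot redirect the
    deletion elsewhere. Returns the number of entries removed."""
    stack = [root]
    directories = []
    removed = 0
    while stack:
        current = stack.pop()
        directories.append(current)
        with os.scandir(current) as it:
            for entry in it:
                if entry.is_dir(follow_symlinks=False):
                    stack.append(entry.path)
                else:
                    os.unlink(entry.path)  # regular files and symlinks alike
                    removed += 1
    for directory in reversed(directories):
        os.rmdir(directory)
        removed += 1
    return removed


def demo(depth=1500):
    """Build a deep tree in a private temporary directory, show the recursive
    walker failing on it, then clean it up with the iterative remover."""
    base = tempfile.mkdtemp(prefix="deep-tree-demo-")
    root = os.path.join(base, "tree")
    os.mkdir(root)
    build_deep_tree(root, depth)

    # Cap the limit at Python's default (1000) so the outcome does not depend
    # on an interpreter configured with a larger limit; restore it afterwards.
    old_limit = sys.getrecursionlimit()
    sys.setrecursionlimit(min(old_limit, 1000))
    try:
        count_entries_recursive(root)
        naive_error = None
    except RecursionError as exc:
        naive_error = type(exc).__name__
    finally:
        sys.setrecursionlimit(old_limit)

    removed = remove_tree_iterative(root)
    os.rmdir(base)
    return {
        "naive_error": naive_error,
        "iterative_removed": removed,  # root + 1500 directories + 1 file
        "root_exists": os.path.exists(root),
    }


if __name__ == "__main__":
    print(demo())
```

The relevant design point is that the iterative remover's memory use grows with the number of directories discovered but not with the call stack, and `follow_symlinks=False` keeps a symlink placed in a world-writable location from turning the cleanup into an operation on some other part of the filesystem.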

An even more dangerous attack scenario on Ubuntu 21.04 is also mentioned: since the crash of systemd-tmpfiles means the /run/lock/subsys file is not created, and the /run/lock directory is writable by all users, an attacker can create the /run/lock/subsys directory under their own user ID and, by creating symbolic links that coincide with the lock files of system processes, arrange for system files to be overwritten.

In addition, new releases of the Flatpak, Samba, FreeRDP, Clamav and Node.js projects have been published, in which vulnerabilities are fixed:

  • The corrective releases 1.10.6 and 1.12.3 of the toolkit for building self-contained Flatpak packages fix two vulnerabilities. The first (CVE-2021-43860) allows, when a package is downloaded from an untrusted repository, the display of certain elevated permissions to be hidden during installation through manipulation of the metadata. The second (no CVE assigned) allows the "flatpak-builder --mirror-screenshots-url" command to create directories in the filesystem outside the build directory while the package is being assembled.
  • The Samba 4.13.16 update eliminates a vulnerability (CVE-2021-43566) that allows a client to manipulate symbolic links on SMB1 or NFS shares in order to create a directory on the server outside the exported filesystem area (the problem is caused by a race condition and is difficult to exploit in practice, but theoretically possible). Versions prior to 4.13.16 are affected.

    A report was also published about another, similar vulnerability (CVE-2021-20316), which allows an authenticated client to read or change the contents of file or directory metadata in the server's filesystem outside the exported share through manipulation of symbolic links. The problem is fixed in release 4.15.0, but it also affects earlier branches. However, fixes for the older branches will not be released, since the old Samba VFS architecture does not allow the problem to be fixed because metadata operations are bound to file paths (in Samba 4.15 the VFS layer was completely redesigned). What makes the problem less dangerous is that it is quite difficult to exploit and the user's access rights must already permit reading from or writing to the target file or directory.

  • The release of FreeRDP 2.5, a free implementation of the Remote Desktop Protocol (RDP), fixes three security issues (no CVE identifiers assigned) that can lead to a buffer overflow when an incorrect locale is used, when specially crafted registry settings are processed, and when an incorrectly formatted add-in name is specified. Changes in the new version include support for the OpenSSL 3.0 library, implementation of the TcpConnectTimeout setting, improved compatibility with LibreSSL, and a solution to clipboard problems in Wayland-based environments.
  • The new releases 0.103.5 and 0.104.2 of the free antivirus package ClamAV eliminate the vulnerability CVE-2022-20698, which is caused by an invalid pointer read and allows a crash to be triggered remotely if the package is built with the libjson-c library and the CL_SCAN_GENERAL_COLLECT_METADATA option is enabled in the settings (clamscan --gen-json).
  • The Node.js platform updates 16.13.2, 14.18.3, 17.3.1 and 12.22.9 fix four vulnerabilities: a certificate verification bypass when checking a network connection, caused by incorrect conversion of SAN (Subject Alternative Names) entries to string format (CVE-2021-44532); incorrect handling of multiple values in the subject and issuer fields, which can be used to bypass checks of those fields in certificates (CVE-2021-44533); a bypass of restrictions related to the SAN URI type in certificates (CVE-2021-44531); and insufficient input validation in the console.table() function, which can be used to assign empty strings to numeric keys (CVE-2022-21824).
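Both Samba issues above (CVE-2021-43566 and CVE-2021-20316) come down to a server accepting a client-supplied path, following a symbolic link inside the share, and operating outside the exported area. The following Python example is added here as an illustration of the defensive check a file-serving component needs; it is not Samba code and does not reproduce the Samba fix. It builds a constructed export directory with one legitimate file and two symlinks that point outside the export, resolves client paths with `os.path.realpath`, and only accepts those whose real location remains under the export root. The function names are mine.

```python
import os
import shutil
import tempfile


def resolve_within_export(export_root, client_path):
    """Resolve a client-supplied relative path against the exported directory
    and return the real filesystem path only if it stays inside the export.
    Returns None when symlinks or '..' components lead outside it."""
    root = os.path.realpath(export_root)
    candidate = os.path.realpath(os.path.join(root, client_path))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def read_within_export(export_root, client_path, limit=4096):
    """Read a file only after the containment check above has passed.
    O_NOFOLLOW refuses a symlink swapped in for the final path component
    between the check and the open; intermediate components can still be
    raced, which is the race-condition class mentioned in the article and
    the reason a path-bound VFS cannot fully close this hole."""
    target = resolve_within_export(export_root, client_path)
    if target is None:
        return None
    fd = os.open(target, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        return os.read(fd, limit).decode()
    finally:
        os.close(fd)


def demo():
    """Constructed layout:
        base/secret.txt            outside the export
        base/export/docs/readme.txt inside the export
        base/export/escape  -> base/secret.txt   (symlink out of the export)
        base/export/updir   -> base              (symlink to the parent)
    Returns, per client path, whether the request was accepted."""
    base = tempfile.mkdtemp(prefix="export-demo-")
    export = os.path.join(base, "export")
    os.makedirs(os.path.join(export, "docs"))
    with open(os.path.join(export, "docs", "readme.txt"), "w") as fh:
        fh.write("inside the export\n")
    with open(os.path.join(base, "secret.txt"), "w") as fh:
        fh.write("outside the export\n")
    os.symlink(os.path.join(base, "secret.txt"), os.path.join(export, "escape"))
    os.symlink(base, os.path.join(export, "updir"))

    requests = ["docs/readme.txt", "escape", "updir/secret.txt", "../secret.txt"]
    try:
        accepted = {p: resolve_within_export(export, p) is not None for p in requests}
        accepted["readme_contents"] = read_within_export(export, "docs/readme.txt")
    finally:
        shutil.rmtree(base)
    return accepted


if __name__ == "__main__":
    for path, ok in demo().items():
        print(f"{path!r}: {ok}")
```

The check compares realpath results on both sides, so it is unaffected by the export root itself living behind a symlink (for example /tmp on systems where the temporary directory is symlinked). It is a path-based check and therefore has exactly the limitation the article attributes to the pre-4.15 Samba VFS: a link replaced after resolution but before use is not caught unless every component is opened by handle.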

Source: opennet.ru
