Exim 4.94.2 released with fixes for ten remotely exploitable vulnerabilities

The Exim 4.94.2 mail server release has been published with fixes for 21 vulnerabilities (CVE-2020-28007 through CVE-2020-28026, and CVE-2021-27216), identified by Qualys and grouped under the code name 21Nails. Ten of the issues can be exploited remotely (including code execution with root privileges) by manipulating SMTP commands while interacting with the server.

All Exim versions whose history is tracked in Git, going back to 2004, are affected by the problems. Working exploit prototypes have been prepared for 4 local vulnerabilities and 3 remote issues. The exploits for the local vulnerabilities (CVE-2020-28007, CVE-2020-28008, CVE-2020-28015, CVE-2020-28012) allow privileges to be elevated to the root user. Two remote issues (CVE-2020-28020, CVE-2020-28018) allow code to be executed without authentication as the Exim user (root access can then be obtained by exploiting one of the local vulnerabilities).

The CVE-2020-28021 vulnerability allows immediate remote code execution with root privileges, but requires authenticated access (the attacker must pass the authentication stage, after which the vulnerability can be exploited by manipulating the AUTH parameter of the MAIL FROM command). The problem is caused by the fact that an attacker can achieve line substitution in the spool file header, because the authenticated_sender value is written without properly escaping special characters (for example, by sending the command "MAIL FROM:<> AUTH=Raven+0AReyes").
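The mechanism described above, as an added illustration that is not part of the original article and not Exim's own code: the AUTH parameter is xtext-encoded (RFC 4954, "+HH" stands for byte 0xHH), so "+0A" decodes to a newline. The spool header format used here is a hypothetical, simplified one-entry-per-line store, not Exim's real spool layout; the field names and the two writers are assumptions made for the demonstration. The naive writer shows how a decoded value splits one entry across two lines, and the hardened writer shows the check that prevents it.

```python
"""Newline injection into a line-oriented header store: defect and fix.

Hypothetical simplified format (NOT Exim's real spool file): one
"-key value" entry per line.  Any value that carries a newline breaks
that invariant, which is the defect class behind CVE-2020-28021.
"""
import re
from typing import Dict, List, Optional, Tuple

# RFC 4954 xtext escape: "+" followed by two uppercase hex digits.
XTEXT_ESCAPE = re.compile(r"\+([0-9A-F]{2})")


def xtext_decode(s: str) -> str:
    """Decode xtext; "+0A" becomes a line feed, "+20" a space, and so on."""
    return XTEXT_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)


def auth_param_from_mail_from(cmd: str) -> Optional[str]:
    """Return the decoded AUTH= parameter of a MAIL FROM command, if any."""
    m = re.search(r"\bAUTH=(\S+)", cmd)
    return xtext_decode(m.group(1)) if m else None


def write_header_naive(fields: Dict[str, str]) -> str:
    """Writer that trusts its values: the defect (no escaping at all)."""
    return "".join(f"-{k} {v}\n" for k, v in fields.items())


def write_header_safe(fields: Dict[str, str]) -> str:
    """Hardened writer: refuse any value containing a control character.

    Rejecting is the conservative choice for a record that other code
    later parses line by line; an escaping scheme would also work, but
    only if the reader side decodes it consistently.
    """
    for k, v in fields.items():
        if any(ord(ch) < 0x20 or ch == "\x7f" for ch in v):
            raise ValueError(f"control character in header field {k!r}")
    return write_header_naive(fields)


def header_lines(text: str) -> List[str]:
    """Split a written header back into its lines (what a reader sees)."""
    return text.splitlines()


def demo() -> Tuple[str, int, bool]:
    """Run both writers on the command quoted in the article.

    Returns (decoded sender, line count produced by the naive writer,
    whether the hardened writer blocked the value).
    """
    cmd = "MAIL FROM:<> AUTH=Raven+0AReyes"  # command quoted in the article
    sender = auth_param_from_mail_from(cmd)
    assert sender is not None
    fields = {"auth_sender": sender, "received_protocol": "esmtpa"}  # assumed names
    naive = write_header_naive(fields)
    try:
        write_header_safe(fields)
        blocked = False
    except ValueError:
        blocked = True
    # Two fields yield three lines from the naive writer: the newline
    # inside the value has become a line of its own.
    return sender, len(header_lines(naive)), blocked


if __name__ == "__main__":
    print(demo())
```

The important property is on the writer, not the parser: any component that serialises untrusted input into a line-delimited record must either reject or encode CR and LF before writing, because the reader cannot tell an injected line from a legitimate one afterwards.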

In addition, it is noted that one more remote vulnerability, CVE-2020-28017, can be exploited to execute code with the privileges of the "exim" user without authentication, but requires more than 25 GB of memory. For the remaining 13 vulnerabilities, exploits could potentially also be prepared, but work in that direction has not yet been done.

Exim developers were notified of the problems back in October of last year and spent more than 6 months preparing fixes. All administrators are advised to urgently update Exim on their mail servers to version 4.94.2. All Exim versions prior to 4.94.2 are declared obsolete. The release of the new version was coordinated with the distributions, which published package updates at the same time: Ubuntu, Arch Linux, FreeBSD, Debian, SUSE and Fedora. RHEL and CentOS are not affected by the problem, since Exim is not included in their standard package repository (EPEL does not yet have an update).

Fixed remotely exploitable vulnerabilities:

  • CVE-2020-28017: Integer overflow in the receive_add_recipient() function;
  • CVE-2020-28020: Integer overflow in the receive_msg() function;
  • CVE-2020-28023: Out-of-bounds read in smtp_setup_msg();
  • CVE-2020-28021: Newline substitution in the spool file header;
  • CVE-2020-28022: Write and read outside the allocated buffer in the extract_option() function;
  • CVE-2020-28026: String truncation and substitution in spool_read_header();
  • CVE-2020-28019: Crash when resetting a function pointer after a BDAT error;
  • CVE-2020-28024: Buffer underflow in the smtp_ungetc() function;
  • CVE-2020-28018: Use-after-free buffer access in tls-openssl.c;
  • CVE-2020-28025: Out-of-bounds read in the pdkim_finish_bodyhash() function.

Local vulnerabilities:

  • CVE-2020-28007: Symlink attack in the Exim log directory;
  • CVE-2020-28008: Spool directory attack;
  • CVE-2020-28014: Arbitrary file creation;
  • CVE-2021-27216: Arbitrary file deletion;
  • CVE-2020-28011: Buffer overflow in queue_run();
  • CVE-2020-28010: Out-of-bounds write in main();
  • CVE-2020-28013: Buffer overflow in the parse_fix_phrase() function;
  • CVE-2020-28016: Out-of-bounds write in parse_fix_phrase();
  • CVE-2020-28015: Newline substitution in the spool file header;
  • CVE-2020-28012: Missing close-on-exec flag on a privileged unnamed pipe;
  • CVE-2020-28009: Integer overflow in the get_stdinput() function.



Source: opennet.ru
