OpenSSL 3.0.1 update fixes a vulnerability

Maintenance releases of the OpenSSL cryptographic library, 3.0.1 and 1.1.1m, are available. Version 3.0.1 fixes a vulnerability (CVE-2021-4044) that affects only the 3.0.0 release, and about a dozen bugs have been fixed across both releases.

The vulnerability lies in the SSL/TLS client implementation and stems from libssl mishandling the return value of X509_verify_cert(), the function it calls to verify the certificate chain a server presents to the client. That function returns a negative value when it fails internally, for example when memory for a buffer cannot be allocated; such a result means the chain was not verified at all, which is different from the chain being rejected. When a negative value comes back, subsequent calls to I/O functions such as SSL_connect() and SSL_do_handshake() fail, and SSL_get_error() reports SSL_ERROR_WANT_RETRY_VERIFY, a code that should only ever be returned if the application has previously registered its own verification callback with SSL_CTX_set_cert_verify_callback().

Since most applications never call SSL_CTX_set_cert_verify_callback(), an SSL_ERROR_WANT_RETRY_VERIFY result is entirely unexpected and is likely to be handled incorrectly, leading to a crash, an infinite retry loop, or some other wrong response, depending on the application. The problem is made more serious by a separate bug in OpenSSL 3.0 that makes X509_verify_cert() report an internal error when processing a chain in which a certificate lacks the "Subject Alternative Name" extension but a certificate authority in the chain enforces name constraints; this can happen even for chains that are otherwise valid. In that case an attacker can trigger application-specific anomalies in certificate handling and TLS session establishment.

Source: opennet.ru
