OpenWrt 19.07.1



Releases 18.06.7 and 19.07.1 of the OpenWrt distribution have been published. They fix the vulnerability CVE-2020-7982 in the opkg package manager, which can be used to carry out a MITM attack and replace the contents of a package downloaded from the repository. Because of an error in the checksum verification code, an attacker can cause the package's SHA-256 checksum to be ignored, which made it possible to bypass the integrity checks on downloaded ipk files.

The problem has been present since February 2017, when code was added to ignore leading spaces before the checksum. Because of a mistake in skipping the spaces, the pointer to the position in the string was not advanced, so the loop that decodes the SHA-256 hexadecimal sequence returned control immediately and returned a checksum of zero length.
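The pointer mistake described above, reduced to a small C model. This is an added example, not opkg's actual source; the function names, the sample field and the fail-closed `checksum_ok` check are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define SHA256_LEN 32
/* Constructed sample index field: one leading space, then 64 hex digits. */
static const char SAMPLE_FIELD[] =
    " 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f";
static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}
/* Decode hex pairs until the first non-hex character; returns bytes written. */
static size_t decode_hex(const char *s, unsigned char *out, size_t cap) {
    size_t n = 0;
    while (n < cap) {
        int hi = hexval((unsigned char)s[0]);
        int lo = hi < 0 ? -1 : hexval((unsigned char)s[1]);
        if (lo < 0) break;
        out[n++] = (unsigned char)(hi << 4 | lo);
        s += 2;
    }
    return n;
}
/* Flawed pattern: whitespace is skipped on p, but decoding starts at field,
 * so a leading space makes the decoder stop at once and return 0 bytes. */
size_t parse_sum_flawed(const char *field, unsigned char *out) {
    const char *p = field;
    while (isspace((unsigned char)*p)) p++;
    return decode_hex(field, out, SHA256_LEN);
}

/* Corrected pattern: decode from the advanced pointer. */
size_t parse_sum_fixed(const char *field, unsigned char *out) {
    const char *p = field;
    while (isspace((unsigned char)*p)) p++;
    return decode_hex(p, out, SHA256_LEN);
}

/* Fail closed: anything other than a full 32-byte match rejects the package. */
int checksum_ok(const unsigned char *got, const unsigned char *want, size_t want_len) {
    return want_len == SHA256_LEN && memcmp(got, want, SHA256_LEN) == 0;
}

int main(void) {
    unsigned char a[SHA256_LEN], b[SHA256_LEN];
    printf("flawed=%zu fixed=%zu\n", parse_sum_flawed(SAMPLE_FIELD, a), parse_sum_fixed(SAMPLE_FIELD, b));
    return 0;
}
```

A verifier that treats a zero-length expected checksum as "nothing to compare" lets the download through; checking the decoded length before comparing turns the same parsing slip into a rejected package.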

Because the opkg package manager runs as root, an attacker carrying out a MITM attack can change the contents of an ipk package downloaded from the repository while the user runs "opkg install", and can arrange for their own code to be executed with root privileges by adding their own handler scripts to the package, which are called during installation. To exploit the vulnerability, the attacker must also tamper with the package index (for example, from downloads.openwrt.org). The size of the modified package must match the original size given in the index.

The new releases also fix another vulnerability, in the libubox library, which can lead to a buffer overflow when processing specially crafted serialized binary or JSON data in the blobmsg_format_json function.

Source: linux.org.ru
