Buffer overflow in OpenSSL exploitable during X.509 certificate verification

A corrective release of the OpenSSL cryptographic library, 3.0.7, has been published, fixing two vulnerabilities. Both issues are caused by buffer overflows in the code that validates email addresses in X.509 certificates and can potentially lead to code execution while processing a specially crafted certificate. At the time the fix was published, the OpenSSL developers had no evidence of a working exploit that leads to execution of attacker-supplied code.

Although the pre-announcement of the new release mentioned a critical issue, the released update actually lowered the severity to High rather than Critical. Under the rules adopted by the project, the severity is lowered if the problem only manifests in atypical configurations or if there is a low probability of the vulnerability being exploited in practice.

In this case, the severity was lowered because a detailed analysis of the vulnerability by several organizations concluded that code execution during exploitation is blocked by the stack overflow protection mechanisms used on many platforms. In addition, the stack layout used in some Linux distributions causes the four out-of-bounds bytes to land on top of the next buffer on the stack, which has not yet been used at that point. However, it is possible that platforms exist on which the bug can be exploited to execute code.

Identified issues:

  • CVE-2022-3602 - the vulnerability initially presented as critical; it leads to a 4-byte buffer overflow when checking a field containing a specially crafted email address in an X.509 certificate. In a TLS client, the vulnerability can be exploited when connecting to a server controlled by the attacker. In a TLS server, it can be exploited if client authentication with certificates is used. In both cases the vulnerability is triggered at the stage after the certificate's chain of trust has been verified, i.e. the attack requires a certificate authority to have signed the attacker's malicious certificate (or, per the OpenSSL advisory, an application that continues certificate verification even though no path to a trusted issuer could be built).
  • CVE-2022-3786 - another exploitation vector for the same flaw as CVE-2022-3602, identified while analysing the problem. The difference is that it allows the stack buffer to be overflowed by an arbitrary number of bytes, all of which are the "." character (i.e. the attacker cannot control the contents of the overflow, and the problem can only be used to crash the application).
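To make the mechanism behind CVE-2022-3602 concrete, the following is an added example written for this page, not OpenSSL's own crypto/punycode.c: a compact RFC 3492 punycode decoder whose single bounds check can be switched between the off-by-one pattern (">" instead of ">=", which lets exactly one extra unsigned int, i.e. 4 bytes, be written at out[max_out]) and the corrected form. The function names, the `fixed` flag, the 5-slot limit and the input strings ("bcher-kva" decodes to "bücher", "mnchen-3ya" to "münchen") are constructed for the demonstration; the sixth array slot stands in for whatever sits next on the stack, so the overflow is observed without actually corrupting memory.

```c
/* Added example: simplified RFC 3492 punycode decoder with a toggleable
 * bounds check. This models the off-by-one pattern described for
 * CVE-2022-3602; it is not OpenSSL's code. */
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BASE 36
#define TMIN 1
#define TMAX 26
#define SKEW 38
#define DAMP 700
#define INITIAL_BIAS 72
#define INITIAL_N 128

static int digit_value(char c)
{
    if (c >= 'a' && c <= 'z') return c - 'a';
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= '0' && c <= '9') return c - '0' + 26;
    return -1;
}

static unsigned int adapt(unsigned int delta, unsigned int numpoints, int firsttime)
{
    unsigned int k = 0;
    delta = firsttime ? delta / DAMP : delta / 2;
    delta += delta / numpoints;
    while (delta > ((BASE - TMIN) * TMAX) / 2) {
        delta /= BASE - TMIN;
        k += BASE;
    }
    return k + ((BASE - TMIN + 1) * delta) / (delta + SKEW);
}

/* Decode 'in' (label body without the "xn--" prefix) into 'out', which
 * the caller says holds max_out code points. fixed == 0 reproduces the
 * off-by-one check (written > max_out), which still allows a write at
 * out[max_out]; fixed == 1 uses written >= max_out and rejects first.
 * Returns 1 on success and stores the code point count in *out_len. */
int punycode_decode(const char *in, size_t in_len, unsigned int *out,
                    size_t max_out, int fixed, size_t *out_len)
{
    size_t written = 0, pos, delim = in_len; /* in_len == no delimiter */
    unsigned int n = INITIAL_N, i = 0, bias = INITIAL_BIAS;

    /* Everything before the last '-' is copied literally (basic code points). */
    for (pos = in_len; pos > 0; pos--)
        if (in[pos - 1] == '-') { delim = pos - 1; break; }
    for (pos = 0; pos < (delim == in_len ? 0 : delim); pos++) {
        if (fixed ? written >= max_out : written > max_out)
            return 0;
        out[written++] = (unsigned char)in[pos];
    }
    pos = (delim == in_len) ? 0 : delim + 1;

    while (pos < in_len) {
        unsigned int oldi = i, w = 1, k;
        for (k = BASE;; k += BASE) {
            int d;
            unsigned int t;
            if (pos >= in_len) return 0;              /* truncated input */
            d = digit_value(in[pos++]);
            if (d < 0 || (unsigned int)d > (UINT_MAX - i) / w) return 0;
            i += (unsigned int)d * w;
            t = k <= bias ? TMIN : (k >= bias + TMAX ? TMAX : k - bias);
            if ((unsigned int)d < t) break;
            if (w > UINT_MAX / (BASE - t)) return 0;
            w *= BASE - t;
        }
        bias = adapt(i - oldi, (unsigned int)written + 1, oldi == 0);
        if (i / ((unsigned int)written + 1) > UINT_MAX - n) return 0;
        n += i / ((unsigned int)written + 1);
        i %= (unsigned int)written + 1;

        /* The decisive check: with '>' the memmove/store below runs once
         * with written == max_out, writing one code point past the end. */
        if (fixed ? written >= max_out : written > max_out)
            return 0;
        memmove(out + i + 1, out + i, (written - i) * sizeof(*out));
        out[i] = n;
        written++;
        i++;
    }
    *out_len = written;
    return 1;
}

/* Decode into a 6-slot array while telling the decoder only 5 slots exist;
 * slot 5 stands in for the next object on the stack and must stay intact.
 * Returns the decoder's result and reports slot 5 through *canary_after. */
int demo(int fixed, unsigned int *canary_after)
{
    const char encoded[] = "bcher-kva";  /* constructed: "bücher", 6 code points */
    unsigned int storage[6] = { 0, 0, 0, 0, 0, 0xDEADBEEFu };
    size_t len = 0;
    int ok = punycode_decode(encoded, strlen(encoded), storage, 5, fixed, &len);
    *canary_after = storage[5];
    return ok;
}

int main(void)
{
    unsigned int canary;
    int ok = demo(0, &canary);
    printf("off-by-one check: ok=%d canary=0x%08x\n", ok, canary);
    ok = demo(1, &canary);
    printf("corrected check:  ok=%d canary=0x%08x\n", ok, canary);
    return 0;
}
```

With the off-by-one check the decoder reports success and the canary slot now holds 'r' (0x72), the code point shifted out of the declared buffer by the insertion; with the corrected check the input is rejected before that write and the canary is untouched. The real overflow is reached through a name-constraint check that punycode-decodes the domain part of an email address, so the attacker-controlled value is a long "xn--" label whose decoded length is exactly one more than the fixed-size stack buffer.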

The vulnerability only affects the OpenSSL 3.0.x branch (the bug was introduced in the Unicode conversion (punycode) code added in the 3.0.x branch). OpenSSL 1.1.1 releases, as well as the OpenSSL forks LibreSSL and BoringSSL, are not affected. At the same time, the OpenSSL 1.1.1s update was published, which contains only non-security bug fixes.

The OpenSSL 3.0 branch is used in distributions such as Ubuntu 22.04, CentOS Stream 9, RHEL 9, OpenMandriva 4.2, Gentoo, Fedora 36 and Debian Testing/Unstable. Users of these systems are advised to install the updates as soon as possible (Debian, Ubuntu, RHEL, SUSE/openSUSE, Fedora, Arch). In SUSE Linux Enterprise 15 SP4 and openSUSE Leap 15.4, packages with OpenSSL 3.0 are available as an option, while the system packages use the 1.1.1 branch. Debian 11, Arch Linux, Void Linux, Ubuntu 20.04, Slackware, ALT Linux, RHEL 8, OpenWrt, Alpine Linux 3.16 and FreeBSD remain on OpenSSL 1.x branches.

Source: opennet.ru
