Vulnerability in the Node.js http2 module

The developers of the server-side JavaScript platform Node.js have published corrective releases 12.22.4, 14.17.4 and 16.6.0, which partially fix a vulnerability (CVE-2021-22930) in the http2 module (HTTP/2.0 client). The vulnerability makes it possible to crash the process or potentially to execute an attacker's code on the system when the client accesses a host controlled by the attacker.

The problem is caused by access to already freed memory when a connection is closed after receiving RST_STREAM (stream reset) frames for streams that are performing intensive read operations which block writes. If the RST_STREAM frame is received without an error code being specified, the http2 module additionally calls the cleanup procedure for data that has already been received, and from that procedure the close handler is called again for the already closed stream, which leads to a double free of data structures.

The discussion of the patch notes that the problem has not been fully fixed and, under slightly modified conditions, still appears in the published updates. Analysis showed that the fix covers only one of the special cases, when the stream is in read mode, and does not take into account other stream states (reading and paused, paused, and some kinds of writing).
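The re-entrant close path and the limits of a state-specific fix can be seen in a small model. This is an added example, not Node.js source code or the actual patch: the class, the state names, the guard labels and the use of error code 0 for "no error code" are all assumptions made for illustration.

```javascript
// Simplified model (constructed for illustration; not Node.js source code).
// A "release" stands in for freeing the stream's native data structures.
const STATES = ['reading', 'reading_paused', 'paused', 'writing']; // hypothetical names

class ModelStream {
  constructor(state, guard) {
    this.state = state;   // stream state when RST_STREAM arrives
    this.guard = guard;   // 'none' | 'reading-only' | 'idempotent'
    this.closed = false;
    this.releases = 0;    // a value above 1 models a double free
  }

  // Close handler: releases the stream's data structures.
  close() {
    if (this.guard === 'idempotent' && this.closed) return;
    if (this.guard === 'reading-only' && this.closed && this.state === 'reading') return;
    this.closed = true;
    this.releases += 1;
  }

  // Cleanup of data that was already received; it re-enters close().
  flushReceivedData() {
    this.close();
  }

  // errorCode 0 models "RST_STREAM without an error code" (assumption).
  onRstStream(errorCode) {
    this.close();
    if (errorCode === 0) this.flushReceivedData();
  }
}

// Returns { state: releaseCount } for one guard strategy.
function releasesPerState(guard, errorCode = 0) {
  const result = {};
  for (const state of STATES) {
    const stream = new ModelStream(state, guard);
    stream.onRstStream(errorCode);
    result[state] = stream.releases;
  }
  return result;
}

// Lists the states in which the model releases the structures twice.
function doubleFreeStates(guard) {
  const counts = releasesPerState(guard);
  return STATES.filter((state) => counts[state] > 1);
}

console.log('none        :', doubleFreeStates('none'));
console.log('reading-only:', doubleFreeStates('reading-only'));
console.log('idempotent  :', doubleFreeStates('idempotent'));
```

In the model, only the guard that is independent of the stream state removes the second release in every state, which is the gap the patch discussion describes.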

Source: opennet.ru
