OpenSSL 1.1.1k update fixes two dangerous vulnerabilities

The OpenSSL 1.1.1k patch release is now available. It fixes two vulnerabilities rated high severity:

  • CVE-2021-3450: CA certificate verification can be bypassed when the X509_V_FLAG_X509_STRICT flag is enabled. This flag is disabled by default and is used to apply additional checks to the certificates in a chain. The issue was introduced by a new check added in OpenSSL 1.1.1h that rejects certificates in the chain that explicitly encode elliptic curve parameters.

    Because of a coding error, the new check overwrote the result of the CA certificate validity check that had been performed earlier. As a result, certificates certified by a self-signed certificate, with no chain of trust linking them to a CA, were treated as fully trusted. The vulnerability does not manifest when the "purpose" parameter is set, which is the default in the client and server certificate verification routines in libssl (used for TLS).

  • CVE-2021-3449: A TLS server can be crashed by a client that sends a specially crafted ClientHello message. The issue is a NULL pointer dereference in the implementation of the signature_algorithms extension. It manifests only on servers that support TLSv1.2 and have renegotiation enabled (it is enabled by default).
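
The preconditions listed above can be turned into a triage check for an inventory of hosts. This is an added example, not code from the original article or from the OpenSSL project; the function name `exposure` and its keyword parameters are hypothetical inputs that the operator fills in from the application's configuration, and it assumes every 1.1.1 release before 1.1.1k is affected by CVE-2021-3449.

```python
import re

# Matches the version banner printed by `openssl version`; group 1 is the
# 1.1.1 patch letter ('' for the initial 1.1.1 release).
_BANNER = re.compile(r"OpenSSL 1\.1\.1([a-z]?)\b")


def exposure(banner, *, x509_strict=False, purpose_set=True,
             tls_server=False, tls12=True, renegotiation=True):
    """Return the CVE ids whose preconditions (as listed above) all hold.

    Returns None when the banner is not an OpenSSL 1.1.1 build, which is
    outside what this check covers.
    """
    match = _BANNER.search(banner)
    if match is None:
        return None
    letter = match.group(1)  # patch letters order alphabetically: '' < 'a' < ... < 'k'
    findings = []

    # CVE-2021-3450: the faulty check exists from 1.1.1h up to the fix in 1.1.1k,
    # and is reachable only with X509_V_FLAG_X509_STRICT set and no "purpose".
    if "h" <= letter < "k" and x509_strict and not purpose_set:
        findings.append("CVE-2021-3450")

    # CVE-2021-3449: TLS servers with TLSv1.2 and renegotiation enabled.
    # Assumption: every 1.1.1 release before 1.1.1k is treated as affected.
    if letter < "k" and tls_server and tls12 and renegotiation:
        findings.append("CVE-2021-3449")

    return findings


if __name__ == "__main__":
    # Constructed sample banners, not taken from real hosts.
    samples = [
        ("OpenSSL 1.1.1j  16 Feb 2021", dict(x509_strict=True, purpose_set=False)),
        ("OpenSSL 1.1.1g  21 Apr 2020", dict(tls_server=True)),
        ("OpenSSL 1.1.1k  25 Mar 2021", dict(tls_server=True, x509_strict=True,
                                             purpose_set=False)),
    ]
    for banner, config in samples:
        print(banner, "->", exposure(banner, **config))
```

Distribution packages often backport fixes without changing the version letter, so a hit from the banner alone should be confirmed against the package changelog.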

Source: opennet.ru
