OpenSSL 1.1.1l update fixes two vulnerabilities

A corrective release of the OpenSSL cryptographic library, 1.1.1l, is available and eliminates two vulnerabilities:

  • CVE-2021-3711 is a buffer overflow in the code implementing the SM2 cryptographic algorithm (widely used in China) that allows up to 62 bytes to be written past the end of a buffer because of an error in calculating the buffer size. An attacker may be able to achieve code execution or an application crash by passing specially crafted data to applications that use the EVP_PKEY_decrypt() function to decrypt SM2 data.
  • CVE-2021-3712 is a set of buffer overruns in the ASN.1 string processing code that can crash an application or disclose the contents of process memory (for example, to identify keys stored in memory) if an attacker can somehow produce a string in the internal ASN1_STRING structure that is not terminated by a null character and have it processed by OpenSSL functions that print certificates, such as X509_aux_print(), X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp().
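The defensive pattern behind the CVE-2021-3712 fix, as an added example that is not OpenSSL's code: treat a length-delimited string as (pointer, length) and never as a C string. The `lv_string` struct and `lv_to_cstring()` are hypothetical names standing in for an ASN1_STRING-like value, and the sample bytes are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for an ASN1_STRING-like value: a recorded length and
 * a data pointer whose bytes are NOT guaranteed to end in a NUL. */
struct lv_string { int length; const unsigned char *data; };

static int is_plain(unsigned char c) { return c >= 0x20 && c < 0x7f && c != '\\'; }

/* Render s into out as a C string, reading only s->length bytes.
 * Returns characters written; -1 for bad input or an embedded NUL;
 * -2 if out is too small. Non-printable bytes become \xHH. */
int lv_to_cstring(const struct lv_string *s, char *out, size_t outlen)
{
    size_t need = 0, pos = 0;
    int i;

    if (!s || !out || s->length < 0 || (s->length > 0 && !s->data))
        return -1;
    for (i = 0; i < s->length; i++) {      /* validate and size first */
        if (s->data[i] == 0)
            return -1;                     /* reject rather than truncate */
        need += is_plain(s->data[i]) ? 1 : 4;
    }
    if (need + 1 > outlen)
        return -2;
    for (i = 0; i < s->length; i++) {      /* emit, bounded by length */
        if (is_plain(s->data[i]))
            out[pos++] = (char)s->data[i];
        else
            pos += (size_t)snprintf(out + pos, outlen - pos, "\\x%02x",
                                    (unsigned)s->data[i]);
    }
    out[pos] = '\0';
    return (int)pos;
}

int main(void)
{
    /* Constructed sample: 5 value bytes followed by unrelated memory, no NUL. */
    const unsigned char mem[] = { 'a', '@', 'b', '.', 'c', 'K', 'E', 'Y' };
    struct lv_string s = { 5, mem };
    char out[32];
    int n = lv_to_cstring(&s, out, sizeof out);
    printf("%d %s\n", n, n >= 0 ? out : "(rejected)");
    return 0;
}
```

A `strlen()` or `%s` on `mem` would run past the five value bytes into the adjacent data, which is the kind of disclosure the advisory describes.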

At the same time, new versions of the LibreSSL library, 3.3.4 and 3.2.6, were released. They do not explicitly mention the vulnerabilities, but judging by the list of changes, the CVE-2021-3712 vulnerability has been eliminated.

Source: opennet.ru
