OpenSSL 1.1.1l update with fixes for two vulnerabilities

A corrective release of the OpenSSL cryptographic library, 1.1.1l, is available, eliminating two vulnerabilities:

  • CVE-2021-3711 is a buffer overflow in the code implementing the SM2 cryptographic algorithm (common in China), which allows up to 62 bytes to be written beyond the buffer boundary because of an error in calculating the buffer size. An attacker could potentially achieve code execution or an application crash by passing specially crafted data to applications that use EVP_PKEY_decrypt() to decrypt SM2 data.
  • CVE-2021-3712 is a buffer overflow in the ASN.1 string processing code, which can lead to an application crash or disclosure of process memory contents (for example, to learn keys stored in memory) if an attacker is able to produce a string in the internal ASN1_STRING structure that is not terminated with a null character and have it processed by OpenSSL functions that print certificates, such as X509_aux_print(), X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp().
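The CVE-2021-3712 condition described above, as an added example that is not part of the original article or of OpenSSL's code: a C program contrasting terminator-based and length-based handling of a string that carries an explicit length. The `der_string` struct (a stand-in for ASN1_STRING), the function names and the sample bytes are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for ASN1_STRING: bytes plus an explicit length.
 * Nothing guarantees that a NUL byte follows data[length - 1]. */
struct der_string {
    const unsigned char *data;
    size_t length;
};

/* Constructed sample: a 17-byte e-mail value directly followed in memory by
 * unrelated bytes ("KEYMATERIAL") standing in for neighbouring process data. */
static const unsigned char sample_region[] = "alice@example.orgKEYMATERIAL";

struct der_string sample_value(void)
{
    struct der_string s = { sample_region, 17 };
    return s;
}

/* Flawed pattern: trusts a terminator instead of the stored length, so the
 * "string" runs on into whatever follows the value. */
size_t naive_cstr_len(const struct der_string *s)
{
    return strlen((const char *)s->data);
}

/* Hardened pattern: copy exactly `length` bytes, add the terminator ourselves.
 * Returns 0 on success, -1 on bad arguments, embedded NUL, or short buffer. */
int der_string_to_cstr(const struct der_string *s, char *out, size_t outlen)
{
    if (s == NULL || s->data == NULL || out == NULL)
        return -1;
    if (s->length >= outlen)                 /* need room for the '\0' */
        return -1;
    if (memchr(s->data, '\0', s->length) != NULL)
        return -1;                           /* reject rather than truncate */
    memcpy(out, s->data, s->length);
    out[s->length] = '\0';
    return 0;
}

int main(void)
{
    struct der_string s = sample_value();
    char buf[64];
    printf("stored length: %zu, naive length: %zu\n", s.length, naive_cstr_len(&s));
    if (der_string_to_cstr(&s, buf, sizeof buf) == 0)
        printf("bounded copy: %s\n", buf);
    return 0;
}
```

In the constructed sample the terminator-based length covers the neighbouring bytes as well, while the bounded copy returns only the stored value.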

At the same time, new versions of the LibreSSL library, 3.3.4 and 3.2.6, were released. They do not explicitly mention vulnerabilities, but judging by the list of changes, the CVE-2021-3712 vulnerability has been eliminated.

Source: opennet.ru
