OpenSSL 3.0.1 fixes a vulnerability

Maintenance releases 3.0.1 and 1.1.1m of the OpenSSL cryptographic library are available. Version 3.0.1 fixes a vulnerability (CVE-2021-4044), and around a dozen bugs have been fixed in both updates.

The vulnerability is in the SSL/TLS client implementation and is caused by libssl incorrectly handling negative return values from the X509_verify_cert() function, which is called to verify the certificate the server presents to the client. Negative values are returned on internal errors, for example when memory for a buffer cannot be allocated. If such an error is returned, subsequent I/O calls such as SSL_connect() and SSL_do_handshake() fail and SSL_get_error() reports SSL_ERROR_WANT_RETRY_VERIFY, an error code that should only ever be returned if the application has previously installed a verification callback with SSL_CTX_set_cert_verify_callback().

Since most applications do not call SSL_CTX_set_cert_verify_callback(), an unexpected SSL_ERROR_WANT_RETRY_VERIFY can be misinterpreted by the application's I/O loop and lead to a crash, an infinite loop (if the application simply retries the handshake), or other incorrect behaviour. The problem is particularly dangerous in combination with another bug in OpenSSL 3.0 that makes X509_verify_cert() hit an internal error when it processes a certificate that has no "Subject Alternative Name" extension but is subject to name constraints. In that case an attacker controlling the server certificate can trigger application-specific failures in certificate processing and TLS session establishment.

Source: opennet.ru
