PostgreSQL update with vulnerability fixes. Odyssey Connection Balancer 1.2 released

Corrective updates have been released for all supported PostgreSQL branches: 14.1, 13.5, 12.9, 11.14, 10.19 and 9.6.24. Release 9.6.24 is the final update for the 9.6 branch, which is now discontinued. Updates for branch 10 will be issued until November 2022, for 11 until November 2023, for 12 until November 2024, for 13 until November 2025, and for 14 until November 2026.

The new versions contain more than 40 fixes and eliminate two vulnerabilities (CVE-2021-23214, CVE-2021-23222) in the server and in the libpq client library. The vulnerabilities allow an attacker positioned on the path (MITM) to wedge into an encrypted connection. The attack does not require a valid SSL certificate, because the injected bytes are delivered before the TLS handshake begins and are therefore not covered by certificate verification; it can be carried out even against installations that require client certificate authentication. On the server side, the vulnerability allows the attacker to inject their own SQL query while an encrypted connection from the client to the PostgreSQL server is being established. On the libpq side, the vulnerability allows the attacker to return a forged server response to the client. Combined, the two vulnerabilities make it possible to extract the client's password or other sensitive data transmitted at the start of the session.

Separately, Yandex has published a new version of the Odyssey 1.2 proxy server, designed to maintain a pool of open connections to the PostgreSQL DBMS and to route queries. Odyssey supports multithreaded operation with several worker processes, reconnecting to the same server when a client reconnects, and binding connection pools to users and databases. The code is written in C and distributed under the BSD license.

The new version of Odyssey adds protection against data being sent before the SSL session negotiation has completed (which blocks attacks exploiting the CVE-2021-23214 and CVE-2021-23222 vulnerabilities described above). Support for PAM and LDAP authentication has been implemented. Integration with the Prometheus monitoring system has been added. The statistics have been extended with transaction and query timing metrics.
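The two paragraphs above (the CVE mechanism, and Odyssey's protection against data sent before the SSL negotiation completes) come down to one detail of the PostgreSQL startup protocol: the client's SSLRequest and the server's one-byte 'S'/'N' answer travel in plaintext, and whatever else arrived in the same socket read used to stay in the input buffer and be consumed after the TLS handshake as if it had been encrypted. The model below is an added illustration, not code from PostgreSQL, libpq or Odyssey. It performs no TLS at all; the names `vulnerable_*`/`fixed_*` and the dictionary results are this example's own, the SSLRequest framing (int32 length 8, int32 code 80877103) is from the public wire protocol, and the injected bytes are a constructed simple-query frame used only as sample input.

```python
"""Model of the PostgreSQL startup handshake around SSLRequest.

Added illustration only (not PostgreSQL/libpq/Odyssey code). It models how an
endpoint reads one bufferload from the socket, answers the SSLRequest, and
decides what to do with extra bytes that arrived in the same read before the
TLS handshake. The pre-fix behaviour keeps those bytes; the post-fix behaviour
refuses the connection, which is what the CVE-2021-23214/23222 fixes do.
"""
import struct

SSL_REQUEST_CODE = 80877103                           # (1234 << 16) | 5679, wire protocol
SSL_REQUEST = struct.pack("!II", 8, SSL_REQUEST_CODE)  # int32 length (8) + int32 code

# Constructed sample input: a simple-query frame ('Q', int32 length incl. itself,
# NUL-terminated string), i.e. the kind of bytes an on-path attacker would append
# to the client's SSLRequest segment.
INJECTED_PLAINTEXT = b"Q" + struct.pack("!I", 4 + len(b"SELECT 1;\x00")) + b"SELECT 1;\x00"


def split_ssl_request(bufferload: bytes):
    """Return (is_ssl_request, trailing_bytes) for one read from the client."""
    if len(bufferload) < 8:
        return False, bufferload
    length, code = struct.unpack("!II", bufferload[:8])
    if length == 8 and code == SSL_REQUEST_CODE:
        return True, bufferload[8:]
    return False, bufferload


def vulnerable_server_startup(bufferload: bytes) -> dict:
    """Pre-fix server: bytes after the SSLRequest survive in the buffer and are
    handed to the post-handshake reader as though they were decrypted."""
    is_ssl, trailing = split_ssl_request(bufferload)
    if not is_ssl:
        return {"reply": None, "post_handshake_input": bufferload}
    # reply 'S', run the TLS handshake (modelled away), then keep reading the buffer
    return {"reply": b"S", "post_handshake_input": trailing}


def fixed_server_startup(bufferload: bytes) -> dict:
    """Post-fix server: any unencrypted bytes received with the SSLRequest abort
    the connection before the handshake, so nothing can be pre-loaded."""
    is_ssl, trailing = split_ssl_request(bufferload)
    if not is_ssl:
        return {"reply": None, "post_handshake_input": bufferload}
    if trailing:
        raise ConnectionError("received unencrypted data after SSL request")
    return {"reply": b"S", "post_handshake_input": b""}


def vulnerable_client_ssl_reply(bufferload: bytes) -> dict:
    """Pre-fix client: the 'S' byte is consumed and whatever followed it in the
    same read is kept, to be parsed later as server messages."""
    reply, trailing = bufferload[:1], bufferload[1:]
    if reply == b"S":
        return {"encrypt": True, "post_handshake_input": trailing}
    if reply == b"N":
        return {"encrypt": False, "post_handshake_input": trailing}
    raise ConnectionError("unexpected response to SSLRequest")


def fixed_client_ssl_reply(bufferload: bytes) -> dict:
    """Post-fix client: a server that says 'S' must not have sent anything else
    in plaintext; if it did, the connection is abandoned."""
    reply, trailing = bufferload[:1], bufferload[1:]
    if reply == b"S":
        if trailing:
            raise ConnectionError("received unencrypted data after SSL response")
        return {"encrypt": True, "post_handshake_input": b""}
    if reply == b"N":
        return {"encrypt": False, "post_handshake_input": trailing}
    raise ConnectionError("unexpected response to SSLRequest")


def is_rejected(handler, bufferload: bytes) -> bool:
    """True if the handler refuses this bufferload with ConnectionError."""
    try:
        handler(bufferload)
    except ConnectionError:
        return True
    return False


if __name__ == "__main__":
    tampered = SSL_REQUEST + INJECTED_PLAINTEXT
    print("vulnerable server keeps:", vulnerable_server_startup(tampered)["post_handshake_input"])
    print("fixed server rejects:   ", is_rejected(fixed_server_startup, tampered))
    print("fixed client rejects:   ", is_rejected(fixed_client_ssl_reply, b"S" + INJECTED_PLAINTEXT))
```

A proxy such as Odyssey sits on both ends of this exchange (it is a server to the application and a client to PostgreSQL), so it needs the server-side check on the connections it accepts and the client-side check on the connections it opens. Note that a legitimate client never sends anything after SSLRequest until it has seen the reply, so rejecting trailing bytes costs nothing in the normal case.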

Source: opennet.ru
