ProHoster > Blog > litaba tsa inthanete > Bofokoli ho Linux kernel, Glibc, GStreamer, Ghostscript, BIND le CUPS

Bofokoli ho Linux kernel, Glibc, GStreamer, Ghostscript, BIND le CUPS

Bofokoli bo 'maloa bo sa tsoa tsejoa:

  • CVE-2023-39191 ke tlokotsi e ka har'a sistimi e tlase ea eBPF e lumellang mosebelisi oa lehae ho holisa litokelo tsa bona le ho etsa khoutu boemong ba Linux kernel. Kotsi e bakoa ke netefatso e fosahetseng ea mananeo a eBPF a rometsoeng ke mosebelisi hore a phethe. Ho etsa tlhaselo, mosebelisi o tlameha ho khona ho kenya lenaneo la hae la BPF (haeba kernel.unprivileged_bpf_disabled parameter e behiloe ho 0, mohlala, joalo ka Ubuntu 20.04). Lintlha tse mabapi le ho ba kotsing li ile tsa fetisetsoa ho baetsi ba kernel morao koana ka Tšitoe selemong se fetileng, 'me tokiso e ile ea hlahisoa ka khutso ka Pherekhong.
  • CVE-2023-42753 Taba e nang le li-index tse ngata ts'ebetsong ea ipset ho netfilter kernel subsystem, e ka sebelisetsoang ho eketsa / ho fokotsa lintlha le ho theha maemo a ho ngola kapa ho balla sebaka sa memori kantle ho buffer e fanoeng. Ho hlahloba boteng ba ho ba kotsing, ho lokiselitsoe prototype ea tlhekefetso e bakang pheliso e sa tloaelehang (maemo a kotsi a ho sebelisoa hampe a ke ke a qheleloa ka thoko). Tokiso e kenyellelitsoe ho li-kernel tse 5.4.257, 6.5.3, 6.4.16, 6.1.53, 5.10.195, 5.15.132.
  • CVE-2023-39192, CVE-2023-39193, CVE-2023-39193 - bofokoli bo bongata ho Linux kernel e lebisang ho lutla ha litaba tsa memori ea kernel ka lebaka la bokhoni ba ho bala ho tsoa libakeng tse kantle ho buffer e fanoeng papaling_flags le mesebetsi ea u32_match_it. ea Netfilter subsystem, hammoho le khoutu ea ts'ebetso ea filthara ea mmuso. Bofokoli bo ile ba lokisoa ka Phato (1, 2) le Phuptjane.
  • CVE-2023-42755 ke ts'oaetso e lumellang mosebelisi oa lehae ea sa sireletsehang ho baka kotsi ea kernel ka lebaka la phoso ha a sebetsa ka litsupa ho sehlopha sa sephethephethe sa rsvp. Bothata bo hlaha ho LTS kernels 6.1, 5.15, 5.10, 5.4, 4.19 le 4.14. Ho se ho lokisitsoe prototype ea exploit. Tokiso ha e so amoheloe kernel mme e fumaneha joalo ka patch.
  • CVE-2023-42756 ke boemo ba morabe ka har'a NetFilter kernel subsystem e ka sebelisoang hampe ho etsa hore mosebelisi oa lehae a bake boemo ba Tšabo. Ho na le mohlala oa exploit o sebetsang bonyane kernel 6.5.rc7, 6.1 le 5.10. Tokiso ha e so amoheloe kernel mme e fumaneha joalo ka patch.
  • CVE-2023-4527 Palo e khaphatsehang laebraring ea Glibc e etsahala ts'ebetsong ea getaddrininfo ha e sebetsana le karabo ea DNS e kholo ho feta 2048 bytes. Ho ba kotsing ho ka lebisa ho dutla ha data kapa ho senyeha. Ho ba kotsing ho hlaha feela liphetolelong tsa Glibc tse ncha ho feta 2.36 ha u sebelisa khetho ea "no-aaaa" ho /etc/resolv.conf.
  • CVE-2023-40474, CVE-2023-40475 ke bofokoli ka har'a moralo oa multimedia oa GStreamer o bakiloeng ke palo e kholo ea li-file tsa video tsa MXF. Bofokoli bo ka lebisa ho ts'ebetsong ea khoutu ea bahlaseli ha o sebetsana le lifaele tsa MXF tse etselitsoeng ka ho khetheha ts'ebelisong e sebelisang GStreamer. Bothata bo tsitsitsoe ka har'a sephutheloana sa gst-plugins-bad 1.22.6.
  • CVE-2023-40476 - Buffer e phalla ka har'a processor ea video ea H.265 e fanoang ho GStreamer, e lumellang ts'ebetso ea khoutu ha o sebetsana le video e hlophisitsoeng ka ho khetheha. Kotsi e lokisitsoe ho sephutheloana sa gst-plugins-bad 1.22.6.
  • Analysis - tlhahlobo ea ketso e sebelisang ho ba kotsing ea CVE-2023-36664 sephutheloana sa Ghostscript ho etsa khoutu ea eona ha ho buloa litokomane tsa PostScript tse etselitsoeng ka ho khetheha. Bothata bo bakoa ke ts'ebetso e fosahetseng ea mabitso a lifaele ho qala ka "|". kapa sehlongwapele %pipe%. Ho ba kotsing ho ile ha lokisoa tokollong ea Ghostscript 10.01.2.
  • CVE-2023-3341, CVE-2023-4236 - bofokoli ho seva sa BIND 9 DNS se lebisang ho senyeha ha ts'ebetso e boletsoeng ha ho sebetsoa melaetsa ea taolo e etselitsoeng ka ho khetheha (ho fihlella koung ea TCP eo lebitso la eona e laoloang ho lekane (e bulehile feela. ka ho sa feleng). bakeng sa sehokelo sa loopback), tsebo ea senotlolo sa RNDC ha e hlokehe) kapa ho theha mojaro o itseng o phahameng ka mokhoa oa DNS-over-TLS. Bofokoli bo rarollotsoe ho lingoliloeng tsa BIND 9.16.44, 9.18.19, le 9.19.17.
  • CVE-2023-4504 ke tlokotsi ho seva sa khatiso sa CUPS le laeborari ea libppd e lebisang ho phallo ea buffer ha ho arola litokomane tsa Postscript tse hlophisitsoeng ka mokhoa o ikhethileng. Ho ka etsahala hore bofokoli bo ka sebelisoa hampe ho hlophisa ts'ebetsong ea khoutu ea motho tsamaisong. Taba ena e rarollotsoe likhatisong tsa CUPS 2.4.7 (patch) le libppd 2.0.0 (patch).

Source: opennet.ru

Eketsa ka tlhaloso