Tokollo ea pele ea lekala le lecha le lecha la nginx 1.21.0 e hlahisitsoe, moo nts'etsopele ea likarolo tse ncha e tla tsoela pele. Ka nako e ts'oanang, tokollo ea tokiso e lokiselitsoe ka tsela e ts'oanang le lekala le tsitsitseng le tšehetsoeng 1.20.1, le hlahisang feela liphetoho tse amanang le ho felisoa ha liphoso tse tebileng le bofokoli. Selemong se tlang, ho itšetlehile ka lekala le leholo la 1.21.x, lekala le tsitsitseng 1.22 le tla thehoa.
Liphetolelo tse ncha li lokisa ts'oaetso (CVE-2021-23017) khoutu ea ho rarolla mabitso a baeti ho DNS, e ka lebisang ho senyeha kapa ho ka 'na ha e-ba le khoutu ea bahlaseli. Bothata bo iponahatsa ts'ebetsong ea likarabo tse itseng tsa li-server tsa DNS tse fellang ka ho phalla ha buffer e le 'ngoe. Kotsi e hlaha feela ha e nolofalitsoe ho li-setting tsa DNS resolution ho sebelisoa taelo ea "resolver". Ho etsa tlhaselo, mohlaseli o tlameha ho khona ho senya lipakete tsa UDP ho tswa ho seva sa DNS kapa ho fumana taolo ea seva sa DNS. Ho ba kotsing ho hlahile ho tloha ha ho lokolloa nginx 0.6.18. Patch e ka sebelisoa ho lokisa bothata likhatisong tsa khale.
Liphetoho tse seng tsa ts'ireletso ho nginx 1.21.0:
- Tšehetso e feto-fetohang e kentsoe litaelong "proxy_ssl_certificate", "proxy_ssl_certificate_key", "grpc_ssl_certificate", "grpc_ssl_certificate_key", "uwsgi_ssl_certificate" le "uwsgi_sssl_certificate".
- Mojule oa proxy oa poso o kentse tšehetso bakeng sa "pipelining" bakeng sa ho romela likopo tse ngata tsa POP3 kapa IMAP ka khokahanyo e le 'ngoe, hape e kentse taelo e ncha "max_errors", e hlalosang palo e kholo ea liphoso tsa protocol ka mor'a moo khokahanyo e tla koaloa.
- E kentse parameter ea "fastopen" ho mojule oa molapo, e nolofalletsang "TCP Fast Open" mokhoa oa ho mamela li-sockets.
- Mathata a ho phonyoha litlhaku tse khethehileng nakong ea ho tsamaisa li-automatic ka ho eketsa slash qetellong a rarollotsoe.
- Bothata ba ho koala likhokahano ho bareki ha u sebelisa pipelining ea SMTP bo rarollotsoe.
Source: opennet.ru