Uhlaziyo oluchanekileyo lupapashwe kumasebe azinzileyo e-BIND iseva ye-DNS 9.11.31 kunye ne-9.16.15, kunye nesebe lokulinga 9.17.12, ekuphuhlisweni. Ukukhutshwa okutsha kujongana nobuthathaka obuthathu, obunye (CVE-2021-25216) bubangela ukuphuphuma kwebuffer. Kwiinkqubo ze-32-bit, ubuthathaka bunokusetyenziswa ukuphumeza ukude ikhowudi yomhlaseli ngokuthumela isicelo esenziwe ngokukodwa se-GSS-TSIG. Kwiisistim ezingama-64 ingxaki ikhawulelwe kukuntlitheka kwenkqubo ebizwayo.
Ingxaki ibonakala kuphela xa inkqubo ye-GSS-TSIG yenziwe yasebenza, kusetyenziswa i-tkey-gssapi-keytab kunye nesethingi ye-tkey-gssapi-credential. I-GSS-TSIG ivaliwe kuqwalaselo olungagqibekanga kwaye iqhele ukusetyenziswa kwiindawo ezixubeneyo apho i-BIND idityaniswe nabalawuli bommandla we-Active Directory, okanye xa idityaniswa ne-Samba.
Ukuba sesichengeni kubangelwa yimpazamo ekuphunyezweni kwe-SPNEGO (i-Simple and Protected GSSAPI Negotiation Mechanism) indlela, esetyenziswa kwi-GSSAPI ukubonisana ngeendlela zokukhusela ezisetyenziswa ngumxhasi kunye nomncedisi. I-GSSAPI isetyenziswa njengeprothokholi ekwinqanaba eliphezulu lotshintshiselwano olungundoqo olukhuselekileyo usebenzisa i-GSS-TSIG eyongeziweyo esetyenziswa kwinkqubo yokuqinisekisa uhlaziyo lwezowuni ye-DNS eguqukayo.
Ngenxa yokuba ubuthathaka obubalulekileyo ekuphunyezweni kwendabuko ye-SPNEGO kufunyenwe ngaphambili, ukuphunyezwa kwale protocol kususiwe kwisiseko sekhowudi ye-BIND 9. Kubasebenzisi abafuna inkxaso ye-SPNEGO, kucetyiswa ukuba kusetyenziswe ukuphunyezwa kwangaphandle okunikezelwe yilayibrari yenkqubo ye-GSSAPI (kubonelelwe kwiMIT Kerberos kunye neHeimdal Kerberos).
Abasebenzisi beenguqulelo ezindala ze-BIND, njengendlela yokusebenza yokuthintela ingxaki, banokukhubaza i-GSS-TSIG kwizicwangciso (ukhetho lwe-tkey-gssapi-keytab kunye ne-tkey-gssapi-credential) okanye uphinde wakhe i-BIND ngaphandle kwenkxaso yendlela ye-SPNEGO (ukhetho "- -khubaza-isc-spnego" kwiskripthi "qwalasela"). Unokulandelela ukufumaneka kohlaziyo kunikezelo kula maphepha alandelayo: Debian, SUSE, Ubuntu, Fedora, Arch Linux, FreeBSD, NetBSD. Iiphakheji ze-RHEL kunye ne-ALT Linux zakhiwe ngaphandle kwenkxaso yendalo ye-SPNEGO.
Ukongeza, izinto ezimbini ezibuthathaka zilungisiwe kuhlaziyo lwe-BIND embuzweni:
- I-CVE-2021-25215 - inkqubo ebizwa ngokuba yinkqubo ephazamisekileyo xa icutshungulwa iirekhodi ze-DNAME (ukuqondisa kwakhona ukuqhutyelwa kwenxalenye ye-subdomains), ekhokelela ekongezwe ngokuphindaphindiweyo kwicandelo le-MPENDULO. Ukuxhaphaza ubuthathaka kwiiseva ze-DNS ezigunyazisiweyo kufuna ukuba kwenziwe utshintsho kwimimandla ye-DNS esetyenzisiweyo, kunye neeseva eziphindaphindayo, irekhodi eyingxaki inokufumaneka emva kokuqhagamshelana nomncedisi ogunyazisiweyo.
- I-CVE-2021-25214 - Inkqubo egama layo liphazamiseka xa kusetyenzwa isicelo esenziwe ngokukhethekileyo esingenayo se-IXFR (esisetyenziselwa ukuhambisa ngokunyukayo utshintsho kwiindawo ze-DNS phakathi kweeseva ze-DNS). Ingxaki ichaphazela kuphela iisistim ezivumele ukuhanjiswa kwendawo ye-DNS ukusuka kumncedisi womhlaseli (ngokuqhelekileyo ukudluliselwa kwendawo kusetyenziselwa ukuvumelanisa iiseva eziphambili kunye nezicaka kwaye zivunyelwe ngokukhethiweyo kuphela kwiiseva ezithembekileyo). Njengomsebenzi wokhuseleko, unokukhubaza inkxaso ye-IXFR usebenzisa "isicelo-ixfr no;".
umthombo: opennet.ru