OpenSSL 1.1.1l update with fixes for two vulnerabilities

A corrective release of the OpenSSL cryptographic library, 1.1.1l, is available, which eliminates two vulnerabilities:

  • CVE-2021-3711 is a buffer overflow in the code implementing the SM2 cryptographic algorithm (common in China), which allows up to 62 bytes to be written past the end of the buffer because of an error in calculating the buffer size. An attacker can potentially achieve code execution or an application crash by passing specially crafted data to applications that use the EVP_PKEY_decrypt() function to decrypt SM2 data.
  • CVE-2021-3712 is a buffer overflow in the ASN.1 string processing code, which can cause an application crash or expose the contents of process memory (for example, revealing keys stored in memory) if an attacker somehow manages to produce a string in the internal ASN1_STRING structure that is not terminated by a null byte and have it processed by OpenSSL functions that print certificates, such as X509_aux_print(), X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp().
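The CVE-2021-3712 bullet above hinges on code treating ASN1_STRING data as a C string. As an added example (not from the article or from OpenSSL), the block below uses a constructed stand-in for the ASN1_STRING layout (a length plus a data pointer that is not guaranteed to end in a null byte) and shows the length-bounded copy that application code should use before printing or logging such a value; the names fake_asn1_string, asn1_string_to_cstr and demo_check are assumptions for this example.

```c
/* Added example, not from the article or from OpenSSL. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for OpenSSL's ASN1_STRING: real code must go through
 * ASN1_STRING_length() and ASN1_STRING_get0_data() instead of the struct. */
typedef struct {
    int length;                 /* number of valid bytes in data */
    const unsigned char *data;  /* NOT guaranteed to end with '\0' */
} fake_asn1_string;

/* Copy at most s->length bytes into out and always NUL-terminate.
 * Returns the number of bytes copied, or -1 if out is too small, the
 * length is invalid, or the data contains an embedded NUL (which would
 * silently truncate any later C-string use). */
int asn1_string_to_cstr(const fake_asn1_string *s, char *out, size_t outsz)
{
    if (s == NULL || s->data == NULL || s->length < 0 || out == NULL || outsz == 0)
        return -1;
    size_t len = (size_t)s->length;
    if (len + 1 > outsz)
        return -1;                      /* never overrun the destination */
    if (memchr(s->data, '\0', len) != NULL)
        return -1;                      /* embedded NUL: reject the value */
    memcpy(out, s->data, len);          /* bounded by length, not by strlen() */
    out[len] = '\0';
    return (int)len;
}

/* Constructed sample: 5 valid bytes followed by unrelated bytes and no NUL,
 * i.e. exactly the layout a strlen()/printf("%s") caller would over-read.
 * Returns 1 when the bounded copy behaves correctly, 0 otherwise. */
int demo_check(void)
{
    static const unsigned char raw[] = {'a', 'd', 'm', 'i', 'n', 'X', 'Y', 'Z'};
    fake_asn1_string s = { 5, raw };
    char out[16];
    if (asn1_string_to_cstr(&s, out, sizeof out) != 5) return 0;
    if (strcmp(out, "admin") != 0) return 0;
    if (asn1_string_to_cstr(&s, out, 5) != -1) return 0;   /* too small */
    return 1;
}

int main(void)
{
    printf("bounded ASN1_STRING copy %s\n", demo_check() ? "ok" : "FAILED");
    return demo_check() ? 0 : 1;
}
```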

At the same time, new versions of the LibreSSL library, 3.3.4 and 3.2.6, were released; they do not explicitly mention the vulnerabilities, but judging by the list of changes, the CVE-2021-3712 vulnerability has been eliminated.

source: opennet.ru
