Maintenance releases of the OpenSSL cryptographic library, 3.0.1 and 1.1.1m, are available. Version 3.0.1 fixes a vulnerability (CVE-2021-4044), and about a dozen bugs are fixed in both releases.
The vulnerability is in the SSL/TLS client implementation and is caused by the libssl library mishandling negative error-code values returned by the X509_verify_cert() function, which is called to verify the certificate the server presents to the client. Negative codes are returned when internal errors occur, for example when memory for a buffer cannot be allocated. If such an error is returned, subsequent calls to I/O functions such as SSL_connect() and SSL_do_handshake() return a failure with the error code SSL_ERROR_WANT_RETRY_VERIFY, which should only ever be returned if the application has previously called SSL_CTX_set_cert_verify_callback().
Since most applications do not call SSL_CTX_set_cert_verify_callback(), the appearance of the SSL_ERROR_WANT_RETRY_VERIFY error can be misinterpreted and lead to a crash, an endless loop, or other incorrect behaviour. The problem is especially dangerous in combination with another bug in OpenSSL 3.0, which causes an internal error when X509_verify_cert() processes certificates that lack the "Subject Alternative Name" extension but carry name constraints in their usage restrictions. In that case an attack could lead to application-dependent confusion in certificate processing and TLS session establishment.
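As an added illustration (not code from the article or from OpenSSL) of how a client can avoid the loop or crash described above: the handshake is simulated with a constructed list of SSL_get_error() codes, the SSL_ERROR_* values are the ones OpenSSL 3.0 defines, and the names drive_handshake and retryable are this example's own.

```c
#include <stddef.h>

/* Values as defined in OpenSSL 3.0 <openssl/ssl.h>. */
#define SSL_ERROR_NONE              0
#define SSL_ERROR_WANT_READ         2
#define SSL_ERROR_WANT_WRITE        3
#define SSL_ERROR_WANT_RETRY_VERIFY 12

enum hs_result { HS_DONE, HS_FATAL, HS_GAVE_UP };

/* Decide whether an SSL_get_error() code justifies calling
 * SSL_do_handshake() again. WANT_RETRY_VERIFY is legitimate only if the
 * application installed a callback via SSL_CTX_set_cert_verify_callback();
 * otherwise (the CVE-2021-4044 case) it reflects an internal verification
 * error and must be treated as fatal rather than retried. */
static int retryable(int err, int has_verify_callback)
{
    switch (err) {
    case SSL_ERROR_WANT_READ:
    case SSL_ERROR_WANT_WRITE:
        return 1;
    case SSL_ERROR_WANT_RETRY_VERIFY:
        return has_verify_callback;
    default:
        return 0;   /* any other code, known or unknown, is fatal */
    }
}

/* Drive the handshake. `codes` is a constructed sequence standing in for
 * what SSL_get_error() would report after each SSL_do_handshake() call;
 * a bounded retry budget guards against spinning forever. */
enum hs_result drive_handshake(const int *codes, size_t n,
                               int has_verify_callback, int max_retries)
{
    int retries = 0;
    for (size_t i = 0; i < n; i++) {
        if (codes[i] == SSL_ERROR_NONE)
            return HS_DONE;       /* handshake complete */
        if (!retryable(codes[i], has_verify_callback))
            return HS_FATAL;      /* tear the connection down */
        if (++retries > max_retries)
            return HS_GAVE_UP;    /* retry budget exhausted */
    }
    return HS_GAVE_UP;            /* script ran out without completing */
}
```

The key defensive points are the explicit `default: return 0` arm, so an unexpected code is never retried, and the retry budget, so even a retryable code cannot spin forever.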
Source: opennet.ru
