Buffer overflow in OpenSSL exploitable during X.509 certificate verification

A corrective release of the OpenSSL cryptographic library, 3.0.7, has been published, fixing two vulnerabilities. Both issues are caused by a buffer overflow in the code that validates the email address field in X.509 certificates and could lead to code execution when a specially crafted certificate is processed. At the time the fix was published, the OpenSSL developers had not recorded any evidence of a working exploit capable of executing attacker code.

Although the pre-release announcement of the new version mentioned a critical issue, in the published update the status of the vulnerability was in fact lowered to the level of a dangerous, but not critical, vulnerability. In accordance with the rules adopted by the project, the severity level is lowered if the problem manifests itself only in an atypical configuration or if there is a low probability of the vulnerability being exploited in practice.

In this case, the severity level was lowered because a detailed analysis of the vulnerability by several organizations concluded that the ability to execute code during exploitation is blocked by the stack overflow protection mechanisms used on many platforms. In addition, the stack layout used in some Linux distributions results in the 4 out-of-bounds bytes landing on the next buffer on the stack, which is not yet in use. Nevertheless, it is possible that platforms exist on which code execution could be achieved.

Identified issues:

  • CVE-2022-3602 - a vulnerability, initially presented as critical, that leads to a 4-byte buffer overflow when checking a field containing a specially crafted email address in an X.509 certificate. In a TLS client, the vulnerability can be exploited when connecting to a server controlled by an attacker. In a TLS server, the vulnerability can be exploited if client authentication using certificates is enabled. In this case, the vulnerability manifests itself at the stage after verification of the certificate's chain of trust, i.e. the attack requires that a certificate authority certify the attacker's malicious certificate.
  • CVE-2022-3786 - another vector for exploiting the CVE-2022-3602 vulnerability, identified while analysing the problem. The difference comes down to the possibility of overflowing the buffer on the stack by an arbitrary number of bytes containing "." (i.e. the attacker cannot control the contents of the overflow, and the problem can only be used to crash the application).

The vulnerability appears only in the OpenSSL 3.0.x branch (the bug was introduced in the Unicode (punycode) conversion code added in the 3.0.x branch). OpenSSL 1.1.1 releases, as well as the OpenSSL fork libraries LibreSSL and BoringSSL, are not affected by the problem. At the same time, the OpenSSL 1.1.1s update was released, which contains only non-security bug fixes.

The OpenSSL 3.0 branch is used in distributions such as Ubuntu 22.04, CentOS Stream 9, RHEL 9, OpenMandriva 4.2, Gentoo, Fedora 36 and Debian Testing/Unstable. Users of these systems are advised to install the update as soon as possible (Debian, Ubuntu, RHEL, SUSE/openSUSE, Fedora, Arch). In SUSE Linux Enterprise 15 SP4 and openSUSE Leap 15.4, packages with OpenSSL 3.0 are available optionally, while the system packages use the 1.1.1 branch. Debian 11, Arch Linux, Void Linux, Ubuntu 20.04, Slackware, ALT Linux, RHEL 8, OpenWrt, Alpine Linux 3.16 and FreeBSD remain on OpenSSL 1.x branches.
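As an added example (not from the original article or the OpenSSL project), here is a small triage helper a defender could run over an inventory of version strings collected from hosts, applying the affected and unaffected branches named above: OpenSSL 3.0.0 through 3.0.6 vulnerable, 3.0.7 fixed, 1.1.1 and the LibreSSL/BoringSSL forks not affected. The host names and version strings in the sample inventory are constructed.

```python
import re
import ssl

# Version strings in the form reported by ssl.OPENSSL_VERSION, e.g.
# "OpenSSL 3.0.2 15 Mar 2022" or "OpenSSL 1.1.1s  1 Nov 2022".
_VERSION_RE = re.compile(r"^(OpenSSL|LibreSSL|BoringSSL)\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def classify_openssl(version_string):
    """Classify a library version string for CVE-2022-3602 / CVE-2022-3786.

    Returns 'vulnerable', 'fixed', 'not-affected' or 'unknown'.
    Only the OpenSSL 3.0.x branch carries the punycode code in which the bug
    was introduced; the fix shipped in 3.0.7.
    """
    m = _VERSION_RE.match(version_string.strip())
    if m is None:
        return "unknown"  # unparsable string: needs a manual look, not a guess
    name = m.group(1)
    major, minor, patch = int(m.group(2)), int(m.group(3)), int(m.group(4))
    if name != "OpenSSL":
        return "not-affected"  # LibreSSL / BoringSSL forks are not affected
    if (major, minor) != (3, 0):
        return "not-affected"  # 1.1.1 branch (1.1.1s included) is not affected
    return "fixed" if patch >= 7 else "vulnerable"


def triage_inventory(inventory):
    """Map {host: version string} to {host: classification}."""
    return {host: classify_openssl(ver) for host, ver in inventory.items()}


def hosts_needing_update(inventory):
    """Sorted list of hosts whose library must be updated to 3.0.7 or later."""
    return sorted(h for h, c in triage_inventory(inventory).items() if c == "vulnerable")


# Constructed sample inventory (host names and versions are made up).
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 3.0.2 15 Mar 2022",
    "web-02": "OpenSSL 3.0.7 1 Nov 2022",
    "db-01": "OpenSSL 1.1.1s  1 Nov 2022",
    "bastion": "LibreSSL 3.5.3",
    "legacy": "custom build 2019",
}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:10} {status}")
    # Also report the library this interpreter itself is linked against.
    print("local:", ssl.OPENSSL_VERSION, "->", classify_openssl(ssl.OPENSSL_VERSION))
```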

source: opennet.ru
