Vulnerability in OpenSSL 3.0.4 leading to remote process memory corruption

A vulnerability has been identified in the OpenSSL cryptographic library (a CVE has not yet been assigned) that lets a remote attacker corrupt the contents of process memory by sending specially crafted data while a TLS connection is being established. It is not yet clear whether the problem can lead to execution of attacker code and leakage of data from process memory, or whether it is limited to a crash.

The vulnerability appears in the OpenSSL 3.0.4 release, published on June 21, and is caused by an incorrect fix for a bug in the code, as a result of which up to 8192 bytes of data can be overwritten or read beyond the allocated buffer. Exploitation of the vulnerability is possible only on x86_64 systems with support for AVX512 instructions.

OpenSSL forks such as BoringSSL and LibreSSL, as well as the OpenSSL 1.1.1 branch, are not affected by the problem. The fix is currently available only as a patch. In the worst case, the problem could be more dangerous than the Heartbleed vulnerability, but the threat level is reduced by the fact that the vulnerability appears only in the OpenSSL 3.0.4 release, while many distributions continue to ship the 1.1.1 branch by default or have not yet had time to build package updates with version 3.0.4.
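The exposure conditions described above (OpenSSL 3.0.4, x86_64, AVX512 support) can be checked together when triaging hosts. The script below is an added example, not code from the article or from the OpenSSL project; the function names, the verdict strings and the choice to treat any `avx512*` flag in `/proc/cpuinfo` as "AVX512 support" are assumptions, and the sample banners are constructed.

```shell
#!/bin/sh
# Added triage example: do the article's three exposure conditions hold together?
# Caveat: `openssl version` describes the CLI's library; applications that
# bundle their own OpenSSL copy must be checked separately.

# openssl_version_of BANNER -> prints e.g. "3.0.4"; empty for LibreSSL etc.
openssl_version_of() {
    printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2; exit }'
}

# has_avx512 FLAGS -> exit 0 if any avx512* CPU flag is listed.
has_avx512() {
    case " $1 " in
        *" avx512"*) return 0 ;;
        *) return 1 ;;
    esac
}

# classify BANNER ARCH FLAGS -> prints one verdict line.
classify() {
    ver=$(openssl_version_of "$1")
    if [ "$ver" != "3.0.4" ]; then
        echo "not-affected: OpenSSL version '${ver:-unknown}' is not 3.0.4"
    elif [ "$2" != "x86_64" ]; then
        echo "not-exploitable: 3.0.4 on $2, not x86_64"
    elif ! has_avx512 "$3"; then
        echo "not-exploitable: 3.0.4 on x86_64 without AVX512"
    else
        # A patched 3.0.4 build still reports 3.0.4, so confirm the patch level.
        echo "exposed: 3.0.4 on x86_64 with AVX512, confirm the patch is applied"
    fi
}

# check_host: gather the same three inputs from the local Linux machine.
check_host() {
    banner=$(openssl version 2>/dev/null || true)
    flags=$(grep -m1 '^flags' /proc/cpuinfo 2>/dev/null || true)
    classify "$banner" "$(uname -m)" "$flags"
}

# Constructed sample inputs (not captured from real hosts).
classify "OpenSSL 3.0.4 21 Jun 2022 (Library: OpenSSL 3.0.4 21 Jun 2022)" \
    x86_64 "flags : fpu sse2 avx2 avx512f avx512ifma"
classify "OpenSSL 3.0.4 21 Jun 2022" x86_64 "flags : fpu sse2 avx2"
classify "OpenSSL 1.1.1o  3 May 2022" x86_64 "flags : fpu avx512f"
classify "LibreSSL 3.5.2" x86_64 "flags : fpu avx512f"
check_host
```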

Source: opennet.ru