Vulnerabilities in Netfilter and io_uring that allow privilege escalation on the system

Vulnerabilities have been identified in the Netfilter and io_uring subsystems of the Linux kernel that allow a local user to elevate their privileges on the system:

  • A vulnerability (CVE-2023-32233) in the Netfilter subsystem, caused by a use-after-free memory access in the nf_tables module, which implements the nftables packet filter. The vulnerability can be exploited by sending specially crafted requests that update the nftables configuration. The attack requires access to nftables, which an unprivileged user can obtain inside a separate network namespace if they are allowed to create user, mount or network namespaces (CLONE_NEWUSER, CLONE_NEWNS or CLONE_NEWNET), for example if they can run an isolated container.

    To give users time to install the update, the researcher who discovered the problem promised to delay by a week (until May 15) the publication of detailed information and of a working exploit prototype that provides a root shell. The vulnerability was fixed in the 6.4-rc1 update. You can track the fix in distributions on the following pages: Debian, Ubuntu, Gentoo, RHEL, Fedora, SUSE/openSUSE, Arch.

  • A vulnerability (CVE not yet assigned) in the implementation of io_uring, the asynchronous I/O interface included in the Linux kernel since release 5.1. The problem is caused by a bug in the io_sqe_buffer_register function that allows access to physical memory outside the bounds of a statically allocated buffer. The problem appears only in the 6.3 branch and will be fixed in the upcoming 6.3.2 update. A working exploit prototype that allows code execution with kernel privileges is already available for testing.
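The attack path described above for CVE-2023-32233 (an unprivileged user reaching nftables through its own user and network namespace) and the version ranges given for both bugs can be checked from a local account. The following C program is an added example written for this page, not code from the advisory or from the researcher. It parses `uname -r`, applies only the ranges stated above (6.3 below 6.3.2 for the io_uring bug, 6.4-rc1 for the upstream nf_tables fix; distribution backports are not listed on this page, so older kernels are reported as "check your vendor advisory", never as fixed), and then, in a forked child, tries unshare(CLONE_NEWUSER|CLONE_NEWNET) followed by an NFT_MSG_GETTABLES dump request over a NETLINK_NETFILTER socket. The function names, return codes and the constructed version strings are this example's own assumptions.

```c
/* Added example, not from the advisory: precondition check for the two bugs above. */
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/utsname.h>
#include <sys/wait.h>
#include <linux/netlink.h>

/* Fallbacks in case _GNU_SOURCE was not in effect when <sched.h> was read. */
#ifndef CLONE_NEWUSER
#define CLONE_NEWUSER 0x10000000
#endif
#ifndef CLONE_NEWNET
#define CLONE_NEWNET 0x40000000
#endif
int unshare(int flags); /* glibc prototype */

/* Kernel version triple parsed from uname -r, e.g. "6.3.1-arch1-1" or "6.4.0-rc1". */
struct kver { int major, minor, patch; };

/* Parse "major.minor[.patch]" and ignore any suffix; 0 on success, -1 on failure. */
int parse_kver(const char *s, struct kver *v)
{
    v->major = v->minor = v->patch = 0;
    return sscanf(s, "%d.%d.%d", &v->major, &v->minor, &v->patch) >= 2 ? 0 : -1;
}

/* io_sqe_buffer_register bug as stated above: only the 6.3 branch, fixed in 6.3.2. */
int io_uring_63_affected(const struct kver *v)
{
    return v->major == 6 && v->minor == 3 && v->patch < 2;
}

/* CVE-2023-32233: fixed upstream in 6.4-rc1. Anything older may carry a stable or
 * distribution backport whose version is not on this page, so it is not "vulnerable",
 * it is "check your vendor advisory". */
int nft_cve_2023_32233_fixed_upstream(const struct kver *v)
{
    return v->major > 6 || (v->major == 6 && v->minor >= 4);
}

/* Bitmask summary of one release string; -1 if it cannot be parsed. */
enum { REL_IO_URING_63_BUG = 1, REL_NFT_FIXED_UPSTREAM = 2 };
int classify_release(const char *release)
{
    struct kver v;
    if (parse_kver(release, &v) != 0)
        return -1;
    return (io_uring_63_affected(&v) ? REL_IO_URING_63_BUG : 0)
         | (nft_cve_2023_32233_fixed_upstream(&v) ? REL_NFT_FIXED_UPSTREAM : 0);
}

/* nfnetlink message type (NFNL_SUBSYS_NFTABLES 10 << 8 | NFT_MSG_GETTABLES 1) and the
 * nfgenmsg payload, copied from the uapi headers so only <linux/netlink.h> is needed. */
#define NFT_GETTABLES_TYPE ((10 << 8) | 1)
struct nfgenmsg_local { unsigned char nfgen_family, version; unsigned short res_id; };

/* Runs in the forked child: fresh user+net namespaces, then ask nf_tables to list tables.
 * Exit codes (this example's own): 0 reachable, 2 namespaces blocked, 3 nf_tables silent. */
static int probe_child(void)
{
    if (unshare(CLONE_NEWUSER | CLONE_NEWNET) != 0)
        return 2;                          /* EPERM/ENOSYS: unprivileged userns disabled */
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER); /* opened inside the new netns */
    if (fd < 0)
        return 3;
    struct timeval tv = { 2, 0 };          /* never hang if nothing answers */
    setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof tv);
    struct { struct nlmsghdr nlh; struct nfgenmsg_local nfg; } req;
    memset(&req, 0, sizeof req);
    req.nlh.nlmsg_len = sizeof req;        /* 16-byte header + 4-byte nfgenmsg */
    req.nlh.nlmsg_type = NFT_GETTABLES_TYPE;
    req.nlh.nlmsg_flags = NLM_F_REQUEST | NLM_F_DUMP;
    req.nlh.nlmsg_seq = 1;
    req.nfg.nfgen_family = AF_UNSPEC;      /* all address families */
    if (send(fd, &req, sizeof req, 0) != (ssize_t)sizeof req)
        return 3;
    char buf[4096];
    ssize_t n = recv(fd, buf, sizeof buf, 0);
    if (n < (ssize_t)sizeof(struct nlmsghdr))
        return 3;
    struct nlmsghdr *rep = (struct nlmsghdr *)buf;
    /* An error (e.g. EOPNOTSUPP, no nf_tables) means unreachable; a table list, even an
     * empty one delivered as a bare NLMSG_DONE, means the attack surface is reachable. */
    if (rep->nlmsg_type == NLMSG_ERROR)
        return ((struct nlmsgerr *)NLMSG_DATA(rep))->error == 0 ? 0 : 3;
    return 0;
}

/* 1 if an unprivileged process can reach nf_tables through its own namespaces,
 * 0 if blocked, -1 if the probe itself failed. Forks so the caller stays in its namespaces. */
int probe_unprivileged_nft_reach(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(probe_child());
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    switch (WEXITSTATUS(status)) {
    case 0:  return 1;
    case 2:
    case 3:  return 0;
    default: return -1;
    }
}

int main(void)
{
    struct utsname u;
    if (uname(&u) != 0 || classify_release(u.release) < 0) {
        fprintf(stderr, "cannot determine kernel version\n");
        return 1;
    }
    int c = classify_release(u.release);
    printf("kernel %s\n", u.release);
    printf("io_uring 6.3 branch bug: %s\n",
           (c & REL_IO_URING_63_BUG) ? "AFFECTED, update to 6.3.2" : "not in the affected range");
    printf("CVE-2023-32233: %s\n",
           (c & REL_NFT_FIXED_UPSTREAM) ? "fixed upstream (6.4-rc1 or later)"
                                        : "check your distribution's advisory for the backport");
    int r = probe_unprivileged_nft_reach();
    printf("unprivileged nf_tables reach via user+net namespace: %s\n",
           r == 1 ? "YES" : r == 0 ? "blocked" : "probe failed");
    return 0;
}
```

Build with `cc -o nft-probe nft-probe.c` and run it as an ordinary user. "YES" on the last line means the nf_tables netlink surface is reachable without privileges, which is the prerequisite the advisory names for the attack; it reports "blocked" where unprivileged user namespaces are disabled (for example sysctl user.max_user_namespaces=0, or kernel.unprivileged_userns_clone=0 on Debian and Ubuntu kernels). A "blocked" result narrows only the nf_tables issue; the io_uring bug needs no namespace at all, so the version line is the relevant check there.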
