ProHoster > Ibhulogi > iindaba ze-intanethi > Ubuthathaka kwiLinux kernel, Glibc, GStreamer, Ghostscript, BIND kunye neCUPS

Ubuthathaka kwiLinux kernel, Glibc, GStreamer, Ghostscript, BIND kunye neCUPS

Uninzi lweziphene ezisanda kuchongwa:

  • I-CVE-2023-39191 bubuthathaka kwinkqubo ephantsi ye-eBPF evumela umsebenzisi wasekhaya ukuba anyuse amalungelo akhe kwaye aphumeze ikhowudi kwinqanaba le-Linux kernel. Ukuba sesichengeni kubangelwa kungqinisiso olungachanekanga lweeprogram ze-eBPF ezingeniswe ngumsebenzisi ukuba ziphunyezwe. Ukwenza uhlaselo, umsebenzisi kufuneka akwazi ukulayisha eyakhe inkqubo ye-BPF (ukuba i-kernel.unprivileged_bpf_disabled parameter isetelwe ku-0, umzekelo, njengaku-Ubuntu 20.04). Ulwazi malunga nokuba sesichengeni lugqithiselwe kubaphuhlisi be-kernel emva kukaDisemba wonyaka ophelileyo, kwaye ukulungiswa kwaziswa ngokuthula ngoJanuwari.
  • I-CVE-2023-42753 Umba onezalathisi zoluhlu ekuphunyezweni kwe-ipset kwisistim esezantsi ye-netfilter kernel, enokusetyenziswa ukunyusa/ukunciphisa izikhombisi kunye nokudala iimeko zokubhala okanye ukufundela indawo yememori ngaphandle kwe-buffer eyabelwe. Ukujonga ubukho bokuba sesichengeni, iprototype yoxhatshazo ilungiselelwe ebangela ukupheliswa okungaqhelekanga (imeko zoxhaphazo eziyingozi ngakumbi azinakukhutshelwa ngaphandle). Ukulungiswa kufakwe kukukhutshwa kwe-kernel 5.4.257, 6.5.3, 6.4.16, 6.1.53, 5.10.195, 5.15.132.
  • I-CVE-2023-39192, CVE-2023-39193, CVE-2023-39193 - ubuthathaka obuninzi kwi-Linux kernel ekhokelela ekuvuzeni kwemixholo yememori ye-kernel ngenxa yokukwazi ukufunda kwiindawo ezingaphandle kwe-buffer eyabelwe kwi-match_flags kunye ne-u32_match_it. ye Netfilter subsystem, kunye nakwinkqubo yokucoca ikhowudi yelizwe. Ubuthathaka balungiswa ngo-Agasti (1, 2) noJuni.
  • I-CVE-2023-42755 bubuthathaka obuvumela umsebenzisi wasekhaya ongenanto ukuba abangele ukuphahlazeka kwekernel ngenxa yempazamo xa usebenza nezalathisi kwi-rsvp yohlelo lwetrafikhi. Ingxaki ibonakala kwii-LTS kernels 6.1, 5.15, 5.10, 5.4, 4.19 kunye ne-4.14. Iprototype yokuxhaphaza ilungiselelwe. Ukulungiswa akukamkelwa kwi-kernel kwaye iyafumaneka njenge patch.
  • I-CVE-2023-42756 yimeko yogqatso kwi-NetFilter kernel subsystem enokuthi isetyenziswe ukuze ibangele umsebenzisi wendawo ukuba aqalise imeko ye-Panic. Iprototype yokuxhaphaza iyafumaneka esebenza ubuncinci kwiinkozo 6.5.rc7, 6.1 kunye no-5.10. Ukulungiswa akukamkelwa kwi-kernel kwaye iyafumaneka njenge patch.
  • I-CVE-2023-4527 Ukuphuphuma kwe-stack kwilayibrari ye-Glibc kwenzeka kumsebenzi we-getaddrininfo xa kusetyenzwa impendulo ye-DNS enkulu kune-2048 bytes. Ukuba sesichengeni kunokukhokelela ekuvuzeni kwedatha yemfumba okanye ukonakala. Ukuba sesichengeni kubonakala kuphela kwiinguqulelo ze-Glibc ezintsha kune-2.36 xa usebenzisa i-"no-aaaa" ukhetho kwi /etc/resolv.conf.
  • I-CVE-2023-40474, i-CVE-2023-40475 bubuthathaka kwisakhelo semultimedia ye-GStreamer ebangelwa kukuphuphuma okupheleleyo kwiifayile zevidiyo zeMXF. Ubuthathaka bunokukhokelela ekuqhutyweni kwekhowudi yomhlaseli xa kusetyenzwa ngokukhethekileyo iifayile zeMXF ezilungiselelwe ngokukodwa kwisicelo esisebenzisa iGStreamer. Ingxaki ilungisiwe kwi-gst-plugins-bad 1.22.6 package.
  • I-CVE-2023-40476 - I-buffer iphuphuma kwiprosesa yevidiyo ye-H.265 enikezelwa kwi-GStreamer, evumela ukuphunyezwa kwekhowudi xa kusetyenzwa ividiyo efomathiweyo ngokukodwa. Ubuthathaka bulungisiwe kwiphakheji ye-gst-plugins-bad 1.22.6.
  • Uhlalutyo - uhlalutyo lwe-exploit esebenzisa ubuthathaka be-CVE-2023-36664 kwiphakheji ye-Ghostscript ukwenza ikhowudi yayo xa uvula amaxwebhu e-PostScript ayilwe ngokukodwa. Ingxaki ibangelwa kukuqhubekeka ngendlela engeyiyo kwamagama eefayili aqala ngophawu β€œ|”. okanye isimaphambili %pipe%. Ukuba sesichengeni kwalungiswa kwi-Ghostscript 10.01.2 ukukhululwa.
  • CVE-2023-3341, CVE-2023-4236 - ubuthathaka kwi-BIND 9 iseva ye-DNS ekhokelela ekungqubekeni kwenkqubo ebizwa ngokuba yinkqubo enikwe igama xa kusetyenzwa imiyalezo yolawulo eyilwe ngokukodwa (ukufikelela kwizibuko le-TCP apho igama lilawulwa kwanele (evulekileyo kuphela). ngokungagqibekanga).ujongano lweloopback), ulwazi lwesitshixo seRNDC alufunwa) okanye ukwenza umthwalo othile ophezulu kwimowudi ye-DNS-over-TLS. Ubuthathaka basonjululwa kukukhutshwa kwe-BIND 9.16.44, 9.18.19, kunye ne-9.19.17.
  • I-CVE-2023-4504 bubuthathaka kumncedisi woshicilelo we-CUPS kunye nethala leencwadi le-libppd elikhokelela ekuphuphumeni kwe-buffer xa kusahlulwa amaxwebhu ePostscript afomathwe ngokukodwa. Kungenzeka ukuba ubuthathaka bunokusetyenziswa ukuququzelela ukuphunyezwa kwekhowudi yomntu kwisistim. Umba usonjululwe ekukhutshweni kwe-CUPS 2.4.7 (isiqwenga) kunye ne-libppd 2.0.0 (isiqwenga).

umthombo: opennet.ru

Yongeza izimvo