Release of the new stable Tor 0.4.6 branch

The release of the Tor 0.4.6.5 toolkit, used to run the anonymous Tor network, has been published. Tor 0.4.6.5 is the first stable release of the 0.4.6 branch, which has been in development for the past five months. The 0.4.6 branch will be maintained under the regular maintenance cycle: updates will stop after 9 months, or 3 months after the release of the 0.4.7.x branch. Long-term support (LTS) is provided for the 0.3.5 branch, for which updates will be published until 1 February 2022. At the same time, Tor releases 0.3.5.15, 0.4.4.9 and 0.4.5.9 were produced; they fix DoS vulnerabilities that could cause a denial of service for onion service clients and for relays.

Main changes:

  • Added the ability to create onion services based on the third version of the protocol with client access authorization via files in the 'authorized_clients' directory.
  • For relays, a flag has been added that lets the node operator learn that the relay was not included in the consensus by the directory authorities (for example, when there are too many relays on a single IP address).
  • Congestion information can now be passed in the extrainfo data, which can be used for load balancing in the network. Transmission of these metrics is controlled with the OverloadStatistics option in torrc.
  • The ability to limit the rate of client connections to relays has been added to the DoS attack protection subsystem.
  • Relays now publish statistics on the number of onion services based on the third version of the protocol and on the volume of their traffic.
  • Support for the DirPorts option, which is not used for this type of node, has been removed from the relay code.
  • The code has been refactored. The DoS attack protection subsystem has been moved to the subsys manager.
  • Support for old onion services based on the second version of the protocol, which was declared obsolete last year, has been discontinued. Complete removal of the code associated with the second version of the protocol is expected in the autumn. The second version of the protocol was developed about 16 years ago and, because it relies on outdated algorithms, cannot be considered secure under modern conditions. Two and a half years ago, in release 0.3.2.9, users were offered the third version of the onion service protocol, notable for the switch to 56-character addresses, more reliable protection against data leaks through directory servers, an extensible modular structure, and the use of the SHA3, ed25519 and curve25519 algorithms instead of SHA1, DH and RSA-1024.
  • Vulnerabilities fixed:
    • CVE-2021-34550 - out-of-bounds memory access in the code that parses onion service descriptors based on the third version of the protocol. By publishing a specially crafted onion service descriptor, an attacker can crash any client that tries to access that onion service.
    • CVE-2021-34549 - possible denial-of-service attack on relays. An attacker can create circuits with identifiers that cause collisions in hash functions; processing them leads to heavy CPU load.
    • CVE-2021-34548 - a relay could spoof RELAY_END and RELAY_RESOLVED cells on half-closed streams, which allowed the termination of a stream created without that relay's participation.
    • TROVE-2021-004 - additional failure checks were added when calling the OpenSSL random number generator (with the default RNG implementation in OpenSSL, such failures do not occur).
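As an added illustration, not part of the original announcement or of the Tor project's own documentation, the fragment below shows how the first and third changes above look in practice: a version-3 onion service whose clients are authorized through files in its 'authorized_clients' directory, and the OverloadStatistics option that controls the overload metrics in extrainfo. The service path, the client name and the key value are placeholders; only the option names and the `descriptor:x25519:` file format are real.

```text
# torrc fragment on the onion-service host (paths are placeholders)
HiddenServiceDir /var/lib/tor/example_service/
HiddenServiceVersion 3
HiddenServicePort 80 127.0.0.1:8080

# Only meaningful on a relay: report overload metrics in the
# extrainfo descriptor (1 = enabled, the option named above)
OverloadStatistics 1

# /var/lib/tor/example_service/authorized_clients/alice.auth
# One file per authorized client, ending in ".auth"; the value is the
# client's base32-encoded x25519 public key (placeholder here).
descriptor:x25519:PLACEHOLDER_BASE32_X25519_PUBLIC_KEY
```

Once at least one `.auth` file is present, Tor encrypts the service descriptor so that only holders of the matching x25519 private keys can decrypt it; a client without a key in the set receives nothing usable from the directory servers, which is the access-control point the announcement refers to.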

Source: opennet.ru
