OpenSSL 3.6.0 Released with EVP_SKEY Support and a Buffer Overflow Fix

OpenSSL 3.6.0, an implementation of the SSL/TLS protocols and various encryption algorithms, has been released. OpenSSL 3.6 is a regular support release, with updates available for 13 months. Support for the previous OpenSSL releases (3.5 LTS, 3.4, 3.3, 3.2, and 3.0 LTS) will continue until April 2030, October 2026, April 2026, November 2025, and September 2026, respectively. The project code is licensed under the Apache 2.0 License.

Key changes:

  • Added support for the EVP_SKEY (Symmetric KEY) structure, which represents symmetric keys as opaque objects. Unlike raw keys, which are represented as a byte array, EVP_SKEY abstracts the key structure and carries additional metadata. EVP_SKEY can be used in encryption, key exchange, and key derivation (KDF) functions. The EVP_KDF_CTX_set_SKEY(), EVP_KDF_derive_SKEY(), and EVP_PKEY_derive_SKEY() functions have been added for working with EVP_SKEY keys.
  • Support has been added for digital signature verification based on the Leighton-Micali Signatures (LMS) scheme, which uses hash functions and tree-based hashing in the form of a Merkle Tree (each branch verifies all of the branches and nodes beneath it). LMS digital signatures are resistant to brute-force attacks on a quantum computer and are designed for verifying the integrity of firmware and applications.
  • Added support for NIST security categories in the parameters of PKEY objects (public and private keys). The security category is set through the "security-category" setting. The EVP_PKEY_get_security_category() function has been added to check the security level. The security level reflects resistance to brute-force attacks on quantum computers and can take integer values from 0 to 5:
    • 0 - the implementation is not resistant to being broken on quantum computers;
    • 1/3/5 - the implementation is at least as hard to break as a key search on a block cipher with a 128/192/256-bit key on a quantum computer;
    • 2/4 - the implementation is at least as hard to break as a collision search on a 256/384-bit hash on a quantum computer.
  • The "openssl configutl" command has been added for processing configuration files. The utility lets you produce a single combined file with all settings from a configuration that is spread across multiple include files.
  • The FIPS cryptographic provider has been updated to support deterministic generation of ECDSA digital signatures (the same signature is produced for the same input data), in accordance with the requirements of the FIPS 186-5 standard.
  • Build environment requirements have been raised. ANSI C toolchains are no longer sufficient to build OpenSSL; a C99-compliant compiler is now required.
  • Functions related to the EVP_PKEY_ASN1_METHOD structure have been deprecated.
  • Support for the VxWorks platform has been discontinued.

Fixed vulnerabilities:

  • CVE-2025-9230 is a vulnerability in the code that decrypts password-encrypted CMS messages (PWRI). The vulnerability can cause data to be written or read out of bounds, which can lead to a crash or memory corruption in an application that uses OpenSSL to process CMS messages. Although exploiting this vulnerability for code execution is possible, the severity of the issue is reduced by the fact that password-encrypted CMS messages are rarely used in practice. In addition to OpenSSL 3.6.0, the vulnerability was fixed in OpenSSL 3.5.4, 3.4.3, 3.3.5, 3.2.6, and 3.0.18. The issue was also fixed in LibreSSL 4.0.1 and 4.1.1, the library developed by the OpenBSD project.
  • CVE-2025-9231 - the implementation of the SM2 algorithm is vulnerable to a side-channel attack. On systems with 64-bit ARM CPUs, this allows the private key to be recovered by analyzing the timing of individual computations. The attack can potentially be carried out remotely. The risk of attack is reduced by the fact that OpenSSL does not directly support the use of certificates with SM2 keys in TLS.
  • CVE-2025-9232 is a vulnerability in the built-in HTTP client implementation that allows data to be read out of bounds when a specially crafted URL is processed in the HTTP client functions. The issue manifests only when the "no_proxy" environment variable is set and can lead to an application crash.
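
The fixed releases listed above for CVE-2025-9230 can be turned into a quick inventory triage. The following is an added example, not code from the OpenSSL project or from the original article; the host names and version banners in the sample are constructed, and branches the article does not mention are reported as "unknown" rather than guessed.

```python
import re

# Fixed patch level for CVE-2025-9230 per branch, exactly as listed in the text above.
FIXED = {
    "OpenSSL": {(3, 6): 0, (3, 5): 4, (3, 4): 3, (3, 3): 5, (3, 2): 6, (3, 0): 18},
    "LibreSSL": {(4, 0): 1, (4, 1): 1},
}

# Matches the start of `openssl version` output, e.g. "OpenSSL 3.0.13 30 Jan 2024".
BANNER = re.compile(r"^(OpenSSL|LibreSSL)\s+(\d+)\.(\d+)\.(\d+)")


def triage(banner):
    """Return 'fixed', 'needs-update' or 'unknown' for one version banner."""
    m = BANNER.match(banner.strip())
    if not m:
        return "unknown"
    product = m.group(1)
    major, minor, patch = (int(g) for g in m.group(2, 3, 4))
    fixed_patch = FIXED[product].get((major, minor))
    if fixed_patch is None:
        # Branch not mentioned in the article (e.g. 3.1 or 1.1.1): make no claim.
        return "unknown"
    return "fixed" if patch >= fixed_patch else "needs-update"


def triage_inventory(lines):
    """Map 'host banner' inventory lines to {host: status}."""
    result = {}
    for line in lines:
        host, _, banner = line.partition(" ")
        result[host] = triage(banner)
    return result


# Constructed sample inventory: host names and banners are made up for illustration.
SAMPLE = [
    "web01 OpenSSL 3.0.13 30 Jan 2024 (Library: OpenSSL 3.0.13 30 Jan 2024)",
    "web02 OpenSSL 3.5.4 30 Sep 2025",
    "db01 OpenSSL 3.6.0 1 Oct 2025",
    "old01 OpenSSL 1.1.1w  11 Sep 2023",
    "bsd01 LibreSSL 4.1.0",
    "ci01 OpenSSL 3.1.4 24 Oct 2023",
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE).items():
        print(f"{host}: {status}")
```

Distribution packages often backport fixes without changing the upstream version string, so a "needs-update" result should be confirmed against the vendor's advisory for that package.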

Source: opennet.ru
