The mainline branch nginx 1.23.2 has been released, in which development of new features continues, together with the release of the supported stable branch nginx 1.22.1, which includes only changes related to fixing serious bugs and vulnerabilities.
The new versions eliminate two vulnerabilities (CVE-2022-41741, CVE-2022-41742) in the ngx_http_mp4_module module, which is used to organize streaming from files in the H.264/AAC format. The vulnerabilities can lead to memory corruption or a memory leak when a specially crafted mp4 file is processed. An abnormal termination of the worker process is mentioned as the consequence, but other manifestations, such as arranging code execution on the server, are not ruled out.
Notably, a similar vulnerability had already been fixed in the ngx_http_mp4_module module in 2012. In addition, F5 reported a similar vulnerability (CVE-2022-41743) in the NGINX Plus product, affecting the ngx_http_hls_module module, which provides support for the HLS protocol (Apple HTTP Live Streaming).
Besides eliminating the vulnerabilities, the following changes are offered in nginx 1.23.2:
- Added support for the "$proxy_protocol_tlv_*" variables, which contain the values of the TLV (Type-Length-Value) fields from the PROXY v2 protocol.
- Automatic rotation of the encryption keys for TLS session tickets is provided, which is applied when shared memory is used in the ssl_session_cache directive.
- The logging level of errors related to an invalid SSL record type has been lowered from the critical level to the informational level.
- The logging level of messages about the inability to allocate memory for a new session has been changed to the warning level and limited to one log entry per second.
- On the Windows platform, building with OpenSSL 3.0 has been made to work.
- Improved reporting of PROXY protocol errors in the log.
- Fixed an issue where the timeout specified in the "ssl_session_timeout" directive did not take effect when using TLSv1.3 based on OpenSSL or BoringSSL.
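As an added illustration (not part of the release announcement or the nginx project's own documentation), the following configuration shows how the 1.23.2 changes above fit together: a shared ssl_session_cache, which is the condition for the automatic ticket key rotation, an ssl_session_timeout that now also applies to TLSv1.3, and an access log that records PROXY v2 TLV values. The hostname, certificate paths and the 10.0.0.0/8 load-balancer network are placeholders.

```nginx
# Added example configuration; all names and addresses are placeholders.
http {
    # Log PROXY v2 TLV fields (nginx 1.23.2+). A variable is empty when the
    # proxy in front did not send that TLV. Numeric types use the 0x form.
    log_format proxyv2 '$remote_addr [$time_local] "$request" $status '
                       'alpn=$proxy_protocol_tlv_alpn '
                       'authority=$proxy_protocol_tlv_authority '
                       'unique_id=$proxy_protocol_tlv_unique_id '
                       'tlv_ea=$proxy_protocol_tlv_0xEA';

    server {
        # Expect the PROXY protocol header from the load balancer in front.
        listen 443 ssl proxy_protocol;
        server_name example.com;                 # placeholder

        # Only accept PROXY headers from the load balancer's network, and
        # take the client address from that header rather than the TCP peer.
        set_real_ip_from 10.0.0.0/8;             # placeholder
        real_ip_header proxy_protocol;

        ssl_certificate     /etc/nginx/certs/example.com.pem;   # placeholder
        ssl_certificate_key /etc/nginx/certs/example.com.key;   # placeholder
        ssl_protocols TLSv1.2 TLSv1.3;

        # Shared memory cache: with 1.23.2 this also makes nginx rotate the
        # session ticket encryption keys automatically.
        ssl_session_cache   shared:SSL:10m;
        ssl_session_tickets on;
        # Since 1.23.2 this timeout is honoured for TLSv1.3 on OpenSSL/BoringSSL too.
        ssl_session_timeout 1d;

        access_log /var/log/nginx/access.log proxyv2;

        location / {
            root /var/www/html;                  # placeholder
        }
    }
}
```

Check the result with `nginx -t` before reloading; if the proxy in front does not send a PROXY v2 header, connections to a `proxy_protocol` listener are rejected and the error is now reported more clearly in the log.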
Source: opennet.ru