OpenSSL 1.1.1l update fixes two vulnerabilities

A corrective release of the OpenSSL cryptographic library, 1.1.1l, is available. It fixes two vulnerabilities:

  • CVE-2021-3711 is a buffer overflow in the code implementing the SM2 cryptographic algorithm (common in China) that allows up to 62 bytes to be written beyond the buffer boundary because of an error in calculating the buffer size. An attacker can potentially achieve code execution or an application crash by passing specially crafted data for decryption to applications that use the EVP_PKEY_decrypt() function to decrypt SM2 data.
  • CVE-2021-3712 is a buffer overflow (an out-of-bounds read) in the ASN.1 string processing code that can crash the application or disclose the contents of process memory (for example, to expose keys held in memory) if the attacker is somehow able to get a string that is not terminated with a null character into the internal ASN1_STRING structure and have it processed by the OpenSSL functions that print certificates, such as X509_aux_print(), X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp().
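
The failure mode behind CVE-2021-3712, as an added example that is not OpenSSL code: a length-delimited value handled as a C string is read past its end, while a conversion bounded by the stored length is not. The `struct lenstr` type, both function names and the sample bytes are constructed for illustration; in real code the pointer and length come from `ASN1_STRING_get0_data()` and `ASN1_STRING_length()`.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for ASN1_STRING: pointer plus explicit length,
 * with no guarantee that a NUL byte follows the data. */
struct lenstr {
    const unsigned char *data;
    size_t length;
};

/* Constructed sample: a 16-byte e-mail value followed directly by
 * unrelated bytes, the way neighbouring memory might follow it. */
static const unsigned char sample[] = "user@example.comSECRETKEYBYTES";

/* What C-string handling (strlen, printf "%s") would consume. It is
 * only safe here because the sample array happens to end in a NUL. */
size_t naive_cstr_len(const struct lenstr *s)
{
    return strlen((const char *)s->data);
}

/* Length-bounded conversion: reads exactly s->length bytes. Returns the
 * byte count, or -1 if the value does not fit in out or contains an
 * embedded NUL that would truncate later C-string use. */
long lenstr_to_cstr(const struct lenstr *s, char *out, size_t outsz)
{
    if (s == NULL || out == NULL || outsz == 0 || s->length >= outsz)
        return -1;
    if (s->length > 0) {
        if (s->data == NULL || memchr(s->data, 0, s->length) != NULL)
            return -1;
        memcpy(out, s->data, s->length);
    }
    out[s->length] = '\0';
    return (long)s->length;
}

int main(void)
{
    struct lenstr email = { sample, 16 };
    char buf[32];

    printf("naive length:   %zu\n", naive_cstr_len(&email));
    if (lenstr_to_cstr(&email, buf, sizeof buf) >= 0)
        printf("bounded string: %s\n", buf);
    return 0;
}
```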

At the same time, new versions of the LibreSSL library, 3.3.4 and 3.2.6, were released. They do not explicitly mention vulnerabilities, but judging by the list of changes, the CVE-2021-3712 vulnerability has been fixed.

Source: opennet.ru
