OpenWrt 19.07.1


OpenWrt distribution releases 18.06.7 and 19.07.1 have been published. They fix the vulnerability CVE-2020-7982 in the opkg package manager, which could be used to carry out a MITM attack and replace the contents of a package downloaded from the repository. Because of an error in the checksum verification code, an attacker could cause the SHA-256 checksums for a package to be ignored, which made it possible to bypass the integrity checks on downloaded ipk resources.

The problem had been present since February 2017, after code was added to ignore leading spaces before the checksum. Because of an error in skipping the spaces, the pointer to the position in the line was not advanced, so the SHA-256 hexadecimal decoding loop returned control immediately and returned a checksum of zero length.

Because the opkg package manager is launched as root, an attacker can, during a MITM attack, change the contents of an ipk package downloaded from the repository while the user runs the "opkg install" command, and arrange for their code to be executed with root privileges by adding their own handler scripts to the package, which are called during installation. To exploit the vulnerability, the attacker must also substitute the package index (for example, the one served from downloads.openwrt.org). The size of the modified package must match the original size from the index.

The new releases also fix one more vulnerability, in the libubox library, which can lead to a buffer overflow when specially formatted serialized binary or JSON data is processed in the blobmsg_format_json function.

Source: linux.org.ru
