Buffer overflow in OpenSSL exploitable during X.509 certificate verification

A corrective release of the OpenSSL cryptographic library, 3.0.7, has been published, fixing two vulnerabilities. Both issues are caused by buffer overflows in the code that validates the email address field of X.509 certificates and may lead to code execution when a specially crafted certificate is processed. At the time the fix was published, the OpenSSL developers had not recorded evidence of a working exploit that could lead to execution of attacker code.

Although the pre-announcement of the new release mentioned a critical issue, in the published update the status of the vulnerability was actually lowered to the level of a high-severity, but not critical, vulnerability. Under the rules adopted by the project, the severity level is reduced if the problem manifests itself in an atypical configuration or if there is a low probability of the vulnerability being exploited in practice.

In this case, the severity level was lowered because a detailed analysis of the vulnerability by several organisations concluded that the ability to execute code during exploitation is blocked by the stack overflow protection mechanisms used on many platforms. In addition, the stack layout used in some Linux distributions results in the 4 bytes that go out of bounds landing on top of the next buffer on the stack, which is not yet in use. However, it is possible that platforms exist on which code execution could be achieved.

Identified issues:

  • CVE-2022-3602 - the vulnerability, initially presented as critical, leads to a 4-byte buffer overflow when checking a field containing a specially crafted email address in an X.509 certificate. In a TLS client, the vulnerability can be exploited when connecting to an attacker-controlled server. In a TLS server, the vulnerability can be exploited if client authentication using certificates is in use. In this case, the vulnerability manifests itself at the stage after the chain of trust associated with the certificate has been verified, i.e. the attack requires that a certificate authority has certified the attacker's malicious certificate.
  • CVE-2022-3786 is another vector for exploiting the CVE-2022-3602 vulnerability, identified during analysis of the problem. The difference comes down to the possibility of overflowing the stack buffer by an arbitrary number of bytes containing the "." character (i.e. the attacker cannot control the content of the overflow, and the issue can only be used to crash the application).

The vulnerability appears only in the OpenSSL 3.0.x branch (the bug was introduced in the Unicode conversion code (punycode) added to the 3.0.x branch). The OpenSSL 1.1.1 releases, as well as the OpenSSL forks LibreSSL and BoringSSL, are not affected by the issue. At the same time, the OpenSSL 1.1.1s update was released, containing only non-security bug fixes.

The OpenSSL 3.0 branch is used in distributions such as Ubuntu 22.04, CentOS Stream 9, RHEL 9, OpenMandriva 4.2, Gentoo, Fedora 36 and Debian Testing/Unstable. Users of these systems are advised to install the updates as soon as possible (Debian, Ubuntu, RHEL, SUSE/openSUSE, Fedora, Arch). On SUSE Linux Enterprise 15 SP4 and openSUSE Leap 15.4, packages with OpenSSL 3.0 are available optionally; the system packages use the 1.1.1 branch. Debian 11, Arch Linux, Void Linux, Ubuntu 20.04, Slackware, ALT Linux, RHEL 8, OpenWrt, Alpine Linux 3.16 and FreeBSD remain on the OpenSSL 1.1.x branches.
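As an added example (not code from the article or from the OpenSSL project), the following script triages `openssl version` banners from a fleet against the affected range described above (OpenSSL 3.0.0 through 3.0.6; 1.1.1, LibreSSL and BoringSSL unaffected) and reports which of the two exposure vectors apply to each host; the host names, banners and role table are constructed sample data.

```python
import re

# Constructed sample `openssl version` output per host (not taken from the article).
SAMPLE_INVENTORY = {
    "web-01": "OpenSSL 3.0.5 5 Jul 2022",
    "web-02": "OpenSSL 3.0.7 1 Nov 2022",
    "vpn-01": "OpenSSL 1.1.1q 5 Jul 2022",
    "bsd-01": "LibreSSL 3.5.3",
    "old-01": "OpenSSL 3.0.0 7 sep 2021",
}

# Library name, numeric version and the optional patch letter used by the 1.x series.
VERSION_RE = re.compile(r"^(OpenSSL|LibreSSL)\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(banner):
    m = VERSION_RE.match(banner.strip())
    if not m:
        raise ValueError(f"unrecognised version banner: {banner!r}")
    name, major, minor, patch, letter = m.groups()
    return name, (int(major), int(minor), int(patch)), letter


def is_affected(banner):
    """True only for OpenSSL 3.0.0 through 3.0.6 (CVE-2022-3602 / CVE-2022-3786)."""
    name, ver, _ = parse_version(banner)
    if name != "OpenSSL":
        return False  # LibreSSL (and BoringSSL) never received the punycode code
    return (3, 0, 0) <= ver < (3, 0, 7)


def exposure(banner, tls_client=False, tls_server_client_auth=False):
    """Summarise one host's exposure using the two vectors the advisory describes."""
    if not is_affected(banner):
        return "not affected"
    vectors = []
    if tls_client:
        vectors.append("client: certificate from an attacker-controlled server")
    if tls_server_client_auth:
        vectors.append("server: CA-signed malicious client certificate")
    if not vectors:
        return "affected version, but no certificate-verification exposure configured"
    return "affected; update to 3.0.7 (" + "; ".join(vectors) + ")"


def triage(inventory, roles):
    """Map each host to its verdict; `roles` gives per-host keyword flags for exposure()."""
    return {host: exposure(banner, **roles.get(host, {})) for host, banner in inventory.items()}


if __name__ == "__main__":
    roles = {"web-01": {"tls_client": True}, "old-01": {"tls_server_client_auth": True}}
    for host, verdict in triage(SAMPLE_INVENTORY, roles).items():
        print(f"{host}: {verdict}")
```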

Source: opennet.ru
