Vulnerability in OpenSSL and LibreSSL leading to a loop when processing malformed certificates

Maintenance releases of the OpenSSL cryptographic library, 3.0.2 and 1.1.1n, are available. The update fixes a vulnerability (CVE-2022-0778) that can be used to cause a denial of service (an infinite loop in the handler). To exploit the vulnerability, it is enough for a specially crafted certificate to be processed. The problem occurs in both server and client applications that can process user-supplied certificates.

The problem is caused by a bug in the BN_mod_sqrt() function, which leads to a loop when computing a square root modulo something other than a prime number. The function is used when parsing certificates with keys based on elliptic curves. Exploitation comes down to placing invalid elliptic curve parameters in the certificate. Because the problem occurs before the certificate's digital signature is verified, the attack can be carried out by an unauthenticated user who can cause a client or server certificate to be passed to applications that use OpenSSL.
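The failure mode described above is a square-root routine that assumes a prime modulus and loops when it gets a composite one. As an added illustration (not OpenSSL or LibreSSL code), here is the textbook Tonelli-Shanks modular square root in Python with every loop bounded, so a non-prime modulus yields an error result instead of a hang; the name `mod_sqrt`, the `max_tries` limit and the sample moduli are assumptions made for this example.

```python
# Added illustration (not OpenSSL/LibreSSL source): textbook Tonelli-Shanks
# with every loop bounded, so a non-prime modulus yields None, not a hang.

def mod_sqrt(a, p, max_tries=64):
    """Return r with r*r % p == a % p, or None if no root is found
    (a is a non-residue, or p is not an odd prime)."""
    if p < 3 or p % 2 == 0:
        return None
    a %= p
    if a == 0:
        return 0
    # Write p - 1 = q * 2**e with q odd.
    q, e = p - 1, 0
    while q % 2 == 0:
        q, e = q // 2, e + 1
    # Bounded search for y with y**((p-1)/2) == -1 (mod p).
    y = next((c for c in range(2, 2 + max_tries)
              if pow(c, (p - 1) // 2, p) == p - 1), None)
    if y is None:
        return None
    y, x, b = pow(y, q, p), pow(a, (q + 1) // 2, p), pow(a, q, p)
    while b != 1:
        # Find the least i in [1, e) with b**(2**i) == 1 (mod p).
        # For prime p and a square a it always exists. The range bound
        # is the guard: if no such i exists, give up instead of spinning.
        t = b * b % p
        for i in range(1, e):
            if t == 1:
                break
            t = t * t % p
        else:
            return None
        c = pow(y, 1 << (e - i - 1), p)
        x, y = x * c % p, c * c % p
        b, e = b * y % p, i   # e strictly decreases, so the loop ends
    # Final check: never report a "root" that does not square to a.
    return x if x * x % p == a else None

if __name__ == "__main__":
    print(mod_sqrt(10, 13))   # prime modulus, 10 is a square
    print(mod_sqrt(3, 17))    # prime modulus, 3 is not a square
    print(mod_sqrt(2, 15))    # constructed composite modulus
```

The two properties to look for when reviewing similar code are the bounded inner search and the final `x * x % p == a` check, which together guarantee termination and a correct-or-nothing result for any modulus.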

The vulnerability also affects the LibreSSL library developed by the OpenBSD project; the fix was offered in the corrective releases LibreSSL 3.3.6, 3.4.3 and 3.5.1. In addition, an analysis of the conditions for exploiting the vulnerability has been published (an example of a malicious certificate that causes a hang has not yet been posted publicly).

Source: opennet.ru
