Ubungozi buphawulwe ku-Linux kernel subsystems i-Netfilter kanye ne-io_uring evumela umsebenzisi wasendaweni ukuthi aphakamise amalungelo akhe ohlelweni:
- Ukuba sengozini (CVE-2023-32233) kusistimu engaphansi ye-Netfilter okubangelwa ukufinyelela kwenkumbulo yokusebenzisa ngemva kwamahhala kumojula ye-nf_tables, eqinisekisa ukusebenza kwesihlungi sephakethe le-nftables. Ukuba sengozini kungase kusetshenziswe ngokuthumela izicelo eziklanywe ngokukhethekile ukuze kubuyekezwe ukucushwa kwe-nftables. Ukuhlasela kudinga ukufinyelela kuma-nftables, angatholwa endaweni yamagama yenethiwekhi ehlukile (izikhala zamagama zenethiwekhi) uma unamalungelo okuthi CLONE_NEWUSER, CLONE_NEWNS noma CLONE_NEWNET (isibonelo, uma ungasebenzisa isiqukathi esingasodwa).
Ukuze unikeze abasebenzisi isikhathi sokufaka izibuyekezo, umcwaningi ohlonze inkinga uthembise ukuhlehlisa iviki lonke (kuze kube uMeyi 15) ukushicilelwa kolwazi olunemininingwane kanye nesibonelo sokusebenzisa okusebenzayo okunikeza igobolondo lempande. Ukuba sengozini kulungisiwe ekubuyekezeni i-6.4-rc1. Ungalandela ukulungiswa kokuba sengozini ekusabalaliseni emakhasini alandelayo: Debian, Ubuntu, Gentoo, RHEL, Fedora, SUSE/openSUSE, Arch.
- Ukuba sengozini (i-CVE ayikabelwa) ekusetshenzisweni kwesixhumi esibonakalayo se-io_uring se-asynchronous I/O esifakwe ku-Linux kernel kusukela ekukhululweni okungu-5.1. Inkinga ibangelwa iphutha kumsebenzi we-io_sqe_buffer_register, ovumela ukufinyelela kumemori ebonakalayo ngaphandle kwemingcele yebhafa eyabiwe ngokwezibalo. Inkinga ivela kuphela egatsheni le-6.3 futhi izolungiswa kusibuyekezo esizayo 6.3.2. I-prototype ye-exploit esebenzayo isivele itholakalela ukuhlolwa, okuvumela ukusebenzisa ikhodi ngamalungelo e-kernel.
Source: opennet.ru