Nginx 1.21.0 and nginx 1.20.1 released with a vulnerability fix

The first release of the new nginx 1.21.0 mainline branch has been published; development of new features will continue in this branch. At the same time, a corrective release, 1.20.1, was prepared for the supported stable branch; it contains only changes related to fixing serious bugs and vulnerabilities. Next year, the stable branch 1.22 will be formed on the basis of the 1.21.x mainline branch.

The new versions fix a vulnerability (CVE-2021-23017) in the code that resolves host names in DNS, which could lead to a crash or to execution of the attacker's code. The problem shows up when processing certain DNS server responses, which results in a one-byte buffer overflow. The vulnerability appears only when the DNS resolver is enabled in the configuration with the "resolver" directive. To carry out an attack, an attacker must be able to spoof UDP packets from the DNS server or control the DNS server. The vulnerability has been present since the nginx 0.6.18 release. A patch can be used to fix the problem in older releases.
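An exposure check built from the two conditions above (a release from 0.6.18 up to, but not including, 1.20.1, and a configured "resolver" directive). This is an added example, not code from nginx or from the original article; it assumes the banner comes from `nginx -v`, the configuration text from `nginx -T`, and all function names and sample values are constructed for illustration.

```python
import re

FIRST_AFFECTED = (0, 6, 18)  # per the article: present since nginx 0.6.18
FIXED_IN = (1, 20, 1)        # per the article: fixed in 1.20.1 and 1.21.0

def parse_version(banner):
    """Extract (major, minor, patch) from `nginx -v` output."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError("no nginx version found in %r" % banner)
    return tuple(int(part) for part in m.groups())

def version_affected(version):
    # A version number cannot reveal a backported patch on an older build.
    return FIRST_AFFECTED <= version < FIXED_IN

def resolver_directives(config_text):
    """Return the arguments of every active `resolver` directive."""
    # Simplification (assumption): '#' always starts a comment.
    no_comments = re.sub(r"#[^\n]*", "", config_text)
    # Must begin a statement; `resolver_timeout` does not match.
    pattern = r"(?:^|[;{}])\s*resolver\s+([^;{}]+);"
    return [" ".join(a.split()) for a in re.findall(pattern, no_comments, re.M)]

def exposed(banner, config_text):
    """True when both conditions described in the article hold."""
    return version_affected(parse_version(banner)) and bool(resolver_directives(config_text))

# Constructed sample input (documentation addresses, hypothetical backend name)
SAMPLE_BANNER = "nginx version: nginx/1.20.0"
SAMPLE_CONFIG = """
http {
    # resolver 192.0.2.1;
    resolver_timeout 5s;
    server {
        resolver 192.0.2.53 valid=30s;
        location / { proxy_pass http://backend.example; }
    }
}
"""

if __name__ == "__main__":
    print("exposed:", exposed(SAMPLE_BANNER, SAMPLE_CONFIG))
```

A result of False on an old version only means no "resolver" directive was found in the text supplied; a True result on a distribution build should be confirmed against the vendor's patch status.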

Non-security changes in nginx 1.21.0:

  • Support for variables has been added to the "proxy_ssl_certificate", "proxy_ssl_certificate_key", "grpc_ssl_certificate", "grpc_ssl_certificate_key", "uwsgi_ssl_certificate" and "uwsgi_ssl_certificate_key" directives.
  • The mail proxy module has added support for "pipelining", sending several POP3 or IMAP requests over a single connection, and a new "max_errors" directive, which sets the maximum number of protocol errors after which the connection is closed.
  • A "fastopen" parameter has been added to the stream module, enabling "TCP Fast Open" mode for listening sockets.
  • Problems with escaping special characters during automatic redirects that append a trailing slash have been fixed.
  • A problem with closing client connections when SMTP pipelining is used has been fixed.

Source: opennet.ru
