OpenSSL 3.0.7 arrives to fix a buffer overflow problem


OpenSSL is a free software project based on SSLeay.

The release of OpenSSL 3.0.7, a corrective version of the cryptographic library, has been announced. It fixes vulnerabilities caused by buffer overflows that can be triggered while validating X.509 certificates; which problems they are, and why this corrective version was published, is explained below.

It is worth noting that both problems are caused by a buffer overflow in the code that validates the email address field of X.509 certificates, and that they can lead to code execution when a specially crafted certificate is processed.

At the time the fix was released, the OpenSSL developers had not yet confirmed the existence of a working exploit that could lead to execution of attacker code.

There is one case in which servers could be exploited via TLS client authentication, which may bypass the CA signing requirement, since client certificates are not usually required to be signed by a trusted CA. Since client authentication is rare and most servers do not have it enabled, exploitation of a server should be a low risk.

Attackers can exploit this vulnerability by directing a client to a malicious TLS server that uses a specially crafted certificate to trigger the vulnerability.

Although the pre-announcement of the new release mentioned a critical issue, in the published release the status of the vulnerability was actually lowered to High rather than Critical.

According to the rules adopted by the project, the severity level is lowered if the problem occurs only in atypical configurations or if there is a low probability of exploiting the vulnerability in practice. In this case, the severity level was lowered because exploitation of the vulnerability is blocked by the stack overflow protection mechanisms used on many platforms.

Pre-announcements of CVE-2022-3602 described this issue as CRITICAL. Further analysis, based on some of the mitigating factors described above, has led this to be downgraded to HIGH.

Users are still encouraged to upgrade to a new version as soon as possible. In a TLS client, this can be triggered by connecting to a malicious server. In a TLS server, this can be triggered if the server requests client authentication and a malicious client connects. OpenSSL versions 3.0.0 to 3.0.6 are vulnerable to this issue. OpenSSL 3.0 users should upgrade to OpenSSL 3.0.7.

Of the problems identified, the following is mentioned:

CVE-2022-3602: Initially reported as critical, the vulnerability causes a 4-byte buffer overflow when checking a specially crafted email address field in an X.509 certificate. In a TLS client, the vulnerability can be exploited by connecting to an attacker-controlled server. In a TLS server, the vulnerability can be exploited if certificate-based client authentication is used. In this case, the vulnerability manifests itself at the stage after the certificate's chain of trust has been verified, i.e. the attack requires a certificate authority to have validated the attacker's malicious certificate.

CVE-2022-3786: Another vector for exploiting the CVE-2022-3602 vulnerability, identified during analysis of the problem. The difference comes down to the ability to overflow a stack buffer by an arbitrary number of bytes containing the "." character. The issue can be used to cause an application crash.

The vulnerability appears only in the OpenSSL 3.0.x branch; OpenSSL 1.1.1, as well as the LibreSSL and BoringSSL libraries derived from OpenSSL, are not affected by the problem. At the same time, an OpenSSL 1.1.1s update was released that contains only non-security bug fixes.

The OpenSSL 3.0 branch is used by distributions such as Ubuntu 22.04, CentOS Stream 9, RHEL 9, OpenMandriva 4.2, Gentoo, Fedora 36 and Debian Testing/Unstable. Users of these systems are advised to install the updates as soon as possible (Debian, Ubuntu, RHEL, SUSE/openSUSE, Fedora, Arch).

In SUSE Linux Enterprise 15 SP4 and openSUSE Leap 15.4, packages with OpenSSL 3.0 are available as an option, while the system packages use the 1.1.1 branch. Debian 11, Arch Linux, Void Linux, Ubuntu 20.04, Slackware, ALT Linux, RHEL 8, OpenWrt, Alpine Linux 3.16 and FreeBSD remain on the OpenSSL 1.x branches.
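As an added triage aid (not part of the original article or of the OpenSSL project), the script below parses an `openssl version` banner, or the version string the running Python interpreter's `ssl` module is linked against, and reports whether it falls in the affected 3.0.0 to 3.0.6 range described above. Banners from LibreSSL, BoringSSL or the 1.1.1 branch are reported as not affected, matching the advisory; the sample banners in the `__main__` block are constructed for illustration.

```python
import re
import ssl
import subprocess

# CVE-2022-3602 / CVE-2022-3786 affect OpenSSL 3.0.0 through 3.0.6 (per the advisory).
# 3.0.7 fixes them; the 1.1.1 branch, LibreSSL and BoringSSL are not affected.
AFFECTED_MIN = (3, 0, 0)
AFFECTED_MAX = (3, 0, 6)

# Matches "OpenSSL 3.0.6 ..." and letter-suffixed 1.x banners such as "OpenSSL 1.1.1s ...".
# A "LibreSSL 3.3.6" banner deliberately does not match, so it is treated as not affected.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Return (major, minor, patch) from an OpenSSL version banner, or None if unrecognised."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(x) for x in m.group(1, 2, 3))


def is_affected(banner):
    """True when the banner names a release inside the vulnerable 3.0.0-3.0.6 range."""
    version = parse_openssl_version(banner)
    return version is not None and AFFECTED_MIN <= version <= AFFECTED_MAX


def check_running_python():
    """Report the OpenSSL build this interpreter's ssl module is linked against."""
    return ssl.OPENSSL_VERSION, is_affected(ssl.OPENSSL_VERSION)


def check_system_binary():
    """Report the OpenSSL CLI found on PATH, if any (returns (None, False) when absent)."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return None, False
    return out.strip(), is_affected(out)


if __name__ == "__main__":
    # Constructed sample banners, followed by the two live checks on this host.
    samples = ["OpenSSL 3.0.6 11 Oct 2022", "OpenSSL 3.0.7 1 Nov 2022", "OpenSSL 1.1.1s  1 Nov 2022"]
    reports = [(b, is_affected(b)) for b in samples] + [check_running_python(), check_system_binary()]
    for banner, affected in reports:
        verdict = "AFFECTED, upgrade to 3.0.7" if affected else "not in affected range"
        print(f"{banner or 'openssl CLI not found'}: {verdict}")
```

Note that statically linked applications carry their own copy of OpenSSL, so neither check covers them; inventory those separately.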

Finally, if you are interested in learning more about it, you can consult the details at the following link.

