I-Kees Cook idinga ukuhleleka okungcono komsebenzi ku-Linux maqondana nokulungiswa kwamaphutha

UKee Cook Ngenza okuthunyelwe kubhulogi lapho kuphakamise ukukhathazeka ngenqubo yokulungisa iziphazamisi okuqhubekayo emagatsheni azinzile we-Linux kernel futhi yilokho yisho ukuthi isonto nesonto kufakwe ukulungiswa okungaba yikhulu emagatsheni azinzile, amaningi kakhulu futhi adinga umzamo omkhulu wokugcina imikhiqizo esekwe ku-Linux kernel.

Ngokusho kukaKees, inqubo yokuphatha iphutha le-kernel yeqiwe futhi i-kernel entula okungenani onjiniyela abangu-100 abengeziwe ukusebenza ngendlela ehlelekile kule ndawo. Futhi ukubalula ukuthi abakhiqizi be-kernel abakhulu balungisa izimbungulu njalo, kepha asikho isiqinisekiso sokuthi lokhu kulungiswa kuzodlulisela kokuhlukile kwe-kernel yomuntu wesithathu.

Ngokwenza njalo, usho ukuthi abasebenzisi bemikhiqizo ehlukahlukene ye-Linux kernel futhi abanayo indlela yokulawula ukuthi yiziphi izimbungulu ezilungisiwe nokuthi iyiphi i-kernel esetshenziswa kumadivayisi abo. Ekugcineni, abathengisi banesibopho sokuphepha kwemikhiqizo yabo, kepha bebhekene nezinga eliphakeme kakhulu lezimagqabhagqabha emagatsheni e-kernel azinzile, babhekane nokukhetha ukuhambisa wonke ama-patches, ngokukhetha ukuhambisa okubaluleke kakhulu, noma ukungazinaki zonke iziqeshana. .

Abathuthukisi be-kernel abaphezulu bangalungisa izimbungulu, kepha abanamandla okulawula lokho umthengisi osezansi akhetha ukukufaka kwimikhiqizo yabo. Abasebenzisi bokugcina bangakhetha imikhiqizo yabo, kepha ngokuvamile abanakho ukulawula ukuthi yiziphi izimbungulu ezilungisiwe noma ukuthi iyiphi i-kernel esetshenziswayo (inkinga kuyo uqobo). Ekugcineni, abathengisi banesibopho sokugcina ama-cores womkhiqizo wabo ephephile.

UKee Cook iphakamisa ukuthi ikhambi elilungile kuzoba ukudlulisa kuphela ukulungiswa okubaluleke kakhulu nokuba sengozini, kepha inkinga enkulu ukuhlukanisa la maphutha ekugelezeni okujwayelekile, ngoba iningi lezinkinga ezivelayo zingumphumela wokusetshenziswa kolimi lwe-C, oludinga ukunakekelwa okukhulu lapho kusebenza ngememori nezikhombisi.

Ukwenza izinto zibe zimbi kakhulu, ukulungiswa okuningi okungahle kube sengozini akumakiwe ngezihlonzi ze-CVE noma akusitholi isikhombi se-CVE isikhathi esithile ngemuva kokukhishwa kwesiqephu.

Endaweni enjalo, kunzima kakhulu ukuthi abakhiqizi bahlukanise ukulungiswa okuncane ezindabeni ezinkulu zokuphepha. Ngokwezibalo, ngaphezu kwe-40% yokukhubazeka kuyasuswa ngaphambi kokunikezwa kwe-CVE, futhi ngokwesilinganiso ukubambezeleka phakathi kokukhishwa okulungiselelwe nokunikezwa kwe-CVE izinyanga ezintathu (okungukuthi, ekuqaleni, isisombululo sibona iphutha elijwayelekile,

Ngenxa yalokho, ukungabi negatsha elihlukile elinamalungiselelo okuba sengozini nokungatholi imininingwane ngokuxhumeka nokuphepha kwalokhu noma leyo nkinga, abakhiqizi bemikhiqizo esekwe ku-Linux kernel kufanele baqhubeke nokudlulisa konke ukulungiswa yamagatsha amasha azinzile. Kepha lo msebenzi usebenza ngamandla futhi ubhekene nokuphikiswa yizinkampani ngenxa yokwesaba izinguquko ezibuyela emuva ezingaphazamisa ukusebenza okujwayelekile komkhiqizo.

Okhiye Ukupheka ikholelwa ukuthi okuwukuphela kwesixazululo sokugcina i-kernel ivikelekile ngezindleko ezifanele esikhathini eside ukufaka onjiniyela be-patch kuya kernel ehlanyayo iyakhal ukusebenza ndawonye ngendlela edidiyelwe ukugcina amachashazi nobuthakathaka ku-kernel ephezulu. Njengoba kumile, abathengisi abaningi abazisebenzisi izinhlobo zakamuva ze-kernel emikhiqizweni yabo nasezilungisweni ze-backport bebodwa, okungukuthi, kuvela ukuthi onjiniyela bezinkampani ezahlukahlukene benza umsebenzi womunye nomunye, ukuxazulula inkinga efanayo.

Isibonelo, uma izinkampani eziyi-10, ngayinye enonjiniyela esekela ukulungiswa okufanayo, aqondise kabusha lawa onjiniyela ukuze balungise izimbungulu ngenhla, esikhundleni sokuthuthela okulungisiwe okukodwa, bangalungisa izimbungulu ezi-10 ezahlukahlukene ngenzuzo ephelele noma bahlangane ukuze babuyekeze izimbungulu. . Futhi gwema ukufaka ikhodi ye-buggy ku-kernel. Izinsizakusebenza zingasetshenziselwa ukudala amathuluzi amasha wokuhlaziya ikhodi nokuhlola azotholakala ngokuzenzakalela kusenesikhathi amakilasi wephutha ajwayelekile akhula kaninginingi.

Okhiye Ukupheka futhi iphakamisa ukusebenzisa ngenkuthalo ukuhlolwa okuzenzakalelayo nokudida ngqo kunqubo yokuthuthukiswa kernel, sebenzisa amasistimu wokuhlanganisa aqhubekayo futhi uyeke ukuphathwa kwakudala kwentuthuko nge-imeyili.

Umthombo: https://security.googleblog.com


Yiba ngowokuqala ukuphawula

Shiya umbono wakho

Ikheli lakho le ngeke ishicilelwe. Ezidingekayo ibhalwe nge *

*

*

  1. Ubhekele imininingwane: Miguel Ángel Gatón
  2. Inhloso yedatha: Lawula Ugaxekile, ukuphathwa kwamazwana.
  3. Ukusemthethweni: Imvume yakho
  4. Ukuxhumana kwemininingwane: Imininingwane ngeke idluliselwe kubantu besithathu ngaphandle kwesibopho esisemthethweni.
  5. Isitoreji sedatha: Idatabase ebanjwe yi-Occentus Networks (EU)
  6. Amalungelo: Nganoma yisiphi isikhathi ungakhawulela, uthole futhi ususe imininingwane yakho.