Security researchers at Qualys have demonstrated the exploitability of a vulnerability in the qmail mail server that has been known since 2005 (CVE-2005-1513) but never fixed, because the qmail author argued that it was unrealistic to build a working exploit that could be used to attack systems running the default configuration.
But it appears the qmail developers were mistaken: Qualys was able to prepare an exploit that refutes this assumption and allows remote code execution on the server by sending a specially crafted message.
The problem is caused by an overflow in the stralloc_readyplus() function, which can occur when a very large message is processed. For exploitation, a 64-bit system with more than 4 GB of virtual memory was required.
In the original analysis of the vulnerability in 2005, Daniel Bernstein argued that the code's assumption that the size of allocated arrays always fits in a 32-bit value was justified because nobody provides gigabytes of memory to each process.
Over the past 15 years, 64-bit systems have replaced 32-bit systems on servers, and the amount of memory provided and network bandwidth have increased dramatically.
Packages that ship qmail took Bernstein's remark into account and, when starting the qmail-smtpd process, limit the available memory (for example, on Debian 10 the limit is set to 7 MB).
But Qualys engineers found that this is not enough: in addition to qmail-smtpd, a remote attack can be carried out against the qmail-local process, which remained unrestricted in all packages tested.
As proof, a prototype exploit was prepared that is suitable for attacking the package supplied by Debian with qmail in its default configuration. To achieve remote code execution during the attack, the server needs 4 GB of free disk space and 8 GB of RAM.
The exploit allows executing any shell command with the privileges of any user on the system, except root and system users who have no subdirectory of their own in the "/home" directory.
The attack is carried out by sending a very large email message that includes multiple lines in the header, approximately 4 GB and 576 MB in size.
When qmail-local processes such a line while attempting to deliver the message to a local user, an integer overflow occurs. The integer overflow then leads to a buffer overflow when the data is copied, and to the ability to overwrite memory pages holding libc code.
Also, when qmail-local calls qmesearch(), the ".qmail-extension" file is opened via the open() function, which leads to the actual launch of the program (".qmail-extension"). But since the "extension" part of the file name is formed from the recipient's address (for example, "localuser-extension@localdomain"), attackers can arrange for a command to be launched by specifying the user "localuser-;command;@localdomain" as the recipient of the message.
Code analysis also revealed two vulnerabilities in the additional qmail-verify patch, which is part of the Debian package.
- The first vulnerability (CVE-2020-3811) allows bypassing email address verification, and the second (CVE-2020-3812) leads to a local information leak.
- The second vulnerability can be used to verify the existence of files and directories on the system, including those accessible only to root (qmail-verify starts with root privileges), by calling the local handler directly.
A set of patches has been prepared for this package that removes both the old vulnerability from 2005, by adding hard memory limits to the function's code, and the new problems in qmail.
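To make concrete both the integer overflow described above (a 32-bit length computation that wraps and turns a huge request into a small allocation before the copy) and the hard memory limits the patches add, here is a simplified growable buffer in C. It is an added illustration for this article, not qmail's code or the patches' code; the sbuf type, the function names and the 64 MiB cap are assumptions chosen for the example.

```c
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Simplified growable buffer in the style of qmail's stralloc. Added
 * illustration for this article, not qmail's code or the patches' code. */
typedef struct { char *s; unsigned int len, a; } sbuf; /* data, used, allocated */

/* Hard cap on one buffer, standing in for the memory limits the patches
 * add; the 64 MiB value is an assumption chosen for this illustration. */
#define SBUF_HARD_LIMIT (64u * 1024u * 1024u)

/* Request size an unchecked 32-bit "len + n" hands to the allocator: it wraps
 * modulo 2^32, so a request past 4 GB becomes a tiny allocation while the
 * copy that follows still writes all n bytes. */
unsigned int unchecked_request(unsigned int len, unsigned int n)
{
    return len + n;
}

/* Hardened readyplus: make room for n more bytes or fail closed.
 * Returns 1 on success, 0 on wrap or limit violation (buffer unchanged). */
int sbuf_readyplus(sbuf *b, unsigned int n)
{
    unsigned int need;
    char *p;
    if (n > UINT_MAX - b->len)      /* len + n would wrap */
        return 0;
    need = b->len + n;
    if (need > SBUF_HARD_LIMIT)     /* refuse oversized input */
        return 0;
    if (need <= b->a)
        return 1;
    p = realloc(b->s, need);
    if (p == NULL)
        return 0;
    b->s = p;
    b->a = need;
    return 1;
}

/* Append via the checked path: failure drops data instead of overrunning the heap. */
int sbuf_append(sbuf *b, const char *data, unsigned int n)
{
    if (!sbuf_readyplus(b, n))
        return 0;
    memcpy(b->s + b->len, data, n);
    b->len += n;
    return 1;
}
```

With len = 0xFFFF0000 and n = 0x20000, unchecked_request() returns 0x10000, i.e. a request of just over 4 GB shrinks to 64 KB, which is the condition the checked version refuses.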
In addition, an updated version of the qmail patch was prepared separately. The developers of the notqmail fork prepared their own patches to block the old problems and have also begun work on eliminating all possible integer overflows in the code.
Umthombo: https://www.openwall.com/