I-OpenSSL 3.0.8 ifika nokulungiswa kweziphazamisi zokuphepha ezimbalwa

Darkcrizt

Imizuzu ye-4

VulaSSL_logo

I-OpenSSL iphrojekthi yesofthiwe yamahhala esekelwe ku-SSLeay. Iqukethe iphakethe eliqinile lemitapo yolwazi ehlobene ne-cryptography namathuluzi okuphatha, ahlinzeka ngemisebenzi ye-cryptographic kwamanye amaphakheji afana ne-OpenSSH neziphequluli zewebhu.

I ukukhishwa kwezinguqulo ezintsha zokulungisa ze-OpenSSL ( 3.0.8 , 1.1.1t ) lapho kulungiswe ukuba sengozini okuyingozi (CVE-2023-0286) evumela okuqukethwe kwezindawo ezingafanele zememori yenqubo ukuthi kutholwe lapho kucutshungulwa inqubo elawulwa uhlu lokuhoxiswa kwesitifiketi somhlaseli (CRL) noma ithokheni efakwe isitembu sesikhathi.

Ukuba sengozini kubangelwa Ukudideka Kohlobo lapho ucubungula ikheli le-X.400 kusandiso se-X.509 GeneralName.

Ikakhulukazi, ikheli le-X.400 lacutshungulwa ngohlobo lwe-ASN1_STRING, kuyilapho inkambu yekheli elithi x400 esakhiweni GENERAL_NAME yahlukaniswa ngohlobo lwe-ASN1_TYPE, okubangele ukuqhathanisa (GENERAL_NAME_cmp) ne-ASN1_TYPE esikhundleni sokuthi ASN1_STRING. Uma ukuhlolwa kohlu lokuhoxiswa kwesitifiketi kunikwe amandla (ngokusetha ifulege le-X509_V_FLAG_CRL_CHECK kuhlelo lokusebenza), ubungozi buvumela umhlaseli ukuthi adlulisele izikhombisi-ndlela kumsebenzi we-memcmp, ongasetshenziswa ukufunda okuqukethwe yinkumbulo noma ukuqalisa ukunqanyulwa okungavamile kwenqubo. .

Ezimweni eziningi, umhlaseli kufanele abe nokulawula phezu kohlu lokuhoxiswa kwesitifiketi (CRL) esetshenzisiwe kanye nochungechunge lokwethenjwa lwesitifiketi ukuze kwenziwe ukuhlasela okuyimpumelelo.

Ukuhlasela kungenziwa futhi uma kulawulwa enye yezinto ezishiwo, kodwa kulesi simo, ikheli le-X.400 kufanele livele njengendawo yokusabalalisa ye-CRL, okuyinto eyivelakancane. Ngalo mqondo, kucatshangwa ukuthi ubungozi buthinta kakhulu izinhlelo zokusebenza ezisebenzisa ukuqaliswa kwazo kokulanda kwe-CRL kunethiwekhi.

Ngaphezu kwenkinga okuxoxwe ngayo, I-OpenSSL 3.0.8 iphinde ilungise ubungozi obuningana ingozi encane:

  • I-CVE-2022-4304: iwukuhlasela kwesiteshi eseceleni esivumela ukunquma idatha yomthombo ngokulinganisa ukubambezeleka kwenethiwekhi lapho kwenziwa imisebenzi ye-RSA kusetshenziswa i-PKCS#1 v1.5, RSA-OEAP, kanye ne-RSASVE izindlela zokusakaza ezikhulayo. Ukuhlasela kuwukuhluka kwendlela ye-Bleichenbacher, ingqikithi yayo ukuthi umhlaseli, ngokusekelwe ekuphenduleni okuhlukile kuseva, angakwazi ukuhlukanisa amabhulokhi e-Oracle e-padding alungile nangalungile asetshenziselwa ukuqondanisa idatha ebethelwe eduze komngcele we-block. Ukuhlasela okuyimpumelelo kudinga ukuthumela inombolo enkulu yemilayezo yokuphenya ukuze kubhalwe phansi.
    Ngasohlangothini olungokoqobo, ukuhlasela, ngokwesibonelo, kungasetshenziswa ukuthola imfihlo eyinhloko yoxhumo lwe-TLS, iklayenti eliludlulisela kuseva ngendlela ebethelwe. Umhlaseli onekhono lokunqanda ukuxhumana phakathi kweklayenti neseva angakwazi ukubuyisela inani lemfihlo enkulu ngokuthumela inombolo enkulu yemilayezo yokuhlola kuseva nokuhlaziya isikhathi sayo sokucubungula. Uma imfihlo eyinhloko isinqunyiwe, umhlaseli angakwazi ukususa ukubhala ngemfihlo idatha ethunyelwe ngoxhumo lwe-TLS okukhulunywa ngalo.
  • I-CVE-2022-4203: Funda ibhafa ngaphandle kwemingcele lapho uqinisekisa izitifiketi ze-X.509 ngenkambu yegama langokwezifiso. Ukuhlasela kungaphahlazeka kuhlelo lokusebenza noma kuvuze okuqukethwe kwenkumbulo yenqubo ohlangothini lweklayenti uma ixhumeka kuseva elawulwa umhlaseli, noma ohlangothini lweseva uma iseva icela ukuqinisekiswa kusuka kuklayenti elilawulwa umhlaseli .
  • I-CVE-2023-0216: Isithenjwa sesikhombi esingalungile esilahlekile emisebenzini ye-d2i_PKCS7(), d2i_PKCS7_bio() kanye nethi d2i_PKCS7_fp() lapho uphatha idatha ye-PKCS7 efomethwe ngokukhethekile. Ukuba sengozini kungase kubangele ukuthi inqubo iphahlazeke.
  • I-CVE-2023-0217: I-NULL pointer dereference uma uthenga ukhiye wasesidlangalaleni we-DSA kumsebenzi we-EVP_PKEY_public_check().
  • I-CVE-2023-0215: ukufinyelela kokusetshenziswa ngemva kwamahhala endaweni yenkumbulo kumsebenzi we-BIO_new_NDEF osetshenziselwa ukudlulisa idatha ye-ASN.1 ngesixhumi esibonakalayo se-BIO.
  • I-CVE-2022-4450: inkumbulo ekhulula kabili ngemva kokubiza umsebenzi we-PEM_read_bio_ex.
  • I-CVE-2023-0401: I-NULL pointer dereference lapho kuqinisekiswa idatha ye-PKCS7.

Ebucayini obu-4 bokugcina, kucatshangwa ukuthi bukhawulelwe ekhonweni lokuqalisa ukunqanyulwa kwenqubo okungavamile.

Okokugcina, uma ungathanda ukwazi okwengeziwe ngale nguqulo entsha, ungabheka imininingwane kokuthi isixhumanisi esilandelayo.