Vulnerabilities found in Python's SSLSocket

If exploited, these flaws can allow attackers to gain unauthorized access to sensitive information or, more generally, cause problems.

A few days ago the news broke that a serious security vulnerability had been found in Python's SSLSocket module. The vulnerability (already catalogued as CVE-2023-40217) allows an attacker to bypass the TLS handshake and inject malicious data into a secure connection.

The problem is reported to lie in the SSLSocket class, where the TLS connection negotiation stage and the procedures tied to it, such as certificate verification, can be skipped. A successful attack can cause unencrypted data to be treated as if it had been transmitted over the TLS connection.

The affected Python versions are:

  • Python 3.12.0a1 through 3.12.0rc1
  • Python 3.11.0 through 3.11.4
  • Python 3.10.0 through 3.10.12
  • Python 3.9.0 through 3.9.17
  • Python 3.8.0 through 3.8.17
  • Python 3.7.17 and earlier

The problem is that, after a socket is created, there is a small window during which data received and stored in the buffer is treated as having been read from the client if the connection is closed before the TLS negotiation begins. To carry out the attack, it is enough to establish a connection, quickly send data, and close the socket without waiting for a response to negotiate the TLS connection. The amount of data that can be sent during the attack is limited by the size of the network buffer.

The vulnerability affects server applications (for example, HTTPS servers) and other server-side protocols that use Python's standard SSL client authentication to set up a secure communication channel using client certificate authentication (for example, mTLS). It poses a risk to HTTPS servers, since an attacker could use it to bypass the TLS handshake and inject a rogue client certificate into the connection. This would allow the attacker to gain access to server resources without authorization.

In addition, it is reported that the flaw can also be used to attack clients that connect to a server controlled by the attacker, if those clients simply proceed to read data from the socket without first sending a request (a typical client application such as pip, which uses HTTPS to send requests, is not affected by the vulnerability).

The vulnerability can only be used to send data without going through certificate authentication; since the connection is closed immediately, the response to the request is not delivered to the client. At the same time, the vulnerability can be used to attack APIs through which changes can be made or data can be deleted.

This vulnerability *does* affect clients that read and process data from the server after the TLS handshake without sending any data first. Our team is not aware of any TLS-based protocol that matches these usage patterns.

This vulnerability *does not* affect client-side HTTPS connections such as pip or requests, since the HTTP request must be sent before the HTTP response is read, meaning the connection would already be closed by the time the client sends its request, which would then result in an error.
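As an added example (not code from the article or from the Python project), here are the two defensive checks the description above suggests: a version test against the affected ranges listed earlier, and a guard a server can run on an accepted `ssl.SSLSocket` before trusting what it reads from it. The helper names `is_affected`, `handshake_completed` and `recv_authenticated` are assumptions; the guard relies on `SSLSocket.version()` returning `None` when no TLS session was negotiated.

```python
import ssl
import sys

# Last affected micro version per branch, from the article's list
# (3.12 is handled separately: only 3.12.0a1 through 3.12.0rc1 are affected).
LAST_AFFECTED_MICRO = {(3, 11): 4, (3, 10): 12, (3, 9): 17, (3, 8): 17, (3, 7): 17}


def is_affected(version_info=None):
    """True when the interpreter version is in the CVE-2023-40217 affected ranges."""
    major, minor, micro, level, serial = version_info or tuple(sys.version_info)
    if (major, minor) == (3, 12):
        if micro != 0 or level == "final":
            return False                     # 3.12.0 final and later are fixed
        return not (level == "candidate" and serial >= 2)   # rc2 and later are fixed
    if (major, minor) in LAST_AFFECTED_MICRO:
        return micro <= LAST_AFFECTED_MICRO[(major, minor)]
    return (major, minor) < (3, 7)           # "3.7.17 and earlier" covers older branches


def handshake_completed(tls_sock, require_client_cert=False):
    """Check a server should run before trusting bytes read from an SSLSocket.

    When the peer closes before the handshake, a vulnerable SSLSocket has no
    underlying SSL object: version() is None, yet recv() returns buffered plaintext.
    """
    if tls_sock.version() is None:           # no TLS session was ever negotiated
        return False
    if require_client_cert:
        # Needs ssl.CERT_REQUIRED on the context; getpeercert() is {} for an
        # unvalidated certificate and None when no certificate was presented.
        return bool(tls_sock.getpeercert())
    return True


def recv_authenticated(tls_sock, bufsize=4096, require_client_cert=False):
    """Read from a server-side SSLSocket only after proving the handshake happened."""
    if not handshake_completed(tls_sock, require_client_cert):
        tls_sock.close()
        raise ssl.SSLError("TLS handshake did not complete; refusing to read plaintext")
    return tls_sock.recv(bufsize)
```

The guard is a belt-and-braces measure for servers that cannot upgrade immediately; the real fix is running a patched interpreter, which `is_affected()` helps confirm.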

It is also worth mentioning that another vulnerability in Python was fixed at the same time (CVE-2023-41105). It was likewise critical, since it could be used to bypass file path validation checks performed by the affected function.

The vulnerability is due to the fact that if the path contains a null character ('\0'), the function truncates the path after the first null character. As a result, subsequent file-handling functions may operate on the full path instead of the truncated one. The problem only appears in the 3.11.x branch.

Finally, if you want to know more about it, you can consult the details at the following link.

