Do you use curl? You should update now! The new version 7.71.0 fixes two serious bugs

The release of the new corrective version "cURL 7.71.0" has been announced. It fixes two serious bugs: one that can leak passwords and one that allows files to be overwritten. That is why updating to the new release is recommended.

For those unfamiliar with this tool: it is used to send and receive data over the network, and it allows a request to be built flexibly by setting parameters such as the cookie, user_agent, referer, and any other header.

cURL supports HTTP, HTTPS, HTTP/2.0, HTTP/3, SMTP, IMAP, POP3, Telnet, FTP, LDAP, RTSP, RTMP, and other network protocols. At the same time, a matching update was released for the libcurl library, which provides an API for using all of curl's functionality from programs written in languages such as C, Perl, PHP, and Python.

Main changes in cURL 7.71.0

This new version is a corrective release and, as mentioned at the start, it comes with fixes for two vulnerabilities, which are the following:

  • Vulnerability CVE-2020-8177: this allows an attacker to overwrite a local file on the system when the user accesses a server the attacker controls. The problem only manifests when the options "-J" ("--remote-header-name") and "-i" ("--include") are used at the same time.

The "-J" option saves the file under the name specified in the "Content-Disposition" header. If a file with that name already exists, curl normally refuses to overwrite it, but when the "-i" option is also present the overwrite check is bypassed and the file is overwritten (the check is performed at the stage of receiving the response body, but with "-i" the HTTP headers are output first and have already been written by the time the response body is processed). Only the HTTP headers end up written to the file.

  • Vulnerability CVE-2020-8169: this can leak to the DNS server part of the password used to access a site (Basic, Digest, NTLM, etc.).

When the password contains the "@" character, which is also the separator between the credentials and the host in a URL, and an HTTP redirect is triggered, curl sends the part of the password after the "@" character together with the domain for name resolution.

For example, if you specify the password "passw@passw" and the user name "user", curl builds the URL "https://user:passw@passw@example.com/path" instead of "https://user:passw%40passw@example.com/path" and sends a request to resolve the host "passw@example.com" instead of "example.com".

The problem manifests when following HTTP redirects is enabled (enabled via CURLOPT_FOLLOWLOCATION).

With classic DNS, the DNS provider and any attacker who can intercept network traffic can obtain information about part of the password (even if the original request was made over HTTPS, since DNS traffic is not encrypted). With DNS over HTTPS (DoH), the leak is limited to the DoH provider.
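The URL assembly described above, as an added Python example that is not curl's own code: it builds the credential URL both ways for the article's "user" / "passw@passw" / example.com scenario, then splits the result at the first "@" the way the article says the affected version did, so the host that would be handed to DNS is visible in each case. Function names and the helper that flags unsafe credential characters are assumptions.

```python
from urllib.parse import quote, unquote

# Constructed sample values, taken from the scenario in the article
USER = "user"
PASSWORD = "passw@passw"
HOST = "example.com"
PATH = "/path"


def naive_credential_url(user: str, password: str, host: str, path: str) -> str:
    """Vulnerable construction: user, password and host concatenated as-is.
    A password containing '@' makes the authority part ambiguous."""
    return f"https://{user}:{password}@{host}{path}"


def encoded_credential_url(user: str, password: str, host: str, path: str) -> str:
    """Fixed construction: percent-encode the userinfo so that '@' (and
    ':' '/' '?' '#') inside a credential can never act as a delimiter."""
    return f"https://{quote(user, safe='')}:{quote(password, safe='')}@{host}{path}"


def split_authority_first_at(url: str) -> tuple[str, str, str]:
    """Model of the splitting the article describes: the first '@' ends the
    userinfo, and everything after it is treated as the host to resolve.
    Returns (user, password, host) with credentials percent-decoded."""
    authority = url.removeprefix("https://").split("/", 1)[0]
    userinfo, _, host = authority.partition("@")
    user, _, password = userinfo.partition(":")
    return unquote(user), unquote(password), host


def unsafe_userinfo_chars(value: str) -> set[str]:
    """Characters of a credential that should be percent-encoded before it is
    embedded in a URL: the RFC 3986 userinfo/authority delimiters."""
    return {c for c in value if c in "@:/?#"}


if __name__ == "__main__":
    for build in (naive_credential_url, encoded_credential_url):
        url = build(USER, PASSWORD, HOST, PATH)
        user, password, host = split_authority_first_at(url)
        print(f"{build.__name__}: {url}\n  -> DNS lookup for host: {host!r}, password seen as {password!r}")
    print("characters to encode in password:", unsafe_userinfo_chars(PASSWORD))
```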

Finally, among the other changes included in the new version is the addition of the "--retry-all-errors" option, which retries an operation when any error occurs.

How to install cURL on Linux?

Those interested in installing this new version of cURL can do so by downloading the source code and compiling it.

To do this, the first thing we do is download the latest cURL package with the help of the terminal; in it we type:

wget https://curl.haxx.se/download/curl-7.71.0.tar.xz

Then we unpack the downloaded package (an xz-compressed tarball, so it needs -J rather than -z) with:

tar -xJvf curl-7.71.0.tar.xz

We enter the newly created directory with:

cd curl-7.71.0

We become root with:

sudo su

And we type the following (each step is chained with && so that a failing step stops the installation):

./configure --prefix=/usr \
--disable-static \
--enable-threaded-resolver \
--with-ca-path=/etc/ssl/certs &&
make &&
make install &&
rm -rf docs/examples/.deps &&
find docs \( -name Makefile\* -o -name \*.1 -o -name \*.3 \) -exec rm {} \; &&
install -v -d -m755 /usr/share/doc/curl-7.71.0 &&
cp -v -R docs/* /usr/share/doc/curl-7.71.0

Finally we can check the installed version with:

curl --version

If you want to know more about it, you can consult the following link.
