Multiple vulnerabilities found in various open source projects

A few days ago a batch of vulnerabilities was publicly disclosed across several open source projects. The most important of them is in the OpenSSL cryptographic library: a carry-propagation bug in the MIPS squaring procedure used by BN_mod_exp, which makes the squaring step of a modular exponentiation return an incorrect result.

The issue is tracked as CVE-2021-4160 and only occurs on hardware based on the MIPS32 and MIPS64 architectures. It can affect elliptic curve algorithms, including some of the curves used by default in TLS 1.3. The issue was fixed in the December updates OpenSSL 1.1.1m and 3.0.1.

In addition, using the bug in a real attack to obtain information about private keys is considered possible for the RSA, DSA and Diffie-Hellman (DH) algorithms, but unlikely: such an attack is regarded as very hard to carry out and would require enormous computing resources.

At the same time, attacks on TLS via DH are ruled out, because since the fix for CVE-2016-0701 in 2016 OpenSSL no longer shares a DH private key across multiple clients.
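To see why an exponentiation that returns a wrong result is a private-key problem rather than just a correctness bug, here is an added illustration (not code from the page or from OpenSSL) of the classic fault attack on RSA-CRT and of the usual countermeasure. It uses a toy 60-bit key so everything fits in machine integers; the "fault" is simulated by corrupting one CRT half of the signature, which is the effect a wrong squaring result in one of the two exponentiations would have. Nothing here triggers the MIPS bug itself; P_TOY, Q_TOY and the function names are the example's own.

```c
#include <stdint.h>
#include <stdio.h>

typedef unsigned __int128 u128;   /* gcc/clang extension, for 64x64-bit products */

/* Toy RSA key: two 30-bit primes so everything fits in 64-bit arithmetic.
 * Real keys are 2048+ bits; the mechanism below does not depend on size. */
#define P_TOY 1000000007ULL
#define Q_TOY 998244353ULL
#define E_TOY 65537ULL
#define N_TOY (P_TOY * Q_TOY)

static uint64_t mulmod(uint64_t a, uint64_t b, uint64_t m)
{
    return (uint64_t)((u128)a * b % m);
}

static uint64_t powmod(uint64_t b, uint64_t e, uint64_t m)
{
    uint64_t r = 1;
    b %= m;
    while (e) {
        if (e & 1) r = mulmod(r, b, m);
        b = mulmod(b, b, m);                   /* the squaring step */
        e >>= 1;
    }
    return r;
}

static uint64_t gcd64(uint64_t a, uint64_t b)
{
    while (b) { uint64_t t = a % b; a = b; b = t; }
    return a;
}

/* Modular inverse by extended Euclid; m < 2^63 so signed intermediates fit. */
static uint64_t invmod(uint64_t a, uint64_t m)
{
    int64_t t = 0, nt = 1, r = (int64_t)m, nr = (int64_t)(a % m);
    while (nr) {
        int64_t q = r / nr, tmp;
        tmp = t - q * nt; t = nt; nt = tmp;
        tmp = r - q * nr; r = nr; nr = tmp;
    }
    return (uint64_t)(t < 0 ? t + (int64_t)m : t);
}

/* RSA-CRT signature of m. With fault_q set, the mod-q half is deliberately
 * corrupted: this simulates an exponentiation whose squaring step returned
 * a wrong result, the effect a carry bug in BN_mod_exp has on one half. */
uint64_t crt_sign(uint64_t m, int fault_q)
{
    uint64_t phi = (P_TOY - 1) * (Q_TOY - 1);
    uint64_t d = invmod(E_TOY, phi);
    uint64_t sp = powmod(m % P_TOY, d % (P_TOY - 1), P_TOY);
    uint64_t sq = powmod(m % Q_TOY, d % (Q_TOY - 1), Q_TOY);
    if (fault_q)
        sq = (sq + 1) % Q_TOY;                 /* simulated wrong result */
    /* Garner recombination: s = sq + q * ((sp - sq) * q^-1 mod p) */
    uint64_t h = mulmod(invmod(Q_TOY, P_TOY), (sp + P_TOY - sq) % P_TOY, P_TOY);
    return sq + h * Q_TOY;
}

/* Bellcore / Boneh-DeMillo-Lipton: if exactly one CRT half is wrong, the
 * signature is still correct mod p, so gcd(s^e - m, n) recovers p. */
uint64_t recover_factor(uint64_t m, uint64_t sig)
{
    uint64_t v = powmod(sig, E_TOY, N_TOY);
    return gcd64((v + N_TOY - m % N_TOY) % N_TOY, N_TOY);
}

/* The standard countermeasure: verify with the public key before releasing
 * the signature. Returns 0 (refused) when the private computation was wrong. */
uint64_t sign_checked(uint64_t m, int fault_q)
{
    uint64_t s = crt_sign(m, fault_q);
    return powmod(s, E_TOY, N_TOY) == m % N_TOY ? s : 0;
}

int main(void)
{
    uint64_t m = 123456789;
    uint64_t bad = crt_sign(m, 1);
    printf("correct signature released: %d\n", sign_checked(m, 0) != 0);
    printf("faulty signature released:  %d\n", sign_checked(m, 1) != 0);
    printf("factor from faulty signature: %llu (p = %llu)\n",
           (unsigned long long)recover_factor(m, bad), (unsigned long long)P_TOY);
    return 0;
}
```

The point for a reviewer of crypto code is in `sign_checked`: a single wrong modular exponentiation is enough to leak a factor of n if the wrong value leaves the process, so libraries that cannot rule out arithmetic faults verify before they output. The OpenSSL advisory's "hard and expensive" assessment refers to finding inputs that actually trigger the MIPS bug, not to this recovery step, which is cheap once a faulty signature exists.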

Another disclosed vulnerability is CVE-2022-0330, identified in the i915 graphics driver and related to a missing GPU TLB flush. When an IOMMU (address translation) is not in use, the vulnerability allows access to random memory pages from user space.

The issue can be exploited to corrupt or read data in random areas of memory. It occurs on all integrated and discrete Intel GPUs. The fix adds a mandatory TLB flush before each operation that returns a GPU buffer to the system, which leads to performance degradation. The size of the impact depends on the GPU, the operations performed on it, and system load. So far the fix is only available as a patch.

Vulnerabilities were also found in the Glibc standard C library, affecting the realpath (CVE-2021-3998) and getcwd (CVE-2021-3999) functions. The problem in realpath() is described as returning an unexpected value under certain conditions, one that contains leftover, uninitialised data from the stack. For the SUID-root fusermount program, the vulnerability can be used to obtain sensitive information from process memory, for example pointer values.

The problem in getcwd() allows a one-byte buffer overflow (an off-by-one write when the caller passes a buffer of size 1). The bug has been present since 1995. To trigger the overflow, it is enough to call chdir() on the "/" directory inside a separate mount namespace. It is not stated whether the misbehaviour is limited to a crash, but there have been cases of successful exploitation of similar vulnerabilities in the past, despite scepticism from the developers.

Other vulnerabilities recently identified in open source projects:

  • Vulnerability CVE-2022-23220: in the usbview package, allows local users logged in via SSH to run code as root, because of a setting (allow_any=yes) in the PolKit rules that lets the usbview utility run as root without authentication. Exploitation comes down to passing the "--gtk-module" option to load an attacker-supplied library into usbview. The problem was fixed in usbview 2.2.
  • Vulnerability CVE-2022-22942: in the vmwgfx graphics driver used to implement 3D acceleration in VMware environments. The issue allows an unprivileged user to access files opened by other processes on the system. The attack requires access to the device /dev/dri/card0 or /dev/dri/renderD128 and the ability to make an ioctl() call on the obtained file descriptor.
  • Vulnerabilities CVE-2021-3996 and CVE-2021-3995: in the libmount library shipped with the util-linux package, allow an unprivileged user to unmount disk partitions without having permission to do so. The problems were identified during an audit of the SUID-root programs umount and fusermount.
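The usbview problem is a policy misconfiguration rather than a code bug, so the useful thing to show is the policy itself. The two fragments below are an added illustration, not usbview's actual .policy file: the action id and the binary path are placeholders. The first has the CVE-2022-23220 shape, the second is what a root-running helper should look like. In PolKit, allow_any applies to sessions that are neither local nor active (an SSH login is exactly that), allow_inactive to inactive local sessions, and allow_active to the user at the console.

```xml
<!-- WEAK (the CVE-2022-23220 pattern): every session, including SSH,
     may run the helper as root with no authentication at all. -->
<policyconfig>
  <action id="org.example.usbview.run">
    <description>Run usbview as root</description>
    <message>Authentication is required to run usbview as root</message>
    <defaults>
      <allow_any>yes</allow_any>
      <allow_inactive>yes</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/usbview</annotate>
  </action>
</policyconfig>

<!-- HARDENED: remote and inactive sessions get nothing; an active local
     session must authenticate as an administrator. -->
<policyconfig>
  <action id="org.example.usbview.run">
    <description>Run usbview as root</description>
    <message>Authentication is required to run usbview as root</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin</allow_active>
    </defaults>
    <annotate key="org.freedesktop.policykit.exec.path">/usr/bin/usbview</annotate>
  </action>
</policyconfig>
```

To audit an installed system for the weak pattern, look for `<allow_any>yes</allow_any>` in the files under /usr/share/polkit-1/actions/, and confirm the effective defaults of a given action with `pkaction --action-id <id> --verbose`. Tightening the defaults closes the SSH route, but a helper that accepts GTK's --gtk-module option still loads arbitrary shared objects for whoever is allowed to run it, so the policy should only ever grant it to users you would trust with root anyway.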
