A few days ago the release of the new version Tor 0.4.6.5 was announced. It is considered the first stable version of the 0.4.6 branch, which has evolved over the last five months.
The 0.4.6 branch will be maintained as part of the regular maintenance cycle; updates will be discontinued after 9 months, or 3 months after the release of the 0.4.7.x branch. In addition, long-term support (LTS) continues for the 0.3.5 branch, whose updates will be released until February 1, 2022.
At the same time, Tor versions 0.3.5.15, 0.4.4.9, and 0.4.5.9 were released, fixing DoS vulnerabilities that could cause denial of service for clients of onion services and for relays.
Main new features of Tor 0.4.6.5
This new version adds the ability to create "onion services" based on the third version of the protocol with authentication of client access through files in the 'authorized_clients' directory.
In addition, the ability to pass congestion information in extrainfo data has been provided, which can be used to balance load on the network. Transmission of the metrics is controlled by the OverloadStatistics option in torrc.
We can also find that a flag has been added for relays that lets the node operator understand that the relay is not included in the consensus when servers select directories (for example, when there are too many relays on a single IP address).
On the other hand, it is mentioned that support for old onion services based on the second version of the protocol, which was declared obsolete a year ago, has been removed. Complete removal of the code associated with the second version of the protocol is expected in the fall. The second version of the protocol was developed about 16 years ago and, because it uses outdated algorithms, it cannot be considered secure under modern conditions.
Two and a half years ago, in version 0.3.2.9, the third version of the protocol was offered to users. It is notable for the switch to 56-character addresses, more reliable protection against data leaks through directory servers, an extensible modular structure, and the use of the SHA3, ed25519 and curve25519 algorithms instead of SHA1, DH and RSA-1024.
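As an added illustration (not from the original article or the Tor Project's code), the Python sketch below checks the 56-character v3 address format mentioned above and flags 16-character v2 addresses, which is useful when auditing configuration files or bookmarks for services that no longer work with this release. The function names and the sample key are constructed for the example; the address layout (public key, 2-byte SHA3-256 checksum, version byte 3) follows the v3 rendezvous specification.

```python
import base64
import hashlib

V3_VERSION = b"\x03"

def v3_checksum(pubkey: bytes) -> bytes:
    # CHECKSUM = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]
    data = b".onion checksum" + pubkey + V3_VERSION
    return hashlib.sha3_256(data).digest()[:2]

def encode_v3(pubkey: bytes) -> str:
    """Build a v3 address from a 32-byte ed25519 public key."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    raw = pubkey + v3_checksum(pubkey) + V3_VERSION  # 35 bytes -> 56 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"

def classify_onion(address: str) -> str:
    """Return 'v3', 'v2-obsolete' or 'invalid' for a hostname."""
    host = address.strip().lower()
    if not host.endswith(".onion"):
        return "invalid"
    label = host[: -len(".onion")].split(".")[-1]  # ignore subdomains
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:  # bad alphabet, bad length, or non-ASCII input
        return "invalid"
    if len(raw) == 10:  # 16 characters: 80-bit truncated SHA1 of RSA-1024 key
        return "v2-obsolete"
    if len(raw) != 35:
        return "invalid"
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != V3_VERSION or checksum != v3_checksum(pubkey):
        return "invalid"
    return "v3"

# Constructed sample input: arbitrary bytes, not the key of a real service.
SAMPLE_KEY = bytes(range(32))
SAMPLE_V3 = encode_v3(SAMPLE_KEY)

if __name__ == "__main__":
    for host in (SAMPLE_V3, "abcdefghijklmnop.onion", "example.com"):
        print(f"{host:<64} {classify_onion(host)}")
```

The check is purely syntactic: it confirms the checksum and version byte, not that the key is a valid ed25519 point or that the service exists.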
Among the vulnerabilities fixed, the following are mentioned:
- CVE-2021-34550: access to a memory area outside the allocated buffer in the code that parses onion service descriptors based on the third version of the protocol. By publishing a specially crafted onion service descriptor, an attacker can block any client that tries to access this onion service.
- CVE-2021-34549: the ability to carry out an attack that causes denial of service on relays. An attacker can create circuits with identifiers that cause collisions in the hash function, and processing them leads to heavy CPU load.
- CVE-2021-34548: a relay could interfere with RELAY_END and RELAY_RESOLVED cells on closed streams, which allows terminating a stream that was set up without that relay's involvement.
- TROVE-2021-004: additional checks were added to detect failures when calling the OpenSSL random number generator (with the default RNG implementation in OpenSSL, such failures do not occur).
Other notable changes:
- The ability to limit the rate of client connections to relays has been added to the DoS protection subsystem.
- On relays, statistics are published on the number of onion services based on the third version of the protocol and on their traffic volume.
- Support for the DirPorts option has been removed from the relay code, since it is not used for this type of node.
- Code refactoring: the DoS protection system has been moved to the subsystem manager.
Finally, if you want to know more about this new version, you can check the details at the following link.
How to get Tor 0.4.6.5?
To get this new version, just go to the project's official website; in its download section we can find the source code for building it. You can get the source code from the following link.
For the particular case of Arch Linux users, we can get it from the AUR repository. At the moment the package has not yet been updated; you can monitor it from the following link, and as soon as it becomes available you can install it by typing the following command:
yay -S tor-git