Apache HTTP Server 2.4.41 has been released (release 2.4.40 was skipped). It brings a set of changes and fixes the following vulnerabilities:
- an issue in mod_http2 that could cause memory corruption when push requests are sent at a very early stage. When the "H2PushResource" setting is used, memory in the request-processing pool can be overwritten, but the problem is limited to corruption, because the data written is not based on information received from the client;
- recently disclosed DoS vulnerabilities in the HTTP/2 implementation. An attacker can exhaust the memory available to the process and create a heavy CPU load by opening the HTTP/2 sliding window so that the server sends data without restriction while closing the TCP window, which prevents the data from actually being written to the socket;
- an issue in mod_rewrite that allows the server to be used to forward requests to other resources (open redirect). Some mod_rewrite configurations can redirect the user to a different link, encoded with a newline character inside a parameter used in an existing redirect. To block the problem, the PCRE_DOTALL flag can be set in RegexDefaultOptions; it is now set by default;
- the ability to perform cross-site scripting on error pages displayed by mod_proxy. On these pages the link contains a URL obtained from the request, into which an attacker can insert arbitrary HTML code through character escaping;
- a stack overflow and NULL pointer dereference in mod_remoteip, exploited through manipulation of the PROXY protocol header. The attack can only be carried out from the side of the proxy server configured in the settings, not through a client request;
- a vulnerability in mod_http2 that allows, during connection shutdown, content to be read from an already freed memory region (read-after-free).
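The mod_rewrite item above concerns a redirect pattern being fooled by a newline hidden inside a percent-encoded parameter, with the PCRE_DOTALL flag as the mitigation. The script below is an added example, not code from the original article or from the httpd project: it uses Python's re module, whose re.DOTALL flag behaves like PCRE_DOTALL, to show how a `.*` capture and a `$` anchor treat an embedded newline with and without the flag, and what a defensive check on a decoded value looks like. The pattern `^/r/(.*)`, the decoded path and the allowlist check are all constructed for the illustration and do not reproduce the exact httpd rule shapes involved.

```python
import re
from typing import Optional

# Constructed sample input: a percent-decoded request path in which a
# parameter carries an embedded newline (%0A) followed by a second URL.
DECODED_PATH = "/r/page\nhttps://other.example/"


def capture_tail(pattern: str, subject: str, dotall: bool) -> Optional[str]:
    """Return group 1 of the first match of `pattern` in `subject`, or None.

    re.DOTALL is Python's analogue of PCRE_DOTALL: with it, '.' also
    matches a newline, so '(.*)' covers the whole remainder of the string
    instead of silently stopping at the first '\\n'.
    """
    flags = re.DOTALL if dotall else 0
    m = re.search(pattern, subject, flags)
    return m.group(1) if m else None


def is_allowed_local_path(path: str, end_anchor: str) -> bool:
    """Allowlist check for a local redirect target: only path characters.

    `end_anchor` is '$' or r'\\Z'. In both PCRE (without DOLLAR_ENDONLY)
    and Python's re, '$' also matches just before a newline that ends the
    string, so a value like "/ok\\n" slips through a '$'-anchored check.
    r'\\Z' matches only at the very end of the string.
    """
    return re.match(r"^/[A-Za-z0-9/_\-]*" + end_anchor, path) is not None


def contains_control_newline(decoded_value: str) -> bool:
    """Defensive pre-check: reject any decoded value carrying CR or LF
    before it is used to build a redirect target or a response header."""
    return "\n" in decoded_value or "\r" in decoded_value


if __name__ == "__main__":
    for dotall in (False, True):
        print(f"DOTALL={dotall}: ^/r/(.*)  -> {capture_tail(r'^/r/(.*)', DECODED_PATH, dotall)!r}")
        print(f"DOTALL={dotall}: ^/r/(.*)$ -> {capture_tail(r'^/r/(.*)$', DECODED_PATH, dotall)!r}")
    print("'/ok\\n' passes '$' check:", is_allowed_local_path("/ok\n", "$"))
    print("'/ok\\n' passes '\\Z' check:", is_allowed_local_path("/ok\n", r"\Z"))
    print("reject on newline:", contains_control_newline(DECODED_PATH))
```

Without DOTALL the unanchored pattern captures only `page` and the `$`-anchored pattern does not match at all, so whatever follows the newline is never seen by the rule; with DOTALL the capture contains the complete decoded value, including the second URL, and any further validation in the rule operates on all of it. Independently of the regex flags, rejecting decoded values that contain CR or LF before they reach a redirect target removes this whole class of surprises.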
The most notable non-security changes are:
- mod_proxy_balancer has improved protection against XSS/XSRF attacks from trusted peers;
- the SessionExpiryUpdate setting has been added to mod_session to define the interval at which the session/cookie expiry time is updated;
- error pages have been cleaned up, with the aim of no longer displaying information taken from requests on those pages;
- mod_http2 now honours the value of the "LimitRequestFieldSize" parameter, which previously applied only to checking HTTP/1.1 header fields;
- it is now ensured that the mod_proxy_hcheck configuration is created when BalancerMember is used;
- reduced memory consumption in mod_dav when the PROPFIND command is used on a large collection;
- in mod_proxy and mod_ssl, problems with certificate verification and SSL settings inside a proxy block have been resolved;
- mod_proxy allows the SSLProxyCheckPeer* settings to be applied to all proxy modules;
- the capabilities of the module from the Let's Encrypt project for automating the acquisition and maintenance of certificates using the ACME protocol (Automatic Certificate Management Environment) have been extended:
  - support for the second version of the protocol has been added; it is now the default and uses empty POST requests instead of GET.
  - support has been added for validation based on the TLS-ALPN-01 extension (RFC 7301, Application-Layer Protocol Negotiation), which is used in HTTP/2.
  - support for the 'tls-sni-01' validation method has been discontinued (due to ).
  - commands have been added for setting up and tearing down the check using the 'dns-01' method.
  - support in certificates has been added when DNS-based validation ('dns-01') is enabled.
  - the 'md-status' handler and the certificate status page 'https://domain/.httpd/certificate-status' have been implemented.
  - the "MDCertificateFile" and "MDCertificateKeyFile" directives have been added to configure domain parameters through static files (without support for automatic renewal).
  - the "MDMessageCmd" directive has been added to call an external command when a 'renewed', 'expiring' or 'error' event occurs.
  - the "MDWarnWindow" directive has been added to configure warning messages about certificate expiry;
Source: budenet.ru
