Apache HTTP Server 2.4.43 released

The Apache HTTP Server 2.4.43 release has been published (release 2.4.42 was skipped). It brings 34 changes and fixes 3 vulnerabilities:

  • CVE-2020-1927: a vulnerability in mod_rewrite that allows the server to be used to forward requests to other resources (open redirect). Some mod_rewrite configurations can be made to redirect the user to a foreign URL, smuggled in through an encoded newline character in a request parameter that is used in an existing redirect.
  • CVE-2020-1934: a vulnerability in mod_proxy_ftp. Use of an uninitialized value can cause the server to use uninitialized memory, which may leak memory contents, when proxying requests to an attacker-controlled FTP server.
  • A memory leak in mod_ssl that occurred when handling OCSP stapling responses.

The most notable non-security changes are:

  • A new mod_systemd module has been added, providing integration with the systemd service manager. The module lets httpd run in units with "Type=notify".
  • apxs gained additional build support.
  • The functionality of mod_md, developed by the Let's Encrypt project to automate obtaining and maintaining certificates with the ACME protocol (Automatic Certificate Management Environment), has been extended:
    • Added the MDContactEmail directive, which specifies a contact e-mail address separate from the value of the ServerAdmin directive.
    • The "tls-alpn-01" challenge (validation carried out via the ALPN protocol negotiated while establishing the TLS channel) is now supported for all virtual hosts.
    • mod_md directives may now be used inside additional configuration block types.
    • Reusing MDCAChallenges now overwrites the previous settings.
    • Added the ability to configure the URL used for the CT log monitor.
    • A command defined with MDMessageCmd is now called with the argument "installed" when a new certificate is activated after a server restart (this can be used, for example, to copy or convert the new certificate for other applications).
  • mod_proxy_hcheck adds support for the %{Content-Type} mask in health-check expressions.
  • The CookieSameSite, CookieHTTPOnly and CookieSecure directives were added to mod_usertrack to configure the user-tracking cookie.
  • mod_proxy_ajp implements a "secret" option for proxy workers to support the legacy AJP13 authentication protocol.
  • Added a configuration layout for OpenWRT.
  • mod_ssl can now use private keys and certificates from an OpenSSL ENGINE by specifying a PKCS#11 URI in SSLCertificateFile/SSLCertificateKeyFile.
  • Testing is now run on the Travis CI continuous integration system.
  • Handling of the Transfer-Encoding header has been made stricter.
  • mod_ssl negotiates the TLS protocol version per virtual host (supported when built with OpenSSL 1.1.1 or later).
  • By using a hash table for the directive table, restarts in "graceful" mode (without interrupting request handlers) have been sped up.
  • Read-only tables r:headers_in_table, r:headers_out_table, r:err_headers_out_table, r:notes_table and r:subprocess_env_table were added to mod_lua. Table values may now be "nil".
  • In mod_authn_socache, the maximum length of cached strings was increased from 100 to 256.
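The following httpd.conf fragment is an added example written for this page; it is not configuration from the original article or from the httpd project. It exercises several of the additions listed above in one place: mod_md with MDContactEmail and MDMessageCmd, tls-alpn-01 via the acme-tls/1 protocol, per-virtual-host SSLProtocol, the three new mod_usertrack cookie directives, the mod_proxy_ajp "secret" worker option, and PKCS#11 URIs for a key held in an HSM. The example.com host names, file paths, the PKCS#11 token and object labels, and the AJP secret are placeholders to replace. Apache does not allow comments on the same line as a directive, so every comment is on its own line.

```apache
# Added example (not the article's or the httpd project's own configuration).
# Placeholders: example.com names, paths, PKCS#11 labels, the AJP secret.

# mod_systemd lets httpd report readiness, so the unit can use Type=notify
LoadModule systemd_module   modules/mod_systemd.so
LoadModule ssl_module       modules/mod_ssl.so
LoadModule watchdog_module  modules/mod_watchdog.so
LoadModule md_module        modules/mod_md.so
LoadModule usertrack_module modules/mod_usertrack.so
LoadModule proxy_module     modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so

# mod_ssl: load the OpenSSL pkcs11 ENGINE so PKCS#11 URIs can be used below
SSLCryptoDevice pkcs11

# mod_md: ACME-managed certificate. MDContactEmail replaces the address that
# used to be taken from ServerAdmin. MDMessageCmd is invoked with the reason
# ("renewed", "installed", ...) and the domain as its arguments; the script
# path is a placeholder.
MDCertificateAgreement accepted
MDContactEmail certs@example.com
MDCAChallenges tls-alpn-01 http-01
MDMessageCmd /usr/local/sbin/md-notify.sh
MDomain example.com www.example.com

<VirtualHost *:443>
    ServerName www.example.com
    ServerAlias example.com
    # acme-tls/1 must be offered for the tls-alpn-01 challenge to work
    Protocols h2 http/1.1 acme-tls/1
    SSLEngine on
    # no SSLCertificateFile/KeyFile here: mod_md supplies the certificate
    # protocol selection is per virtual host with OpenSSL 1.1.1+
    SSLProtocol -all +TLSv1.3

    # mod_usertrack: tracking cookie hardened with the new directives
    CookieTracking on
    CookieName visitor
    CookieExpires "30 days"
    CookieSameSite Lax
    CookieHTTPOnly on
    CookieSecure on

    # mod_proxy_ajp: "secret=" enables legacy AJP13 authentication;
    # the Tomcat AJP connector must be configured with the same secret
    ProxyPass "/app/" "ajp://127.0.0.1:8009/app/" secret=replace-with-a-long-random-value
</VirtualHost>

<VirtualHost *:443>
    ServerName hsm.example.com
    SSLEngine on
    # the private key never leaves the HSM; httpd references it by PKCS#11 URI
    SSLCertificateFile    "pkcs11:token=hsm1;object=hsm-example-com;type=cert"
    SSLCertificateKeyFile "pkcs11:token=hsm1;object=hsm-example-com;type=private"
    # this host still admits TLS 1.2 clients, negotiated independently of the
    # TLS 1.3-only host above
    SSLProtocol -all +TLSv1.2 +TLSv1.3
</VirtualHost>
```

For the mod_systemd part, the matching unit runs httpd in the foreground (`ExecStart=/usr/sbin/httpd -DFOREGROUND`) with `Type=notify`, so systemd only reports the service as started once httpd has finished loading its configuration rather than as soon as the process exists. The PKCS#11 URI syntax follows RFC 7512; which token and object labels are valid depends on the HSM or token in use.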

source: budenet.ru
