Release of the Apache 2.4.46 http server with vulnerabilities fixed

The release of the Apache HTTP server 2.4.46 has been published (releases 2.4.44 and 2.4.45 were skipped). It introduces 17 changes and eliminates 3 vulnerabilities:

  • CVE-2020-11984 - a buffer overflow in the mod_proxy_uwsgi module that can lead to information leakage or code execution on the server when a specially crafted request is sent. The vulnerability is exploited by sending a very long HTTP header. As protection, headers larger than 16K (the limit defined in the protocol specification) are now blocked.
  • CVE-2020-11993 - a vulnerability in the mod_http2 module that allows the process to be crashed by sending a request with a specially crafted HTTP/2 header. The problem appears when debugging or tracing is enabled in the mod_http2 module and manifests as memory corruption caused by a race condition when writing information to the log. The problem does not occur when LogLevel is set to "info".
  • CVE-2020-9490 - a vulnerability in the mod_http2 module that allows the process to be crashed by sending a request over HTTP/2 with a specially crafted value of the 'Cache-Digest' header (the crash occurs when an HTTP/2 PUSH operation is attempted on the resource). To block the vulnerability, the "H2Push off" setting can be used.
  • CVE-2020-11985 - a vulnerability in mod_remoteip that allows IP addresses to be spoofed when proxying with mod_remoteip and mod_rewrite. The problem affects only releases 2.4.1 through 2.4.23.

The most notable non-security changes are:

  • Support for the kazuho-h2-cache-digest draft specification, whose promotion has been discontinued, has been removed from mod_http2.
  • The behaviour of the "LimitRequestFields" directive in mod_http2 has changed; specifying a value of 0 now disables the limit.
  • mod_http2 provides handling of primary and secondary (master/secondary) connections and marks methods depending on their usage.
  • If an invalid Last-Modified header value is received from an FCGI/CGI script, that header is now removed instead of being replaced with the Unix epoch time.
  • The ap_parse_strict_length() function has been added to the code for strict parsing of the content length.
  • mod_proxy_fcgi's ProxyFCGISetEnvIf ensures that environment variables are removed if the supplied expression returns false.
  • Fixed a race condition and possible crash in mod_ssl when using a client certificate specified via the SSLProxyMachineCertificateFile setting.
  • Fixed memory leaks in mod_ssl.
  • mod_proxy_http2 uses the proxy "ping" parameter when checking the health of a new or reused connection to the backend.
  • Linking httpd with the "-lsystemd" option when mod_systemd is enabled has been discontinued.
  • mod_proxy_http2 ensures that the ProxyTimeout setting is honoured when waiting for incoming data over the connection to the backend.
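To illustrate why the strict content-length parsing mentioned above matters, here is an added example (not Apache's ap_parse_strict_length() source, and not code from the page) that contrasts a lenient parser built on Python's int() with a strict one that accepts only ASCII digits and rejects values that would not fit a 63-bit length; the off_t range and the sample header values are assumptions constructed for the demonstration.

```python
import re

# Assumed positive range of a 64-bit off_t; lengths above it are rejected as overflow.
_MAX_OFF_T = 2**63 - 1

# Only ASCII digits 0-9 (Python's [0-9] is ASCII-only); no sign, whitespace,
# separators or trailing control characters. fullmatch() avoids the
# "$ matches before a trailing newline" pitfall of match().
_STRICT_DIGITS = re.compile(r"[0-9]+")


def parse_strict_length(value: str):
    """Strict Content-Length parse: int on success, None on any deviation."""
    if not _STRICT_DIGITS.fullmatch(value):
        return None
    length = int(value)
    if length > _MAX_OFF_T:
        return None  # would overflow the backend's length type
    return length


def parse_lenient_length(value: str):
    """Lenient parse via int(): shown for contrast, not for use on the wire."""
    try:
        return int(value)
    except ValueError:
        return None


# Constructed header values: only the first one should survive strict parsing.
SAMPLES = [
    "42",                 # well-formed
    " 42",                # leading whitespace
    "+42",                # explicit sign
    "4_2",                # underscore separator accepted by int()
    "\u0664\u0662",       # Arabic-Indic digits, also accepted by int()
    "42\r",               # trailing control character
    "-1",                 # negative length
    "9" * 30,             # larger than any off_t
]


def compare(values=SAMPLES):
    """Map each sample to (lenient result, strict result) for side-by-side review."""
    return {v: (parse_lenient_length(v), parse_strict_length(v)) for v in values}
```

Two peers that disagree on which of these values is a valid length can be made to disagree on where a request body ends, which is why a proxy and its backend should both parse strictly.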

source: budenet.ru
