Apache HTTP Server 2.4.49 released with fixes for five vulnerabilities

The Apache HTTP Server 2.4.49 release has been published. It brings 27 changes and fixes 5 vulnerabilities:

  • CVE-2021-33193 - mod_http2 is vulnerable to a new variant of the "HTTP Request Smuggling" attack: by sending a specially crafted client request, an attacker can inject content into requests from other users that are forwarded through mod_proxy (for example, to plant malicious JavaScript into another user's session on the site).
  • CVE-2021-40438 - SSRF (Server Side Request Forgery) in mod_proxy: a specially crafted request uri-path causes mod_proxy to forward the request to an origin server chosen by the attacker.
  • CVE-2021-39275 - Buffer overflow in the ap_escape_quotes function. The issue is treated as low impact because none of the bundled modules pass external data to this function, but third-party modules that do could be attacked through it.
  • CVE-2021-36160 - Out-of-bounds read in the mod_proxy_uwsgi module, leading to a crash.
  • CVE-2021-34798 - NULL pointer dereference that crashes the process when handling specially crafted requests.
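
As an added example (not part of the original article and not code from the httpd project), the following Python script maps `Server` banners from a host inventory to the five CVEs fixed in 2.4.49, so a practitioner can produce a first upgrade list. The host names and banner strings are constructed for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# The five CVEs the 2.4.49 release fixes, as listed in the release notes above.
FIXED_IN_2_4_49: Dict[str, str] = {
    "CVE-2021-33193": "mod_http2 HTTP request smuggling",
    "CVE-2021-40438": "mod_proxy SSRF via crafted uri-path",
    "CVE-2021-39275": "ap_escape_quotes buffer overflow",
    "CVE-2021-36160": "mod_proxy_uwsgi out-of-bounds read (crash)",
    "CVE-2021-34798": "NULL pointer dereference (crash)",
}

FIXED_VERSION = (2, 4, 49)

# "Apache/2.4.48 (Ubuntu) OpenSSL/1.1.1f" -> (2, 4, 48); a bare "Apache" banner
# (ServerTokens Prod) carries no version at all.
_VERSION_RE = re.compile(r"\bApache/(\d+)\.(\d+)\.(\d+)\b")


def parse_apache_version(server_header: str) -> Optional[Tuple[int, int, int]]:
    """Return the httpd version tuple from a Server header, or None if absent."""
    m = _VERSION_RE.search(server_header)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)))


def assess(server_header: str) -> Dict[str, object]:
    """Classify one Server header against the 2.4.49 fix boundary.

    'affected' is True (2.4.x older than 2.4.49), False (2.4.49 or newer), or
    None when the banner gives nothing usable: no version, not Apache httpd,
    or a branch other than 2.4, which these advisories do not describe.
    """
    version = parse_apache_version(server_header)
    if version is None:
        reason = ("no Apache version in banner" if "Apache" in server_header
                  else "not Apache httpd")
        return {"version": None, "affected": None, "cves": [], "reason": reason}
    if version[:2] != (2, 4):
        return {"version": version, "affected": None, "cves": [],
                "reason": "not the 2.4 branch; check that branch's own advisories"}
    affected = version < FIXED_VERSION          # numeric tuple comparison
    return {
        "version": version,
        "affected": affected,
        "cves": sorted(FIXED_IN_2_4_49) if affected else [],
        "reason": "banner predates 2.4.49" if affected else "2.4.49 or newer",
    }


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Map (host, Server header) pairs to (host, verdict) for a first-pass report."""
    out: List[Tuple[str, str]] = []
    for host, header in inventory:
        r = assess(header)
        if r["affected"] is True:
            verdict = "UPGRADE: " + ", ".join(r["cves"])  # type: ignore[arg-type]
        elif r["affected"] is False:
            verdict = "ok"
        else:
            verdict = "UNKNOWN: %s" % r["reason"]
        out.append((host, verdict))
    return out


# Constructed sample inventory (hypothetical hosts and banners, not real data).
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("web-1.internal", "Apache/2.4.48 (Ubuntu)"),
    ("web-2.internal", "Apache/2.4.49 (Unix) OpenSSL/1.1.1k"),
    ("web-3.internal", "Apache"),                  # ServerTokens Prod hides the version
    ("lb-1.internal", "nginx/1.21.1"),
    ("legacy.internal", "Apache/2.2.34 (Unix)"),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY):
        print(f"{host:18} {verdict}")
```

Treat the output as a triage list, not proof: distributions routinely backport security fixes into older version numbers, so a 2.4.x banner below 2.4.49 may already carry these patches (check the package changelog), and a host reporting only "Apache" has to be checked from the inside.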

The most notable non-security changes are:

  • Many internal changes in mod_ssl. The "ssl_engine_set", "ssl_engine_disable" and "ssl_proxy_enable" functions were moved from mod_ssl into the core, which makes it possible to use an alternative SSL implementation to protect connections made by mod_proxy. Logging of TLS session secrets (controlled by the SSLKEYLOGFILE environment variable, in the key log format that Wireshark understands) was added so that captured encrypted traffic can be decrypted for analysis; the file holds the secrets of every logged session and belongs only on test systems.
  • In mod_proxy, parsing of unix socket paths passed in "proxy:" URLs was improved.
  • The capabilities of mod_md, which automates obtaining and renewing certificates with the ACME protocol (Automatic Certificate Management Environment), have been expanded. Domain names containing digits are now permitted, and the tls-alpn-01 challenge is supported for domain names that are not tied to a virtual host.
  • The StrictHostCheck directive was added. When enabled, the server rejects requests whose Host header names a host that is not configured (via ServerName or ServerAlias) for the virtual host handling the request, instead of silently serving them from the default virtual host.
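
As an added example (not configuration from the article or from the httpd project), the fragment below shows StrictHostCheck in a name-based virtual host on 2.4.49 or later. The host names, port and DocumentRoot are assumptions.

```apache
# Added example configuration; example.com names and paths are placeholders.
Listen 80

# The first (default) virtual host is the one that receives requests whose
# Host header matches no ServerName/ServerAlias. With the default
# StrictHostCheck Off, such requests are simply served from here.
# With StrictHostCheck On, a request for e.g. "Host: attacker.example.net"
# is refused with 400 Bad Request instead of being handled as www.example.com.
<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com
    StrictHostCheck On
    DocumentRoot /var/www/example
</VirtualHost>
```

Because unmatched names fall through to the default virtual host, the directive matters most there; enable it on every host whose application trusts the Host header (for building redirects, links or password-reset URLs), and list every legitimate name as a ServerAlias first, or those requests will start failing.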

source: budenet.ru
