Apache HTTP Server 2.4.53 released with fixes for dangerous vulnerabilities

Apache HTTP Server 2.4.53 has been released. It brings 14 changes and fixes 4 vulnerabilities:

  • CVE-2022-22720: a possible HTTP Request Smuggling attack. By sending specially crafted client requests, an attacker can wedge into the content of other users' requests that are relayed through mod_proxy (for example, to inject malicious JavaScript into another user's session on the site). The problem is caused by inbound connections being left open after errors encountered while discarding an invalid request body.
  • CVE-2022-23943: a buffer overflow in the mod_sed module allows heap memory to be overwritten with attacker-controlled data.
  • CVE-2022-22721: a possible out-of-bounds write caused by an integer overflow when a request body larger than 350 MB is passed. The problem only appears on 32-bit systems in configurations where LimitXMLRequestBody is set to a very large value (the default is 1 MB; for the attack to work the limit must exceed 350 MB).
  • CVE-2022-22719: a vulnerability in mod_lua that allows reading random memory areas and crashing the process when a specially crafted request body is handled. The problem is caused by the use of an uninitialised value in the code of the r:parsebody function.
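
Two checks a practitioner would run around this upgrade, written here as an added example (not code from the Apache project or from the advisory). audit_limit_xml_request_body() flags LimitXMLRequestBody values that put a 32-bit build in the range described for CVE-2022-22721 (0, meaning unlimited, or above 350 MB, taken here as 350*1024*1024 bytes, which is an assumption about the rounding). probe_connection_close() tests the precondition for CVE-2022-22720: whether a server keeps reading the connection after it hits an error in a request body. The malformed chunked body in the probe is constructed for this example; the page does not state which body errors reach the affected code path in 2.4.52, so treat a clean result as evidence, not proof.

```python
"""Checks around the httpd 2.4.53 security fixes (added example, not Apache code)."""
import re
import socket

# --- CVE-2022-22721: LimitXMLRequestBody audit ---------------------------
# The advisory text says the overflow needs a limit above 350 MB on 32-bit
# builds and that the default is 1 MB. The byte threshold below is an
# assumption about how "350MB" rounds; 0 means "no limit" in httpd.
DANGEROUS_XML_BODY_LIMIT = 350 * 1024 * 1024
DEFAULT_XML_BODY_LIMIT = 1_000_000

_DIRECTIVE = re.compile(r"^[ \t]*LimitXMLRequestBody[ \t]+(\d+)[ \t]*$", re.I | re.M)


def audit_limit_xml_request_body(conf_text):
    """Return [(value, verdict), ...] for every LimitXMLRequestBody in conf_text.

    If the directive is absent, the 1 MB default applies and is reported as ok.
    """
    findings = []
    for m in _DIRECTIVE.finditer(conf_text):
        value = int(m.group(1))
        if value == 0:
            findings.append((value, "unlimited: exposed on 32-bit before 2.4.53"))
        elif value > DANGEROUS_XML_BODY_LIMIT:
            findings.append((value, "above 350MB: exposed on 32-bit before 2.4.53"))
        else:
            findings.append((value, "ok"))
    if not findings:
        findings.append((DEFAULT_XML_BODY_LIMIT, "default (directive absent): ok"))
    return findings


# --- CVE-2022-22720: does the server close after a body error? -----------
# Request 1 carries a chunked body whose chunk-size line is not hex, so the
# body cannot be read or discarded cleanly. Request 2 is queued right behind
# it on the same connection. A server that closes after the error answers at
# most once; a server that keeps the connection open may parse and answer
# request 2 as well, which is the behaviour that makes smuggling possible.
PROBE = (
    b"POST / HTTP/1.1\r\n"
    b"Host: %s\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
    b"zz\r\n"                        # invalid chunk-size line (constructed)
    b"GET /?second HTTP/1.1\r\n"     # request 2: should never be answered
    b"Host: %s\r\n"
    b"\r\n"
)

_STATUS_LINE = re.compile(rb"^HTTP/1\.[01] (\d{3})\b", re.M)


def count_http_responses(raw):
    """Return the status codes of all HTTP/1.x responses found in raw bytes."""
    return [int(code) for code in _STATUS_LINE.findall(raw)]


def probe_connection_close(host, port=80, timeout=5.0):
    """Send PROBE; return (status_codes, second_request_answered).

    second_request_answered is True when two or more responses came back,
    i.e. the server kept parsing after the body error. Needs network access.
    """
    hostb = host.encode()
    received = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(PROBE % (hostb, hostb))
        try:
            while True:
                data = sock.recv(65536)
                if not data:          # peer closed: the expected outcome
                    break
                received.append(data)
        except socket.timeout:        # peer kept the connection open
            pass
    codes = count_http_responses(b"".join(received))
    return codes, len(codes) >= 2


if __name__ == "__main__":
    import sys
    # usage: script.py httpd.conf [host port]
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            print(audit_limit_xml_request_body(fh.read()))
    if len(sys.argv) > 3:
        print(probe_connection_close(sys.argv[2], int(sys.argv[3])))
```

The probe deliberately reads until the peer closes or the socket times out: a patched server closes the connection after the error, so EOF is the healthy result, and a timeout with only one response means the server kept the connection open without answering the second request, which still deserves a look.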

The most notable non-security changes are:

  • mod_proxy: a limit was added on the number of characters in a worker name. It is now possible to set timeouts selectively for the backend and the frontend (for example, per worker). For requests sent over WebSocket or via the CONNECT method, the timeout is now the larger of the values set for the backend and the frontend.
  • Opening a DBM file has been separated from loading the DBM driver. On failure, the log now shows more detail about the error and the driver.
  • mod_md no longer handles requests to /.well-known/acme-challenge/ unless the domain's settings allow the 'http-01' challenge type.
  • mod_dav: fixed a regression that caused excessive memory use when handling large collections of resources.
  • Added the option to use the pcre2 (10.x) library instead of pcre (8.x) for regular-expression processing.
  • Added support for parsing LDAP search-filter expressions so that data can be escaped when an LDAP injection attack is attempted.
  • mpm_event: fixed a deadlock that occurred on restart or when the MaxConnectionsPerChild limit was exceeded on heavily loaded systems.
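
The escaping that defends against LDAP injection, as an added example (not mod_authnz_ldap's or the httpd project's own code): the characters that carry structural meaning in an RFC 4515 search filter are replaced with a backslash and two hex digits, so user input can never close or open a filter component. The attribute name, the filter template and the sample usernames are assumptions made for this example.

```python
"""RFC 4515 filter-value escaping, as a worked example (not Apache's code)."""

# Characters that change the structure of an LDAP search filter, with their
# RFC 4515 escaped forms (backslash + two hex digits).
_STRUCTURAL = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29"}


def escape_ldap_filter_value(value):
    """Escape a string for use as an assertion value inside an LDAP filter.

    Structural characters get their RFC 4515 escape; control characters and
    non-ASCII text are hex-escaped byte by byte (RFC 4515 permits raw UTF-8
    for the latter; escaping it is the conservative choice taken here).
    """
    out = []
    for ch in value:
        if ch in _STRUCTURAL:
            out.append(_STRUCTURAL[ch])
        elif ord(ch) < 0x20 or ord(ch) > 0x7E:
            out.append("".join("\\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


# Filter template assumed for the example; the attribute name is a parameter.
USER_FILTER = "(&({attr}={user})(objectClass=person))"


def unsafe_user_filter(attr, username):
    """The injectable form: user input is pasted into the filter verbatim."""
    return USER_FILTER.format(attr=attr, user=username)


def safe_user_filter(attr, username):
    """The escaped form: user input can only ever be an assertion value."""
    return USER_FILTER.format(attr=attr, user=escape_ldap_filter_value(username))


def filter_component_count(ldap_filter):
    """Count '(' in a filter: a crude way to see that injection added components."""
    return ldap_filter.count("(")


if __name__ == "__main__":
    # Constructed malicious username: tries to widen the match to every person.
    evil = "*)(uid=*"
    print(unsafe_user_filter("uid", evil))  # (&(uid=*)(uid=*)(objectClass=person))
    print(safe_user_filter("uid", evil))    # (&(uid=\2a\29\28uid=\2a)(objectClass=person))
```

With the raw input, the template's three components become four and the username check degenerates to "any uid"; after escaping, the same input is a literal value that matches no entry, and the filter keeps its original three components.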

source: budenet.ru
