Release of the Apache 2.4.52 http server with a vulnerability fix in mod_lua

Apache HTTP server 2.4.52 has been released, introducing 25 changes and eliminating 2 vulnerabilities:

  • CVE-2021-44790 is a buffer overflow in mod_lua that occurs when parsing multipart requests. The vulnerability affects configurations in which Lua scripts call the r:parsebody() function to parse the request body, allowing an attacker to trigger the overflow by sending a specially crafted request. No evidence of a working exploit has been identified yet, but the issue could potentially lead to execution of the attacker's code on the server.
  • CVE-2021-44224 - an SSRF (Server Side Request Forgery) vulnerability in mod_proxy which allows, in configurations with the "ProxyRequests on" setting, a request for a specially crafted URI to be redirected to another handler on the same server that accepts connections over a Unix Domain Socket. The issue can also be used to cause a crash by creating the conditions for a null pointer dereference. The issue affects Apache httpd versions starting from 2.4.7.

The most notable non-security changes are:

  • Added support for building mod_ssl against the OpenSSL 3 library.
  • Improved detection of the OpenSSL library in the autoconf scripts.
  • In mod_proxy, for tunnelling protocols, it is now possible to disable forwarding of half-closed TCP connections by setting the "SetEnv proxy-nohalfclose" parameter.
  • Added additional checks that URIs not intended for proxying contain an http/https scheme, and that those intended for proxying contain a host name.
  • mod_proxy_connect and mod_proxy no longer allow the status code to be changed after it has been sent to the client.
  • When sending intermediate responses after receiving a request with an "Expect: 100-Continue" header, ensure that the result indicates a "100 Continue" status rather than the current status of the request.
  • mod_dav added support for CalDAV extensions, which require both document and property elements to be taken into account when generating a property. Added the new functions dav_validate_root_ns(), dav_find_child_ns(), dav_find_next_ns(), dav_find_attr_ns() and dav_find_attr(), which can be called from other modules.
  • In mpm_event, the problem with stopping idle child processes after a spike in server load has been resolved.
  • mod_http2 fixed regressions that caused incorrect behaviour when handling the MaxRequestsPerChild and MaxConnectionsPerChild limits.
  • The capabilities of the mod_md module, used to automate obtaining and maintaining certificates via the ACME (Automatic Certificate Management Environment) protocol, have been expanded:
    • Added support for the ACME External Account Binding (EAB) mechanism, enabled with the MDExternalAccountBinding directive. The values for EAB can be configured from an external JSON file, avoiding exposure of the authentication parameters in the main server configuration file.
    • The 'MDCertificateAuthority' directive now verifies that the URL contains http/https or one of the predefined names ('LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test').
    • Allowed the MDContactEmail directive to be specified inside the section.
    • Several bugs were fixed, including a memory leak that occurred when loading a private key failed.
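As an added illustration that is not part of the original announcement or of the Apache project's own documentation, the following constructed httpd configuration shows the open forward-proxy setting that is the precondition for the mod_proxy SSRF above, next to a reverse-proxy setup that uses the new proxy-nohalfclose variable and the mod_md EAB options. Host names, paths, the e-mail address and the ACME directory URL are placeholders.

```apache
# --- Weak: an open forward proxy. "ProxyRequests On" is the precondition
# for the CVE-2021-44224 request redirection described above, so it should
# stay off unless the host is deliberately operated as a forward proxy.
# ProxyRequests On

# --- Hardened: forward proxying disabled (the default), explicit reverse
# proxying only. The backend host name is a placeholder.
ProxyRequests Off
ProxyPass        "/app/" "http://backend.internal.example:8080/"
ProxyPassReverse "/app/" "http://backend.internal.example:8080/"

# New in 2.4.52: for tunnelled protocols (here a WebSocket endpoint via
# mod_proxy_wstunnel) stop mod_proxy from forwarding half-closed TCP
# connections to the backend.
<Location "/ws/">
    SetEnv proxy-nohalfclose 1
    ProxyPass "ws://backend.internal.example:8081/"
</Location>

# mod_md with ACME External Account Binding. The kid/hmac pair is kept in
# an external JSON file of the form {"kid": "...", "hmac": "..."} so the
# credentials are not exposed in the main server configuration.
# The CA directory URL is a placeholder for a CA that requires EAB.
MDCertificateAuthority   https://acme.ca.example/directory
MDExternalAccountBinding /etc/apache2/md/eab.json
<MDomain "www.example.com">
    MDContactEmail hostmaster@example.com
</MDomain>
```

The EAB JSON file should be readable only by the user running httpd, since it carries the account credentials that the directive keeps out of the main configuration.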

Source: opennet.ru
