Apache HTTP Server 2.4.52 released with a fix for a buffer overflow in mod_lua

Apache HTTP Server 2.4.52 has been released, bringing 25 changes and fixing 2 vulnerabilities:

  • CVE-2021-44790 is a buffer overflow in mod_lua that occurs while parsing multipart requests. The issue affects configurations in which Lua scripts call the r:parsebody() function to parse the request body, and lets an attacker trigger the overflow by sending a specially crafted request. No exploit has been observed so far, but the problem could potentially lead to code execution on the server.
  • CVE-2021-44224 is an SSRF (Server Side Request Forgery) vulnerability in mod_proxy which, in configurations with the "ProxyRequests on" setting, allows a request with a specially crafted URI to be redirected to another handler on the same server that accepts connections over a Unix Domain Socket. The issue can also be used to cause a crash by creating the conditions for a NULL pointer dereference. It affects Apache httpd versions starting from 2.4.7.
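The "ProxyRequests on" precondition for CVE-2021-44224 is worth checking for in existing configurations, since most deployments only need reverse proxying. The following configuration is an added example, not taken from the article or from the Apache project: it shows the exposed forward-proxy setting (kept commented out) next to a reverse-proxy-only setup that does not need it. The listener ports, hostnames, backend address and network range are constructed for this example.

```apache
# Exposed pattern to look for during review: a forward proxy
# ("ProxyRequests On") whose <Proxy> block grants access to everyone.
# Kept commented out here so this file as a whole stays safe to load.
#
# Listen 8080
# <VirtualHost *:8080>
#     ProxyRequests On
#     <Proxy "*">
#         Require all granted
#     </Proxy>
# </VirtualHost>

# Hardened form: reverse proxy only. "ProxyRequests Off" is the default
# and is all that is needed when httpd merely fronts a backend via ProxyPass.
Listen 443
<VirtualHost *:443>
    # Constructed hostname and backend address
    ServerName www.example.com
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        "/app/" "http://10.0.0.5:8080/app/"
    ProxyPassReverse "/app/" "http://10.0.0.5:8080/app/"
</VirtualHost>

# If a forward proxy is genuinely required, keep it off the public listener
# and restrict who may use it. Upgrading to 2.4.52 remains the actual fix.
# <Proxy "*">
#     Require ip 10.0.0.0/8
# </Proxy>
```

Running `apachectl -t` after the change validates the syntax, and `apachectl -M` confirms whether mod_proxy (and mod_lua, for the other advisory) is loaded at all on a given host.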

The most notable non-security changes are:

  • Added support for building mod_ssl against the OpenSSL 3 library.
  • Improved detection of the OpenSSL library in the autoconf scripts.
  • In mod_proxy, for tunneling protocols, forwarding of half-closed TCP connections can now be disabled by setting "SetEnv proxy-nohalfclose".
  • Added checks that URIs intended for proxying carry an http/https scheme, and that those handled by the proxy's CONNECT path carry a host name.
  • mod_proxy_connect and mod_proxy no longer allow the status code to be changed after it has been sent to the client.
  • When sending intermediate responses after receiving a request with an "Expect: 100-Continue" header, the result now reports the "100 Continue" status instead of the current request status.
  • mod_dav adds support for CalDAV extensions, which require both document elements and properties to be taken into account when creating a document. New functions dav_validate_root_ns(), dav_find_child_ns(), dav_find_next_ns(), dav_find_attr_ns() and dav_find_attr() were added and can be called from other modules.
  • In mpm_event, a problem with stopping idle child processes after a spike in server load has been resolved.
  • mod_http2 has had regressions removed that led to incorrect behaviour when handling the MaxRequestsPerChild and MaxConnectionsPerChild limits.
  • The capabilities of the mod_md module, used to automate obtaining and maintaining certificates via the ACME (Automatic Certificate Management Environment) protocol, have been extended:
    • Added support for the ACME External Account Binding (EAB) mechanism, enabled with the MDExternalAccountBinding directive. The EAB values can be configured from an external JSON file, avoiding exposure of the authentication parameters in the main server configuration file.
    • The 'MDCertificateAuthority' directive now checks that its parameter is an http/https URL or one of the predefined names ('LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test').
    • The MDContactEmail directive may now be specified inside a section.
    • Several bugs have been fixed, including a memory leak that occurred when loading a private key failed.
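Two of the changes above are configuration knobs, and the following fragment is an added example of how they fit together; it is not taken from the article or from the Apache project. It assumes an ACME CA that requires External Account Binding, reachable at a constructed directory URL, and assumes that the external EAB file is a JSON object with "kid" and "hmac" members (the file name, domain names, contact address and backend address are all constructed for this example).

```apache
# mod_md: obtain and renew certificates via ACME from a CA that requires
# External Account Binding. The key id and HMAC are read from a separate
# JSON file (constructed path) so they never appear in the main config.
LoadModule md_module modules/mod_md.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule watchdog_module modules/mod_watchdog.so

# Constructed CA directory URL; a predefined name such as "LetsEncrypt"
# would also pass the directive's validation.
MDCertificateAuthority https://acme.example.net/directory
MDCertificateAgreement accepted
# Assumed file contents: {"kid": "<key id>", "hmac": "<base64url hmac>"}
MDExternalAccountBinding /etc/httpd/md/eab-acme-example.json
MDContactEmail hostmaster@example.com
MDomain example.com www.example.com

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
</VirtualHost>

# mod_proxy tunnel: keep a WebSocket tunnel from being torn down when one
# side half-closes the TCP connection (requires mod_proxy_wstunnel).
<Location "/ws/">
    ProxyPass "ws://10.0.0.5:8080/ws/"
    SetEnv proxy-nohalfclose
</Location>
```

The EAB file should be owned by root and readable only by the user httpd starts as, since it grants the right to register accounts with that CA; `apachectl -t` checks the syntax, and the md-status handler (if enabled) shows whether the domain's certificate was obtained.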

Source: opennet.ru
