Apache HTTP Server 2.4.41 released with security fixes

The Apache HTTP Server 2.4.41 release has been published (release 2.4.40 was skipped); it brings 23 changes and fixes 6 vulnerabilities:

  • CVE-2019-10081 is an issue in mod_http2 that can lead to memory corruption when push requests are sent at a very early stage. When "H2PushResource" is used, memory in the request-processing pool can be overwritten, but the impact is limited to a crash because the data being written is not derived from information received from the client;
  • CVE-2019-9517 - the recently disclosed DoS vulnerability in HTTP/2 implementations. An attacker can exhaust the memory available to the process and generate heavy CPU load by opening the HTTP/2 sliding window so that the server sends data without restriction, while keeping the TCP window closed, which prevents the data from actually being written to the socket;
  • CVE-2019-10098 - a problem in mod_rewrite that allows the server to be used to forward requests to other resources (open redirect). Certain mod_rewrite configurations can cause the user to be forwarded to a different link, encoded using a newline character inside a parameter used in an existing redirect. To block the issue, the PCRE_DOTALL flag can be used in RegexDefaultOptions; it is now set by default;
  • CVE-2019-10092 - the ability to perform cross-site scripting on error pages displayed by mod_proxy. On these pages the link contains a URL taken from the request, into which an attacker can insert arbitrary HTML code through character escaping;
  • CVE-2019-10097 - stack overflow and NULL pointer dereference in mod_remoteip, exploited through manipulation of the PROXY protocol header. The attack can only be carried out from the side of the proxy server used in the configuration, not through a client request;
  • CVE-2019-10082 - a vulnerability in mod_http2 that allows, when a connection is being shut down, a read from a memory region that has already been freed (use-after-free).

The most notable non-security changes are:

  • mod_proxy_balancer has improved protection against XSS/XSRF from trusted peers;
  • The SessionExpiryUpdateInterval setting has been added to mod_session to control the interval at which the session / cookie expiry time is updated;
  • Error pages have been cleaned up to remove the display of request information on these pages;
  • mod_http2 now takes into account the value of the "LimitRequestFieldSize" parameter, which previously applied only when checking HTTP/1.1 header fields;
  • Ensured that the mod_proxy_hcheck configuration is created when it is used in BalancerMember;
  • Reduced memory consumption in mod_dav when the PROPFIND command is used on a large collection;
  • In mod_proxy and mod_ssl, problems with specifying certificate and SSL settings inside a Proxy block have been resolved;
  • mod_proxy allows the SSLProxyCheckPeer* settings to apply to all proxy modules;
  • The mod_md module, developed by the Let's Encrypt project to automate obtaining and maintaining certificates using the ACME (Automatic Certificate Management Environment) protocol, has been extended:
    • Added the second version of the protocol, ACMEv2, which is now the default and uses empty POST requests instead of GET.
    • Added support for verification based on the TLS-ALPN-01 extension (RFC 7301, Application-Layer Protocol Negotiation), which is used in HTTP/2.
    • Support for the 'tls-sni-01' verification method has been discontinued (due to vulnerabilities).
    • Added commands for setting up and tearing down the check when using the 'dns-01' method.
    • Added support for wildcards in certificates when DNS-based verification ('dns-01') is enabled.
    • Added the 'md-status' handler and the certificate status page 'https://domain/.httpd/certificate-status'.
    • Added the "MDCertificateFile" and "MDCertificateKeyFile" directives for configuring domain parameters via static files (without automatic renewal support).
    • "MDMessageCmd" was added to invoke external commands when 'renewed', 'expiring' or 'errored' events occur.
    • Added the "MDWarnWindow" directive to configure the warning about certificate expiry;
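As an added example that is not part of the release notes (nor the project's own sample configuration), the following httpd.conf fragment shows how the mod_md directives listed above fit together. The domain names, file paths and the notify script are placeholders, and apart from the directive names taken from the page, the syntax and values follow the mod_md documentation and are assumptions to check against your own build.

```apache
# Added example, not from the release notes. example.com, the file
# paths and /usr/local/bin/md-notify.sh are placeholders.
LoadModule ssl_module modules/mod_ssl.so
LoadModule watchdog_module modules/mod_watchdog.so
LoadModule md_module modules/mod_md.so

# ACMEv2 directory (Let's Encrypt production); ACMEv2 is now the default.
MDCertificateAuthority https://acme-v02.api.letsencrypt.org/directory
MDCertificateAgreement accepted

# Prefer tls-alpn-01 (runs on port 443, so it works alongside HTTP/2),
# fall back to http-01. tls-sni-01 is no longer offered.
MDCAChallenges tls-alpn-01 http-01

# Start warning when less than 20% of the certificate lifetime is left
# (the warning is delivered through MDMessageCmd as an 'expiring' event).
MDWarnWindow 20%
# Hook invoked as: /usr/local/bin/md-notify.sh <reason> <domain>
# with reason being renewed, expiring or errored.
MDMessageCmd /usr/local/bin/md-notify.sh

# Domain managed automatically via ACME.
MDomain example.com www.example.com

# Domain with a statically supplied certificate: no ACME renewal,
# but mod_md still tracks its status and expiry.
<MDomain static.example.com>
    MDCertificateFile /etc/ssl/certs/static.example.com.crt
    MDCertificateKeyFile /etc/ssl/private/static.example.com.key
</MDomain>

# The status handler exposes certificate and renewal details;
# restrict it to an admin network instead of serving it publicly.
<Location "/md-status">
    SetHandler md-status
    Require ip 10.0.0.0/8
</Location>
# https://example.com/.httpd/certificate-status is public by default;
# disable it if you do not want that information exposed.
MDCertificateStatus off

<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    ServerAdmin hostmaster@example.com
    SSLEngine on
    Protocols h2 http/1.1
</VirtualHost>
```

Check the result with `httpd -t` and the md-status page from the allowed network after a restart; the first ACME order only runs once the server is up with the watchdog module loaded.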

Source: opennet.ru
