Apache 2.4.49 HTTP server release with vulnerability fixes

The release of the Apache 2.4.49 HTTP server has been published, bringing 27 changes and fixing 5 vulnerabilities:

  • CVE-2021-33193 - mod_http2 is susceptible to a new variant of the "HTTP Request Smuggling" attack which, by sending specially crafted client requests, allows wedging into requests from other users passed through mod_proxy (for example, injecting malicious JavaScript code into another user's session on the site).
  • CVE-2021-40438 - an SSRF (Server Side Request Forgery) vulnerability in mod_proxy that allows a request to be redirected to a server chosen by the attacker by sending a specially crafted uri-path request.
  • CVE-2021-39275 - buffer overflow in the ap_escape_quotes function. The vulnerability is marked as benign because none of the standard modules pass external data to this function, but third-party modules that could be attacked may exist.
  • CVE-2021-36160 - out-of-bounds read in the mod_proxy_uwsgi module leading to a crash.
  • CVE-2021-34798 - NULL pointer dereference causing a crash when processing specially crafted requests.

The most notable non-security changes are:

  • Numerous internal changes in mod_ssl. The "ssl_engine_set", "ssl_engine_disable" and "ssl_proxy_enable" settings have been moved from mod_ssl into the core. SSL modules can now be used to secure connections made through mod_proxy. Added the ability to log private keys, which can be used in wireshark to analyze encrypted traffic.
  • In mod_proxy, the handling of unix socket paths passed in "proxy:" URLs has been sped up.
  • The capabilities of the mod_md module, used to automate obtaining and maintaining certificates with the ACME (Automatic Certificate Management Environment) protocol, have been extended. Domains may now be surrounded by quotes, and tls-alpn-01 support is provided for domain names that are not bound to a host.
  • Added the StrictHostCheck parameter, which disallows specifying unconfigured hostnames among the "allow" arguments.
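As an added illustration of the new hostname check (this fragment is not from the announcement or from the Apache project's own documentation), the httpd.conf below shows the default behaviour next to the strict one. The host names and document roots are placeholder values.

```apache
# Added example configuration, not from the announcement.
# Requires Apache httpd 2.4.49 or later, where StrictHostCheck was introduced.
# example.com, www.example.com, intranet.example.com and the paths are placeholders.

ServerName www.example.com

# Default (StrictHostCheck Off): a request whose Host header matches no
# ServerName/ServerAlias is still answered by the first (default) virtual
# host configured for the address:port, i.e. any name reaches the server.
# StrictHostCheck Off

# Hardened: a request for a host name not listed in the ServerName or
# ServerAlias of the selected virtual host is rejected with HTTP 400
# instead of being silently served by the default virtual host.
# Set at global scope so it applies to every virtual host below.
StrictHostCheck On

<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com
    DocumentRoot "/var/www/example"
</VirtualHost>

<VirtualHost *:80>
    ServerName intranet.example.com
    DocumentRoot "/var/www/intranet"
</VirtualHost>
```

After `apachectl configtest` and a reload, a request carrying an unlisted host name (for example `Host: unknown.example.net`) gets a 400 response rather than the content of the first virtual host, and the rejection lands in the error log, which gives a cheap signal for traffic aimed at names the server was never meant to serve. Name-based virtual hosts that rely on a catch-all default host need their aliases listed explicitly before the setting is turned on.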

Source: opennet.ru
