Apache HTTP Server 2.4.52 released, fixing a buffer overflow in mod_lua

Apache HTTP Server 2.4.52 has been released, bringing 25 changes and fixing two vulnerabilities:

  • CVE-2021-44790 is a buffer overflow in mod_lua that occurs when parsing multipart request bodies. The vulnerability affects configurations in which Lua scripts call the r:parsebody() function to parse the request body, allowing an attacker to trigger the overflow by sending a specially crafted request. No working exploit is known, but the issue could potentially lead to execution of attacker-supplied code on the server.
  • CVE-2021-44224 is an SSRF (Server Side Request Forgery) vulnerability in mod_proxy. In configurations with "ProxyRequests on" (forward proxying), a specially crafted URI in a request can cause the request to be routed to a different backend declared on the same server, one that is reached over a Unix domain socket. The same issue can also be used to crash the server by triggering a NULL pointer dereference. It affects Apache httpd versions from 2.4.7 up to 2.4.51.
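A quick way to triage exposure to the two fixes is to check the running version against the affected range and to look for the configuration pattern the mod_proxy advisory describes (forward proxying enabled alongside a unix: reverse-proxy target), plus whether mod_lua is loaded at all. The script below is an added example, not code from the Apache httpd project or from the article; the two configurations it scans are constructed for the example, and the parser is deliberately simple (it does not follow Include directives or scope directives per VirtualHost, so a hit means "look closer", not proof of exploitability).

```python
"""Triage helper for the Apache httpd 2.4.52 security fixes (added example).

It checks a version banner against the affected range 2.4.7 <= v < 2.4.52 and
scans httpd configuration text for:
  - ProxyRequests On                    (forward proxy, CVE-2021-44224)
  - ProxyPass/ProxyPassMatch to unix:   (the backend the SSRF variant reaches)
  - LoadModule lua_module               (surface for CVE-2021-44790)
"""
import re
import shlex
from dataclasses import dataclass, field

# Constructed sample (not a real deployment): a forward proxy and a
# Unix-socket reverse proxy declared in the same server.
WEAK_CONF = """\
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule lua_module modules/mod_lua.so

# Forward proxy for the office network
ProxyRequests On
<Proxy "*">
    Require ip 10.0.0.0/8
</Proxy>

# Reverse proxy to an internal application over a Unix domain socket
ProxyPass "/app/" "unix:/run/app.sock|http://localhost/"
"""

# The same configuration with forward proxying switched off.
HARDENED_CONF = WEAK_CONF.replace("ProxyRequests On", "ProxyRequests Off")

AFFECTED_MIN = (2, 4, 7)   # first affected release
FIXED = (2, 4, 52)         # first release carrying the fixes


def parse_version(banner: str) -> tuple:
    """Extract a three-part version from text such as 'Apache/2.4.51 (Unix)'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        raise ValueError(f"no version number in {banner!r}")
    return tuple(int(x) for x in m.groups())


def version_affected(banner: str) -> bool:
    """True when the version lies in the range fixed by 2.4.52."""
    return AFFECTED_MIN <= parse_version(banner) < FIXED


@dataclass
class Findings:
    forward_proxy: bool = False                       # ProxyRequests On seen
    unix_targets: list = field(default_factory=list)  # unix: proxy targets seen
    lua_loaded: bool = False                          # mod_lua is loaded

    @property
    def ssrf_preconditions(self) -> bool:
        """Forward proxy plus a unix: backend on the same server."""
        return self.forward_proxy and bool(self.unix_targets)


def audit_config(text: str) -> Findings:
    """Scan directive lines; httpd comments are whole lines starting with '#'."""
    f = Findings()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue                      # blank line, comment or section tag
        try:
            words = shlex.split(line)     # handles the quoting httpd accepts
        except ValueError:
            continue                      # unbalanced quotes, skip the line
        name, args = words[0].lower(), words[1:]
        if name == "proxyrequests" and args and args[0].lower() == "on":
            f.forward_proxy = True
        elif name in ("proxypass", "proxypassmatch"):
            # Works both at server level (path target ...) and inside
            # <Location> (target ...): any argument with a unix: scheme counts.
            f.unix_targets.extend(a for a in args if a.lower().startswith("unix:"))
        elif name == "loadmodule" and args and args[0] == "lua_module":
            f.lua_loaded = True
    return f


def report(text: str, banner: str) -> list:
    """Human-readable findings for a configuration plus a version banner."""
    f = audit_config(text)
    out = []
    if version_affected(banner):
        out.append(f"{banner}: within the range fixed by 2.4.52, upgrade")
    if f.ssrf_preconditions:
        out.append("ProxyRequests On combined with unix: targets: "
                   + ", ".join(f.unix_targets))
    if f.lua_loaded and version_affected(banner):
        out.append("mod_lua loaded: review Lua handlers that call r:parsebody()")
    return out


if __name__ == "__main__":
    for line in report(WEAK_CONF, "Apache/2.4.51 (Unix)"):
        print(line)
```

Feed it the output of `httpd -v` and the text of your configuration; on the weak sample it reports all three findings, on the hardened sample with a 2.4.52 banner it reports nothing. Upgrading is the real fix for both CVEs; turning off ProxyRequests only removes the forward-proxy precondition for the mod_proxy issue.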

The most notable non-security changes are:

  • Added support for building mod_ssl against the OpenSSL 3 library.
  • OpenSSL library detection in the autoconf scripts.
  • In mod_proxy, when tunnelling protocols, forwarding of a TCP half-close can now be disabled by setting "SetEnv proxy-nohalfclose".
  • Additional checks that URIs not intended to be forward-proxied carry an http/https scheme, and that those intended to be forward-proxied contain a hostname.
  • mod_proxy_connect and mod_proxy no longer change the status code after it has already been sent to the client.
  • When sending an interim response after receiving a request with an "Expect: 100-Continue" header, the response is now "100 Continue" rather than the request's current status.
  • mod_dav adds the support needed by CalDAV extensions, which require both the document and the property elements to be taken into account when creating a property. New functions dav_validate_root_ns(), dav_find_child_ns(), dav_find_next_ns(), dav_find_attr_ns() and dav_find_attr() can be called from other modules.
  • In mpm_event, a problem with stopping idle child processes after a load spike on the server has been fixed.
  • mod_http2 fixes regressions that caused incorrect behaviour when enforcing the MaxRequestsPerChild and MaxConnectionsPerChild limits.
  • The capabilities of the mod_md module, used to automate obtaining and renewing certificates with the ACME (Automatic Certificate Management Environment) protocol, have been extended:
    • Added support for the ACME External Account Binding (EAB) mechanism, enabled through the MDExternalAccountBinding directive. The EAB values can be loaded from an external JSON file, so that the credentials do not have to appear in the main server configuration file.
    • The 'MDCertificateAuthority' directive now checks that its URL parameter has an http/https scheme or is one of the predefined names ('LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test').
    • The MDContactEmail directive may now be specified inside an <MDomain> section.
    • Several bugs have been fixed, including a memory leak that occurred when loading a private key failed.

Source: opennet.ru