Apache HTTP Server 2.4.53 released with fixes for dangerous vulnerabilities

The release of Apache HTTP Server 2.4.53 has been published, bringing 14 changes and fixing four vulnerabilities:

  • CVE-2022-22720 - possibility of carrying out an HTTP Request Smuggling attack: by sending specially crafted client requests, an attacker can wedge into the content of other users' requests passed through mod_proxy (for example, achieving the substitution of malicious JavaScript into another user's session on the site). The problem is caused by leaving incoming connections open after encountering errors while processing an invalid request body.
  • CVE-2022-23943 - buffer overflow in the mod_sed module that allows overwriting heap memory regions with attacker-controlled data.
  • CVE-2022-22721 - out-of-bounds write due to an integer overflow that occurs when a request body larger than 350 MB is passed. The problem manifests on 32-bit systems whose configuration sets the LimitXMLRequestBody value too high (the default is 1 MB; for an attack the limit must be above 350 MB).
  • CVE-2022-22719 - vulnerability in mod_lua that allows reading arbitrary memory regions and crashing the process when handling a specially crafted request body. The problem is caused by the use of uninitialized values in the code of the r:parsebody function.
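The CVE-2022-22721 item ties exposure to a configuration value, so an administrator can find hosts that sat in the vulnerable configuration before the upgrade. The following Python script is an added example, not code from the page or from the Apache project: it scans an httpd.conf excerpt for LimitXMLRequestBody directives (including ones inside container blocks, skipping commented-out lines) and flags any that exceed the 350 MB threshold quoted above when the build is 32-bit. The configuration it scans is constructed for the example; the threshold and the 1 MB default come from the text, and the treatment of 0 as "no limit" follows Apache's documentation for the directive. Upgrading to 2.4.53 is the actual fix; the script only identifies which configurations were exposed.

```python
import re
from typing import Dict, List

# Numbers quoted in the advisory for CVE-2022-22721: on a 32-bit build the
# overflow needs LimitXMLRequestBody set above roughly 350 MB.
UNSAFE_THRESHOLD_BYTES = 350 * 1024 * 1024
# Apache's documented default for LimitXMLRequestBody is 1000000 bytes (~1 MB),
# which is below the threshold, so an unset directive is not exposed.
APACHE_DEFAULT_BYTES = 1_000_000

# Apache takes the value in bytes (digits only). Anchored at line start so it
# also matches indented directives inside <Directory> / <Location> blocks.
_DIRECTIVE = re.compile(r"^\s*LimitXMLRequestBody\s+(\d+)\s*$", re.IGNORECASE)

# Constructed httpd.conf excerpt for demonstration; not taken from a real host.
SAMPLE_CONFIG = """\
ServerName www.example.invalid
LimitXMLRequestBody 1000000
# LimitXMLRequestBody 500000000   (commented out, must be ignored)
<Directory "/var/www/dav">
    LimitXMLRequestBody 500000000
</Directory>
<Directory "/var/www/legacy">
    LimitXMLRequestBody 0
</Directory>
"""


def find_limit_xml_settings(config_text: str) -> List[Dict[str, int]]:
    """Return every active LimitXMLRequestBody directive as {"line", "value"}.

    Anything after a '#' is treated as a comment, so commented-out directives
    are skipped rather than reported.
    """
    hits = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        code_part = raw.split("#", 1)[0]
        match = _DIRECTIVE.match(code_part)
        if match:
            hits.append({"line": lineno, "value": int(match.group(1))})
    return hits


def audit_limit_xml(config_text: str, is_32bit: bool) -> List[Dict[str, object]]:
    """Flag LimitXMLRequestBody settings that open the CVE-2022-22721 window.

    A value of 0 disables the size check in Apache, so it is treated as
    unbounded. Nothing is flagged on 64-bit builds because the advisory ties
    the overflow to 32-bit systems only.
    """
    findings = []
    for hit in find_limit_xml_settings(config_text):
        value = hit["value"]
        unbounded = value == 0
        above_threshold = unbounded or value > UNSAFE_THRESHOLD_BYTES
        findings.append({
            "line": hit["line"],
            "value": value,
            "exposed": bool(is_32bit and above_threshold),
        })
    return findings


def exposed_lines(config_text: str, is_32bit: bool) -> List[int]:
    """Convenience wrapper: config line numbers whose setting is flagged."""
    return [f["line"] for f in audit_limit_xml(config_text, is_32bit) if f["exposed"]]


if __name__ == "__main__":
    # Assume a 32-bit build for the demonstration run.
    for finding in audit_limit_xml(SAMPLE_CONFIG, is_32bit=True):
        status = "EXPOSED on 32-bit" if finding["exposed"] else "ok"
        print(f"line {finding['line']}: LimitXMLRequestBody {finding['value']} -> {status}")
```

On the constructed excerpt the global 1 MB setting passes, the commented-out line is ignored, and the two container-scoped settings (500000000 bytes and 0) are reported as exposed when the build is 32-bit. The script deliberately does not try to resolve Apache's directive scoping rules; it reports each location so an operator can decide which scope actually governs the WebDAV or XML-handling paths.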

The most notable non-security changes are:

  • In mod_proxy, the limit on the number of characters in a handler (worker) name has been increased. Added the ability to configure timeouts for the backend and frontend (for example, bound to a worker). For requests sent via websockets or the CONNECT method, the timeout is now set to the maximum of the values configured for the backend and frontend.
  • Opening DBM files and loading the DBM driver are now handled separately. In case of a failure, the log now shows more details about the error and the driver.
  • mod_md no longer processes requests to /.well-known/acme-challenge/ unless the domain settings explicitly allow the use of the 'http-01' challenge type.
  • mod_dav fixed regressions that caused high memory consumption when processing large numbers of resources.
  • Added the ability to use the pcre2 library (10.x) instead of pcre (8.x) for processing regular expressions.
  • Support for parsing LDAP anomalies has been added to filters so that data is correctly escaped when LDAP injection attacks are attempted.
  • In mpm_event, a deadlock that occurred on restart or when the MaxConnectionsPerChild limit was exceeded on heavily loaded systems has been fixed.

Source: opennet.ru