Apache 2.4.54 HTTP server release with fixes for vulnerabilities

The release of the Apache 2.4.53 HTTP server has been published, bringing 19 changes and fixing 8 vulnerabilities:

  • CVE-2022-31813 is a vulnerability in mod_proxy that can prevent the X-Forwarded-* headers, which carry information about the IP address the original request came from, from being forwarded. The issue could be used to bypass access restrictions based on IP addresses.
  • CVE-2022-30556 is a vulnerability in mod_lua that allows access to data outside the provided buffer through manipulation of the r:wsread() function in Lua scripts.
  • CVE-2022-30522 - Denial of service (memory exhaustion) when processing certain data with mod_sed.
  • CVE-2022-29404 - Denial of service in mod_lua, exploited by sending specially crafted requests to Lua handlers that use the r:parsebody(0) call.
  • CVE-2022-28615, CVE-2022-28614 - Denial of service or access to data in process memory due to errors in the ap_strcmp_match() and ap_rwrite() functions, which lead to reads from a region outside the buffer boundary.
  • CVE-2022-28330 - Information leak in mod_isapi (the issue only manifests on the Windows platform).
  • CVE-2022-26377 - The mod_proxy_ajp module is susceptible to "HTTP Request Smuggling" attacks on front-end/back-end systems, allowing requests from other users to be injected into the same connection between the front end and the back end.

The most notable non-security changes are:

  • mod_ssl makes the SSL FIPS mode compatible with OpenSSL 3.0.
  • The ab utility gains TLSv1.3 support (requires linking against an SSL library that supports this protocol).
  • In mod_md, the MDCertificateAuthority directive now allows more than one CA name and URL. New directives: MDRetryDelay (defines the delay before sending a retry request) and MDRetryFailover (defines the number of retries after a failure before another CA is selected). Added support for the "auto" state when displaying values in "key: value" format. Added the ability to manage certificates for users of the Tailscale secure VPN.
  • The mod_http2 module has been cleaned of unused and insecure code.
  • mod_proxy provides information about the backend network port in error messages written to the log.
  • In mod_heartmonitor, the default value of the HeartbeatMaxServers parameter has been changed from 0 to 10 (initializing 10 shared memory slots).

Source: opennet.ru
