Release of the lighttpd 1.4.64 HTTP server

The lightweight HTTP server lighttpd 1.4.64 has been released. The new version contains 95 changes, including previously planned changes to default behavior and a cleanup of legacy functionality:

  • The default timeout for graceful restart/shutdown operations has been reduced from infinite to 8 seconds. The timeout can be configured with the "server.graceful-shutdown-timeout" option.
  • The build has switched to the PCRE2 library (--with-pcre2); to return to the older PCRE version, use the "--with-pcre" option.
  • Previously deprecated modules have been removed:
    • mod_geoip (use mod_maxminddb instead),
    • mod_authn_mysql (use mod_authn_dbi instead),
    • mod_mysql_vhost (use mod_vhostdb_dbi instead),
    • mod_cml (use mod_magnet instead),
    • mod_flv_streaming (lost its relevance after the end of Adobe Flash),
    • mod_trigger_b4_dl (use a Lua replacement instead).

Lighttpd 1.4.64 also fixes a vulnerability (CVE-2022-22707) in the mod_extforward module that leads to a 4-byte buffer overflow when processing data in the Forwarded HTTP header. According to the developers, the problem is limited to denial of service and makes it possible to remotely trigger abnormal termination of the background process. Exploitation is possible only when the Forwarded header handler is enabled, and the problem does not appear in the default configuration.
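
An added example, not from the original article or the lighttpd project: a small Python check of whether a host matches the conditions described above (a release before 1.4.64, mod_extforward loaded, Forwarded processing enabled). It assumes the handler is enabled by listing "Forwarded" in mod_extforward's extforward.headers directive, and it reads only the configuration text passed in, without following include files or conditionals; the banner and sample configuration are constructed.

```python
import re

FIXED = (1, 4, 64)  # release the article names as carrying the CVE-2022-22707 fix

def parse_version(banner):
    """Extract (major, minor, patch) from `lighttpd -v` style output."""
    m = re.search(r"lighttpd/(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(map(int, m.groups())) if m else None

def strip_comments(conf):
    """Drop '#' comments, leaving '#' inside double-quoted strings alone."""
    out = []
    for line in conf.splitlines():
        in_str = False
        for i, ch in enumerate(line):
            if ch == '"':
                in_str = not in_str
            elif ch == "#" and not in_str:
                line = line[:i]
                break
        out.append(line)
    return "\n".join(out)

def list_values(conf, key):
    """Quoted strings from every `key = (...)` or `key += (...)` assignment."""
    vals = []
    for m in re.finditer(re.escape(key) + r"\s*\+?=\s*\(([^)]*)\)", conf):
        vals += re.findall(r'"([^"]*)"', m.group(1))
    return vals

def audit(banner, conf):
    conf = strip_comments(conf)
    version = parse_version(banner)
    loaded = "mod_extforward" in list_values(conf, "server.modules")
    # Header names are case-insensitive; "Forwarded-For" is a different header.
    headers = [h.lower() for h in list_values(conf, "extforward.headers")]
    forwarded = "forwarded" in headers
    predates = version is not None and version < FIXED
    return {"predates_fix": predates, "module_loaded": loaded,
            "forwarded_enabled": forwarded,
            "needs_action": predates and loaded and forwarded}

# Constructed sample configuration (not taken from a real host).
SAMPLE_CONF = '''
server.modules = ( "mod_access", "mod_extforward" )
extforward.forwarder = ( "10.0.0.2" => "trust" )   # constructed proxy address
extforward.headers = ( "Forwarded", "X-Forwarded-For" )
'''

if __name__ == "__main__":
    print(audit("lighttpd/1.4.63 (ssl) - a light and fast webserver", SAMPLE_CONF))
```

When "needs_action" is true, upgrading to 1.4.64 or removing "Forwarded" from extforward.headers takes the host out of the condition the article describes.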

Source: opennet.ru
