Apache HTTP Server 2.4.49 released with vulnerabilities fixed

Apache HTTP Server 2.4.49 has been released, bringing 27 changes and fixing 5 vulnerabilities:

  • CVE-2021-33193 - mod_http2 is vulnerable to a new variant of the "HTTP Request Smuggling" attack, which allows an attacker who sends specially crafted client requests to wedge into the contents of other users' requests passed through mod_proxy (for example, to inject malicious JavaScript code into another user's session on the site).
  • CVE-2021-40438 - an SSRF (Server Side Request Forgery) vulnerability in mod_proxy, which allows a request to be redirected to a server chosen by the attacker by sending a specially crafted uri-path.
  • CVE-2021-39275 - Buffer overflow in the ap_escape_quotes function. The vulnerability is rated as not dangerous, because none of the standard modules passes external data to this function. In theory, however, there may be third-party modules through which an attack could be carried out.
  • CVE-2021-36160 - Out-of-bounds read in the mod_proxy_uwsgi module, leading to a crash.
  • CVE-2021-34798 - NULL pointer dereference causing a process crash when processing specially crafted requests.

Most notable non-security changes:

  • Many internal changes in mod_ssl. The "ssl_engine_set", "ssl_engine_disable" and "ssl_proxy_enable" settings have been moved out of mod_ssl into the core. It is now possible to use alternative SSL modules to protect mod_proxy connections. Added the ability to log private keys, which can be used in wireshark to analyze encrypted traffic.
  • In mod_proxy, parsing of unix socket paths passed in "proxy:" URLs has been sped up.
  • The capabilities of the mod_md module, used to automate obtaining and maintaining certificates via the ACME (Automatic Certificate Management Environment) protocol, have been expanded. Domain names may now be enclosed in quotes, and tls-alpn-01 support has been added for domain names not associated with virtual hosts.
  • Added the StrictHostCheck parameter, which prohibits specifying unconfigured host names among the arguments of the "allow" list.
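The following is an added configuration example, not part of the original news item or of the Apache project's own documentation. It contrasts the default behaviour (the server answers requests for any Host header, matching unknown names to the first virtual host) with the new StrictHostCheck directive from 2.4.49, under which requests whose Host header matches no configured ServerName or ServerAlias are rejected. The host names and listen port are constructed placeholders.

```apache
# Weak (pre-2.4.49 default): any Host header is accepted and falls
# through to the first <VirtualHost>, so a request for an unexpected
# name such as "evil.example" is still served by www.example.com.
# StrictHostCheck OFF        # OFF is the default; shown for contrast

# Hardened: only host names that are explicitly configured via
# ServerName / ServerAlias are accepted; anything else gets a 400.
# Context: server config or virtual host (available from 2.4.49).
StrictHostCheck ON

Listen 80

<VirtualHost *:80>
    # Constructed example names; replace with the site's real names.
    ServerName  www.example.com
    ServerAlias example.com
    DocumentRoot "/var/www/example"
</VirtualHost>

<VirtualHost *:80>
    ServerName  intranet.example.com
    DocumentRoot "/var/www/intranet"
</VirtualHost>
```

With this configuration a request carrying "Host: www.example.com" or "Host: intranet.example.com" is routed as before, while one carrying an unconfigured name is refused instead of silently landing on the default virtual host. Check the effect with a request such as `curl -sI -H 'Host: unknown.example' http://SERVER/` (expect a 400 status) before and after enabling the directive, and run `apachectl configtest` first, because StrictHostCheck is unknown to releases older than 2.4.49 and will fail the config check there.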

Source: opennet.ru
