Apache HTTP Server 2.4.41 released with fixes for vulnerabilities

The release of Apache HTTP Server 2.4.41 has been published (release 2.4.40 was skipped). It introduces 23 changes and fixes 6 vulnerabilities:

  • CVE-2019-10081 is an issue in mod_http2 that can lead to memory corruption when push requests are sent at a very early stage. When "H2PushResource" is used, memory in the request processing pool can be overwritten, but the problem is limited to a crash because the data written does not depend on information received from the client;
  • CVE-2019-9517 - exposure to the recently disclosed DoS vulnerabilities in HTTP/2 implementations. An attacker can exhaust the memory available to the process and create a heavy CPU load by opening the HTTP/2 sliding window so that the server sends data without restriction, while keeping the TCP window closed, which prevents the data from actually being written to the socket;
  • CVE-2019-10098 - an issue in mod_rewrite that allows the server to be used to forward requests to other resources (open redirect). Some mod_rewrite configurations can cause the user to be redirected to a different link, encoded with a newline character inside a parameter used in an existing redirect. To block the problem, the PCRE_DOTALL flag can be used in RegexDefaultOptions; it is now set by default;
  • CVE-2019-10092 - the ability to perform cross-site scripting on the error pages displayed by mod_proxy. On these pages, the link contains the URL taken from the request, into which an attacker can inject arbitrary HTML code by escaping characters;
  • CVE-2019-10097 - stack overflow and NULL pointer dereference in mod_remoteip, exploited by manipulating the PROXY protocol header. The attack can only be carried out from the side of the proxy server used in the configuration, not through a client request;
  • CVE-2019-10082 - a vulnerability in mod_http2 that allows, during connection termination, reading content from an already freed memory area (read-after-free).

The most notable non-security changes are:

  • mod_proxy_balancer has improved protection against XSS/XSRF attacks from trusted peers;
  • The SessionExpiryUpdateInterval setting has been added to mod_session to define the interval for updating the cookie expiry time;
  • Error pages have been cleaned up to eliminate the display of information from requests on these pages;
  • mod_http2 now honours the "LimitRequestFieldSize" parameter, which previously applied only to checking HTTP/1.1 header fields;
  • It is verified that mod_proxy_hcheck is configured when it is used in BalancerMember;
  • Reduced memory consumption in mod_dav when the PROPFIND command is used on a large collection;
  • In mod_proxy and mod_ssl, problems with specifying certificate and SSL settings inside a Proxy block have been resolved;
  • mod_proxy allows the SSLProxyCheckPeer* settings to be applied to all proxy modules;
  • The capabilities of the mod_md module, developed by the Let's Encrypt project for automatically obtaining and maintaining certificates using the ACME (Automatic Certificate Management Environment) protocol, have been expanded:
    • Added the second version of the protocol, ACMEv2, which is now the default and uses empty POST requests instead of GET.
    • Added support for verification based on the TLS-ALPN-01 extension (RFC 7301, Application-Layer Protocol Negotiation), which is used in HTTP/2.
    • Support for the 'tls-sni-01' verification method has been discontinued (due to vulnerabilities).
    • Added commands for setting up and tearing down the check using the 'dns-01' method.
    • Added support for wildcards in certificates when DNS-based verification ('dns-01') is enabled.
    • Implemented the 'md-status' handler and the certificate status page 'https://domain/.httpd/certificate-status'.
    • Added the "MDCertificateFile" and "MDCertificateKeyFile" directives for configuring domain parameters with static files (without automatic renewal support).
    • Added the "MDMessageCmd" directive for calling external commands when 'renewed', 'expiring' or 'errored' events occur.
    • Added the "MDWarnWindow" directive for configuring the warning message about certificate expiration;
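A mod_md configuration that exercises the 2.4.41 features listed above, added here as an illustration; it is not taken from the release notes or from the httpd project. Directives not named in the list (MDCertificateAuthority, MDCertificateAgreement, MDChallenges, MDRenewMode, MDCertificateStatus and the acme-tls/1 entry in Protocols) are assumed from the mod_md documentation, and the domain names, paths and hook script are placeholders.

```apache
LoadModule md_module    modules/mod_md.so
LoadModule ssl_module   modules/mod_ssl.so
LoadModule http2_module modules/mod_http2.so

# ACMEv2 is the default protocol version in 2.4.41; the directory URL is
# given explicitly here so the endpoint in use is visible in the config.
MDCertificateAuthority https://acme-v02.api.letsencrypt.org/directory
MDCertificateAgreement accepted

# Prefer the tls-alpn-01 challenge over http-01: no plaintext port 80 path is
# needed and tls-sni-01 is no longer available. The acme-tls/1 protocol must
# be offered for the challenge to be answered.
MDChallenges tls-alpn-01
Protocols h2 http/1.1 acme-tls/1

# Warn 10 days before expiry and notify an operator-owned hook script.
# mod_md invokes it as: /usr/local/sbin/md-events.sh <reason> <domain>
# with reason being 'renewed', 'expiring' or 'errored' (placeholder path).
MDWarnWindow 10d
MDMessageCmd /usr/local/sbin/md-events.sh

# Exposes https://<domain>/.httpd/certificate-status for monitoring.
MDCertificateStatus on

# Automatically managed domain (placeholder names).
MDomain example.org www.example.org

<VirtualHost *:443>
    ServerName  example.org
    ServerAlias www.example.org
    SSLEngine on
    # No SSLCertificateFile: mod_md supplies the certificate it obtained.
</VirtualHost>

# Domain with a statically provisioned certificate: mod_md serves it but
# does not renew it, so the warning window is the only expiry safeguard.
<MDomainSet static.example.org>
    MDRenewMode manual
    MDCertificateFile    /etc/ssl/certs/static.example.org.crt
    MDCertificateKeyFile /etc/ssl/private/static.example.org.key
</MDomainSet>

<VirtualHost *:443>
    ServerName static.example.org
    SSLEngine on
</VirtualHost>
```

Run `apachectl configtest` after applying this and confirm the status page reports a valid certificate for each managed domain before relying on automatic renewal.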

Source: opennet.ru
