Apache HTTP Server 2.4.46 released with vulnerability fixes

The release of Apache HTTP Server 2.4.46 has been published (releases 2.4.44 and 2.4.45 were skipped). It introduces 17 changes and fixes 3 vulnerabilities:

  • CVE-2020-11984 - buffer overflow in the mod_proxy_uwsgi module that can lead to an information leak or code execution on the server when a specially crafted request is sent. The vulnerability is triggered by sending a very long HTTP header. As protection, a block on headers longer than 16K has been added (the limit defined in the protocol specification).
  • CVE-2020-11993 - vulnerability in the mod_http2 module that allows the process to be crashed by sending a request with a specially crafted HTTP/2 header. The problem only manifests when debugging or tracing is enabled in the mod_http2 module, and results in corruption of memory contents due to a race condition while writing information to the log. The problem does not occur when LogLevel is set to "info".
  • CVE-2020-9490 - vulnerability in the mod_http2 module that allows the process to be crashed by sending a request over HTTP/2 with a specially crafted 'Cache-Digest' header value (the crash occurs when attempting to perform an HTTP/2 PUSH operation on the resource). To block the vulnerability, the "H2Push off" setting can be used.
  • CVE-2020-11985 - vulnerability in mod_remoteip that allows IP addresses to be spoofed during proxying when mod_remoteip and mod_rewrite are used together. The problem only affects releases 2.4.1 through 2.4.23.
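As an added example (not part of the original article or the Apache project), the following audit script checks an httpd configuration against the preconditions listed above: the httpd version, the loaded modules, the H2Push setting and the effective mod_http2 log level. The configuration fragment is constructed for illustration, and the log-level lookup deliberately ignores virtual-host and directory scoping.

```python
import re

# Constructed httpd.conf fragment (not from the page): mod_http2 loaded with
# H2Push left at its default (on), mod_http2 logging raised to trace level,
# and mod_proxy_uwsgi loaded.
SAMPLE_CONF = """\
LoadModule http2_module modules/mod_http2.so
LoadModule proxy_uwsgi_module modules/mod_proxy_uwsgi.so
LogLevel warn http2:trace2
Protocols h2 http/1.1
"""

FIXED_IN = (2, 4, 46)


def parse_version(text):
    """'2.4.43' -> (2, 4, 43) for tuple comparison."""
    return tuple(int(part) for part in text.split("."))


def http2_log_level(conf):
    """Effective LogLevel for mod_http2: a bare level applies globally, an
    http2:<level> token overrides it. Scoping (vhosts, <Directory>) is ignored."""
    level = "warn"  # httpd default
    for match in re.finditer(r"^\s*LogLevel\s+(.+)$", conf, re.M | re.I):
        for token in match.group(1).split():
            module, _, lvl = token.rpartition(":")
            if module in ("", "http2"):
                level = lvl.lower()
    return level


def audit_httpd(conf, version):
    """Return the advisory ids from the 2.4.46 release whose preconditions
    (version, loaded modules, directives) this configuration meets."""
    ver = parse_version(version)
    modules = set(re.findall(r"^\s*LoadModule\s+(\w+)", conf, re.M))
    findings = set()
    if ver < FIXED_IN and "http2_module" in modules:
        # CVE-2020-9490: crafted Cache-Digest hits the HTTP/2 PUSH path;
        # "H2Push off" is the workaround named in the advisory.
        if not re.search(r"^\s*H2Push\s+off\b", conf, re.M | re.I):
            findings.add("CVE-2020-9490")
        # CVE-2020-11993: race only with debug/trace logging in mod_http2.
        if re.fullmatch(r"debug|trace\d?", http2_log_level(conf)):
            findings.add("CVE-2020-11993")
    if ver < FIXED_IN and "proxy_uwsgi_module" in modules:
        findings.add("CVE-2020-11984")  # header overflow fixed by the 16K limit
    if (2, 4, 1) <= ver <= (2, 4, 23) and {"remoteip_module", "rewrite_module"} <= modules:
        findings.add("CVE-2020-11985")  # IP spoofing via mod_remoteip + mod_rewrite
    return sorted(findings)
```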

The most notable non-security changes are:

  • Support for the draft specification kazuho-h2-cache-digest, whose advancement has been discontinued, has been removed from mod_http2.
  • The behaviour of the "LimitRequestFields" directive in mod_http2 has changed; specifying a value of 0 now disables the limit.
  • mod_http2 now handles primary and secondary (master/secondary) connections and marks methods according to their usage.
  • If an invalid Last-Modified header is received from an FCGI/CGI script, the header is now removed instead of being replaced with the Unix epoch time.
  • The ap_parse_strict_length() function has been added to the code for strict parsing of the content size.
  • mod_proxy_fcgi's ProxyFCGISetEnvIf now ensures that environment variables are removed if the given expression evaluates to False.
  • Fixed a race condition and possible crash in mod_ssl when using a client certificate specified via the SSLProxyMachineCertificateFile setting.
  • Fixed memory leaks in mod_ssl.
  • mod_proxy_http2 now uses the "ping" proxy parameter when checking the health of a new or reused connection to the backend.
  • httpd is no longer linked with the "-lsystemd" option when mod_systemd is enabled.
  • mod_proxy_http2 now ensures that the ProxyTimeout setting is honoured while waiting for incoming data on a connection to the backend.

Source: opennet.ru
