🥇Ho lokolloa ha Apache 2.4.46 http seva e nang le bofokoli bo tsitsitseng

e hatisitsoeng Ho lokolloa ha Apache HTTP Server 2.4.46 (lihlahisoa tsa 2.4.44 le 2.4.45 li ile tsa tlotsoa), tse ileng tsa hlahisa 17 liphetoho le ho felisoa 3 bofokoli:

CVE-2020-11984 - "buffer" e phalla ka har'a mod_proxy_uwsgi module, e ka lebisang ho phatloheng ha tlhahisoleseling kapa ts'ebetsong ea khoutu ho seva ha o romella kopo e entsoeng ka mokhoa o khethehileng. Ho ba kotsing ho sebelisoa hampe ka ho fetisa hlooho e telele haholo ea HTTP. Bakeng sa ts'ireletso, ho thibela lihlooho tse telele ho feta 16K (moeli o hlalositsoeng ka mokhoa oa protocol) ho ekelitsoe.
CVE-2020-11993 - ho ba kotsing mojuleng oa mod_http2 o lumellang ts'ebetso ho senyeha ha o romella kopo ka hlooho e hlophisitsoeng ka ho khetheha ea HTTP/2. Bothata bo iponahatsa ha debugging kapa tracing e nolofalitsoe ho mod_http2 module mme e bontšoa ka bobolu ba mohopolo ka lebaka la boemo ba morabe ha u boloka boitsebiso ho log. Bothata ha bo iponahatse ha LogLevel e behiloe ho "info".
CVE-2020-9490 - ho ba kotsing ho mod_http2 module e lumellang mokhoa oa ho senyeha ha o romela kopo ka HTTP/2 e nang le sehlooho se khethehileng sa 'Cache-Digest' (ho senyeha ho etsahala ha u leka ho etsa ts'ebetso ea HTTP/2 PUSH bakeng sa mohloli). Ho ba kotsing ho ka thijoa ka ho sebelisa "H2Push off".
CVE-2020-11985 - bofokoli ba mod_remoteip bo lumellang ho senyeha ha aterese ea IP ha o etsa proxy o sebelisa mod_remoteip le mod_rewrite. Bothata bo hlaha feela ho litokollo tsa 2.4.1 ho isa ho 2.4.23.

Liphetoho tse hlokomelehang haholo tse sa sireletsehang ke:

Ts'ehetso e hlophisitsoeng e tlositsoeng ho mod_http2 kazuho-h2-cache-digest, eo ho phahamisoa ha eona ho khaotsoe.
Boitšoaro ba taelo ea "LimitRequestFields" ho mod_http2 bo fetotsoe, ho hlalosa boleng ba 0 joale ho tima moeli.
mod_http2 e fana ka ts'ebetso ea likhokahano tsa master/secondary le ho tšoaea mekhoa ho latela ts'ebeliso.
Haeba litaba tsa hlooho tse sa sebetseng tsa ho Qetela li amohetsoe ho tsoa ho mongolo oa FCGI/CGI, sehlooho se tla tlosoa ho fapana le ho nkeloa sebaka ka nako ea Unix epoch.
Mosebetsi oa ap_parse_strict_length() o kentsoe khoutu bakeng sa ho arola ka thata boholo ba litaba.
Ho mod_proxy_fcgi, ProxyFCGISetEnvIf e netefatsa hore mefuta e fapaneng ea tikoloho e tlositsoe haeba polelo e fanoeng e khutla e le Bohata.
Lokisa maemo a lebelo le ho senyeha ho ka bang teng mod_ssl ha o sebelisa setifikeiti sa moreki se boletsoeng ka tlhophiso ea SSLProxyMachineCertificateFile.
Lokisa ho lutla ha memori ho mod_ssl.
Ho mod_proxy_http2 ts'ebeliso ea parameter ea proxy "e fanoabi»ha o hlahloba bophelo bo botle ba khokahano e ncha kapa e sebelisitsoeng hape ho backend.
E emisitse ho hokahanya httpd le "-lsystemd" khetho haeba mod_systemd e nolofalitsoe.
mod_proxy_http2 hona joale e hlompha boemo ba ProxyTimeout ha u emetse data e kenang ka li-backend connections.

Source: opennet.ru

Apache 2.4.46 http ea ho lokolloa ha seva e nang le bofokoli bo tsitsitseng