Apache HTTP Server 2.4.49 released with vulnerability fixes

Apache HTTP Server 2.4.49 has been released, introducing 27 changes and eliminating 5 vulnerabilities:

  • CVE-2021-33193 - mod_http2 is affected by a new variant of the "HTTP Request Smuggling" attack which, by sending specially crafted client requests, allows an attacker to wedge into the contents of requests from other users forwarded through mod_proxy (for example, to achieve injection of malicious JavaScript code into another site user's session).
  • CVE-2021-40438 - an SSRF (Server Side Request Forgery) vulnerability in mod_proxy that allows a request to be redirected to a server chosen by the attacker by sending a request with a specially crafted uri-path.
  • CVE-2021-39275 - Buffer overflow in the ap_escape_quotes function. The vulnerability is rated as low-risk because none of the standard modules pass external data to this function. However, third-party modules through which an attack could be carried out may exist.
  • CVE-2021-36160 - Out-of-bounds read in the mod_proxy_uwsgi module, leading to a crash.
  • CVE-2021-34798 - A NULL pointer dereference causing a process crash when handling specially crafted requests.

The most notable non-security changes are:

  • Many internal changes in mod_ssl. The "ssl_engine_set", "ssl_engine_disable" and "ssl_proxy_enable" settings have been moved from mod_ssl into the core. It is now possible to use alternative SSL modules to secure connections made through mod_proxy. Added the ability to log private keys, which can be used in wireshark to analyze encrypted traffic.
  • In mod_proxy, parsing of unix socket paths passed in a "proxy:" URL has been sped up.
  • The capabilities of the mod_md module, used for automatically obtaining and maintaining certificates via the ACME (Automatic Certificate Management Environment) protocol, have been extended. Domains may now be enclosed in quotes, and tls-alpn-01 support is provided for domain names not associated with virtual hosts.
  • Added the StrictHostCheck parameter, which prohibits specifying unconfigured host names among the arguments of the "allow" list.

Source: opennet.ru
