Release of Apache HTTP Server 2.4.52 with a buffer overflow fix in mod_lua

Apache HTTP Server 2.4.52 has been released, introducing 25 changes and fixing 2 vulnerabilities:

  • CVE-2021-44790 is a buffer overflow in mod_lua that occurs when parsing multipart requests. The issue affects configurations in which Lua scripts call the r:parsebody() function to parse the request body, allowing an attacker to trigger a buffer overflow by sending a specially crafted request. No exploit has been reported so far, but the issue could potentially lead to execution of attacker-supplied code on the server.
  • CVE-2021-44224 - SSRF (Server Side Request Forgery) vulnerability in mod_proxy that allows, in configurations with "ProxyRequests on", a specially crafted URI request to be redirected to another handler on the same server that accepts connections over a Unix Domain Socket. The issue can also be used to cause a crash by creating a NULL pointer dereference condition. The issue affects Apache httpd versions starting with 2.4.7.

The most notable non-security changes are:

  • Added support for building against the OpenSSL 3 library in mod_ssl.
  • Improved detection of the OpenSSL library in the autoconf scripts.
  • In mod_proxy, for tunneling protocols, it is now possible to disable forwarding of half-closed TCP connections by setting the "SetEnv proxy-nohalfclose" parameter.
  • Added additional checks that URIs not intended for proxying contain an http/https scheme, and that those intended for proxying contain a host name.
  • mod_proxy_connect and mod_proxy no longer allow the status code to change after it has been sent to the client.
  • When sending interim responses after receiving requests with an "Expect: 100-Continue" header, it is ensured that the result carries the "100 Continue" status rather than the current status of the request.
  • mod_dav adds support for CalDAV extensions, which require that both document elements and property elements be taken into account when generating a property. Added the new functions dav_validate_root_ns(), dav_find_child_ns(), dav_find_next_ns(), dav_find_attr_ns() and dav_find_attr(), which can be called from other modules.
  • In mpm_event, fixed a problem with stopping idle child processes after a surge in server load.
  • mod_http2 contains backported changes that fix incorrect behaviour when handling the MaxRequestsPerChild and MaxConnectionsPerChild limits.
  • Expanded the capabilities of the mod_md module, which is used to automate obtaining and maintaining certificates via the ACME (Automatic Certificate Management Environment) protocol:
    • Added support for the ACME External Account Binding (EAB) mechanism, enabled via the MDExternalAccountBinding directive. The EAB value can be configured from an external JSON file, avoiding exposure of authentication parameters in the main server configuration file.
    • The 'MDCertificateAuthority' directive now verifies that its URL parameter contains http/https or one of the predefined names ('LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test').
    • It is now allowed to specify the MDContactEmail directive inside a section.
    • Several bugs fixed, including a memory leak that occurred when loading a private key failed.
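As an added illustration of the mod_md points above (this is example configuration written for this page, not from the opennet.ru article or from the Apache project's own documentation), the fragment below uses one of the predefined MDCertificateAuthority names and keeps the EAB credentials in a separate JSON file rather than in httpd.conf. The domain names, file paths, credential values and the JSON field names "kid"/"hmac" are assumptions; confirm the file layout against the mod_md documentation for your build.

```apache
# Added example, not from the article: mod_md with ACME External Account Binding (EAB).
# Domain names, paths and credential values are placeholders.

LoadModule md_module       modules/mod_md.so
LoadModule ssl_module      modules/mod_ssl.so
LoadModule watchdog_module modules/mod_watchdog.so

# One of the predefined CA names accepted by MDCertificateAuthority
# (the release notes list LetsEncrypt, LetsEncrypt-Test, Buypass, Buypass-Test);
# a full http/https URL is also accepted, anything else is rejected at startup.
MDCertificateAuthority LetsEncrypt-Test

# Keep the EAB key id and HMAC key out of httpd.conf: point at a separate
# JSON file (assumed layout shown at the bottom) readable only by root and
# the user httpd runs as, so the main config can be shared or versioned safely.
MDExternalAccountBinding /etc/httpd/md/eab.json

MDomain example.com www.example.com

<VirtualHost *:443>
    ServerName  example.com
    ServerAlias www.example.com
    SSLEngine on
    # mod_md supplies the certificate and key for this MDomain;
    # no SSLCertificateFile / SSLCertificateKeyFile is needed here.
</VirtualHost>

# Assumed contents of /etc/httpd/md/eab.json (set mode 0600):
# {"kid": "placeholder-eab-key-id", "hmac": "placeholder-base64url-hmac-key"}
```

Because the EAB credentials are CA-issued account secrets, the file referenced by MDExternalAccountBinding should be treated with the same care as a private key: restrictive permissions, excluded from config backups that are shared more widely, and rotated through the CA if it is ever exposed.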

Source: opennet.ru
