Apache 2.4.56 HTTP server release with vulnerabilities fixed

The release of the Apache 2.4.56 HTTP server has been published, introducing 6 changes and fixing 2 vulnerabilities related to the possibility of carrying out HTTP Request Smuggling attacks against front-end/back-end systems, which allow wedging into the contents of requests from other users processed over the same connection between the front-end and the back-end. The attack can be used to bypass access control mechanisms or to insert malicious JavaScript code into a session with a legitimate site.

The first vulnerability (CVE-2023-27522) affects the mod_proxy_uwsgi module and allows the proxy to split the response into two parts by inserting special characters into the HTTP header returned by the backend.

The second vulnerability (CVE-2023-25690) is present in mod_proxy and manifests when certain request-rewriting rules are used via the RewriteRule directive provided by the mod_rewrite module, or certain patterns in the ProxyPassMatch directive. The vulnerability can lead to the proxy requesting internal resources that are not meant to be reachable through the proxy, or to poisoning of cache contents. For the vulnerability to manifest, data from the URL must be used in request-rewriting rules and then substituted into the request that is forwarded onward. Example:

RewriteEngine on
RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
ProxyPassReverse /here/ http://example.com:8080/
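An added example, not from the article or from the Apache project: a small Python model of the RewriteRule above, showing how the decoded capture lands in the forwarded request-target and a hardened check that rejects captures carrying control characters or whitespace. The rule pattern and backend URL come from the example above; the request-targets fed to it are constructed, and the decode-then-match behaviour is a simplified model of mod_rewrite.

```python
import re
from urllib.parse import unquote

# Mirrors: RewriteRule "^/here/(.*)" "http://example.com:8080/elsewhere?$1" [P]
RULE_PATTERN = re.compile(r"^/here/(.*)")
BACKEND_TEMPLATE = "http://example.com:8080/elsewhere?{capture}"

# Bytes that must never reach the forwarded request line: CR/LF split it,
# other control characters and whitespace terminate the request-target early.
_UNSAFE = re.compile(r"[\x00-\x20\x7f]")


def rewrite_target(request_target: str):
    """Model of the rule: decode the URL-path (as mod_rewrite matches against
    the decoded path), apply the pattern, substitute the capture.
    Returns the backend URL, or None when the rule does not match."""
    decoded = unquote(request_target)
    m = RULE_PATTERN.match(decoded)
    if not m:
        return None
    return BACKEND_TEMPLATE.format(capture=m.group(1))


def is_safe_capture(request_target: str) -> bool:
    """Hardened check: refuse to forward when the decoded capture would
    inject control characters or whitespace into the proxied request line."""
    decoded = unquote(request_target)
    m = RULE_PATTERN.match(decoded)
    if not m:
        return True  # rule does not apply, nothing is substituted
    return _UNSAFE.search(m.group(1)) is None


def triage(request_targets):
    """Classify a list of request-targets as 'forward' or 'reject'."""
    return [(t, "forward" if is_safe_capture(t) else "reject")
            for t in request_targets]


if __name__ == "__main__":
    # Constructed sample request-targets: a normal one and two carrying
    # percent-encoded control characters that decode into the capture.
    for target, decision in triage(["/here/page", "/here/x%0d%0ay", "/here/x%00y"]):
        print(f"{target!r}: {decision} -> {rewrite_target(target)!r}")
```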

Non-security changes include:

  • A "-T" flag has been added to the rotatelogs utility, allowing, when rotating logs, subsequent log files to be truncated without truncating the initial log file.
  • mod_ldap allows negative values in the LDAPConnectionPoolTTL directive to configure the reuse of any old connections.
  • In the mod_md module, used for automatically obtaining and maintaining certificates via the ACME (Automatic Certificate Management Environment) protocol, when built with libressl 3.5.0+, support for the ED25519 digital signature scheme and for accounting for information from public Certificate Transparency (CT) logs has been added. The MDChallengeDns01 directive allows settings to be defined for individual domains.
  • mod_proxy_uwsgi has tightened the checking and parsing of responses from HTTP backends.

Source: opennet.ru
