Apache HTTP Server 2.4.43 release

The release of Apache HTTP Server 2.4.43 has been published (release 2.4.42 was skipped); it introduces 34 changes and fixes 3 vulnerabilities:

  • CVE-2020-1927: a vulnerability in mod_rewrite that allows the server to be used to forward requests to other resources (open redirect). Some mod_rewrite configurations can cause a user to be redirected to another link, encoded using a newline character inside a parameter used in an existing redirect.
  • CVE-2020-1934: a vulnerability in mod_proxy_ftp. Use of uninitialized values can lead to a memory leak when proxying requests to an FTP server controlled by an attacker.
  • A memory leak in mod_ssl that occurs when chaining OCSP requests.

The most notable non-security changes are:

  • A new mod_systemd module was added, providing integration with the systemd system manager. The module allows httpd to be used in services of type "Type=notify".
  • Cross-compilation support was added to apxs.
  • The capabilities of the mod_md module, developed by the Let's Encrypt project to automate the receipt and maintenance of certificates using the ACME (Automatic Certificate Management Environment) protocol, have been extended:
    • The MDContactEmail directive was added, which lets you specify a contact email that does not overlap with the data from the ServerAdmin directive.
    • For all virtual hosts, support for the protocol used when negotiating a secure communication channel ("tls-alpn-01") is verified.
    • Allow mod_md directives to be used in and blocks.
    • Ensures that timeout settings are overwritten when MDCAChallenges is reused.
    • Added the ability to configure the CTLog Monitor URL.
    • For commands defined in the MDMessageCmd directive, a call with the "installed" argument is made when a new certificate is activated after a server restart (for example, it can be used to copy or convert the new certificate for other applications).
  • mod_proxy_hcheck added support for the %{Content-Type} mask in check expressions.
  • The CookieSameSite, CookieHTTPOnly and CookieSecure modes were added to mod_usertrack to configure the user tracking cookie.
  • mod_proxy_ajp implements a "secret" option for proxy handlers to support the legacy AJP13 authentication protocol.
  • Added build configuration for the OpenWRT toolset.
  • Added support in mod_ssl for using private keys and certificates from an OpenSSL ENGINE by specifying a PKCS#11 URI in SSLCertificateFile/KeyFile.
  • Testing was implemented using the Travis CI continuous integration system.
  • Parsing of Transfer-Encoding headers has been tightened.
  • mod_ssl provides TLS protocol negotiation per virtual host (supported when built with OpenSSL 1.1.1+).
  • Thanks to hashing of command tables, a restart in "graceful" mode is faster (without interrupting running request handlers).
  • Added the read-only tables r:headers_in_table, r:headers_out_table, r:err_headers_out_table, r:notes_table and r:subprocess_env_table to mod_lua. Tables may be assigned the value "nil".
  • In mod_authn_socache the limit on the size of a cached line was raised from 100 to 256.
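As an added illustration of the mod_usertrack change above (example configuration written for this page, not taken from the announcement or the httpd project): the same tracking cookie configured without attributes, as it was before 2.4.43, beside a configuration that uses the new directives. The directive names come from the announcement; the on/off and None/Lax/Strict value forms are assumed from the 2.4.43 mod_usertrack documentation, and the certificate paths are placeholders.

```apacheconf
# Added example, not part of the release announcement.
LoadModule usertrack_module modules/mod_usertrack.so

# Before 2.4.43: the tracking cookie carried no attributes, so a browser
# would send it over plain HTTP, expose it to page scripts, and attach it
# to cross-site requests.
<VirtualHost *:80>
    ServerName www.example.com
    CookieTracking on
    CookieName     track_id
    CookieExpires  "30 days"
</VirtualHost>

# With 2.4.43: the same cookie, restricted with the new directives.
# Value syntax assumed from the 2.4.43 mod_usertrack documentation.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    # placeholder paths
    SSLCertificateFile    /etc/httpd/tls/placeholder-cert.pem
    SSLCertificateKeyFile /etc/httpd/tls/placeholder-key.pem

    CookieTracking on
    CookieName     track_id
    CookieExpires  "30 days"
    # Secure: only sent over TLS connections
    CookieSecure   on
    # HttpOnly: not readable from document.cookie
    CookieHTTPOnly on
    # SameSite=Lax: not attached to cross-site subrequests or POSTs
    CookieSameSite Lax
</VirtualHost>
```

Running `apachectl configtest` (or `httpd -t`) after enabling the module confirms the directives are recognised by the installed version.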

Source: opennet.ru
