Apache HTTP Server 2.4.46 released with vulnerabilities fixed

The release of Apache HTTP Server 2.4.46 has been published (releases 2.4.44 and 2.4.45 were skipped). It introduces 17 changes and fixes 3 vulnerabilities:

  • CVE-2020-11984 - a buffer overflow in the mod_proxy_uwsgi module that can lead to information leakage or code execution on the server when a specially crafted request is sent. The vulnerability is exploited by sending a very long HTTP header. As protection, a restriction rejecting headers longer than 16K has been added (the limit defined in the protocol specification).
  • CVE-2020-11993 - a vulnerability in the mod_http2 module that allows the process to be crashed by sending a request with a specially crafted HTTP/2 header. The problem appears only when debugging or tracing is enabled in the mod_http2 module, and manifests as corruption of memory contents due to a race condition while writing information to the log. The problem does not occur when LogLevel is set to "info".
  • CVE-2020-9490 - a vulnerability in the mod_http2 module that allows the process to be crashed by sending a request over HTTP/2 with a specially crafted value of the 'Cache-Digest' header (the crash happens when an HTTP/2 PUSH operation is attempted for the resource). To block the vulnerability, the "H2Push off" setting can be used.
  • CVE-2020-11985 - a vulnerability in mod_remoteip that allows IP addresses to be spoofed when mod_remoteip is used together with mod_rewrite. The problem only appears in releases 2.4.1 to 2.4.23.
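The workarounds mentioned above can be expressed as a few lines of httpd configuration. The fragment below is an added example, not from the article or the Apache project; the directives are real Apache directives, and the weak setting is shown in a comment beside the corrected one.

```apache
# Added example (not from the article or the Apache project): httpd.conf
# fragment reflecting the mitigations the release notes describe.

# CVE-2020-9490: a crafted Cache-Digest header is only dangerous on the
# HTTP/2 PUSH code path. Default is "H2Push on"; turn it off until patched.
H2Push off

# CVE-2020-11993: the crash only occurs with debug/trace logging enabled in
# mod_http2. A setting like "LogLevel warn http2:trace2" is the weak one;
# keep the module at info or lower in production.
LogLevel warn http2:info

# CVE-2020-11984: the fix caps proxied uwsgi headers at 16K. Independently,
# the general per-header size limit should stay at its default (8190 bytes)
# rather than being raised to accommodate oversized headers.
LimitRequestFieldSize 8190
LimitRequestFields 100
```

After editing, validate the syntax with `apachectl configtest` (or `httpd -t`) and confirm the running binary reports 2.4.46 or later with `httpd -v` before removing the workarounds.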

The most notable non-security changes are:

  • Support for the draft kazuho-h2-cache-digest specification, whose development has been discontinued, has been removed from mod_http2.
  • The behaviour of the "LimitRequestFields" directive in mod_http2 has been changed; specifying a value of 0 now disables the limit.
  • mod_http2 now handles primary and secondary (master/secondary) connections and marks methods according to their use.
  • If invalid Last-Modified header content is received from an FCGI/CGI script, the header is now removed instead of being replaced with the Unix epoch time.
  • The ap_parse_strict_length() function has been added to the code for strict parsing of the content length.
  • mod_proxy_fcgi's ProxyFCGISetEnvIf now ensures that environment variables are removed when the given expression returns False.
  • Fixed a race condition and a possible crash in mod_ssl when using a client certificate specified via the SSLProxyMachineCertificateFile setting.
  • Fixed memory leaks in mod_ssl.
  • mod_proxy_http2 now honours the "ping" proxy parameter when checking whether a new or reused backend connection is working.
  • httpd is no longer linked with the "-lsystemd" option when mod_systemd is built.
  • mod_proxy_http2 now ensures that the ProxyTimeout setting is respected while waiting for incoming data on a connection to the backend.

Source: opennet.ru
