Apache 2.4.49 HTTP server released with vulnerability fixes

The release of the Apache 2.4.49 HTTP server has been published, bringing 27 changes and fixing 5 vulnerabilities:

  • CVE-2021-33193 - a vulnerability in mod_http2 to a new variant of the HTTP Request Smuggling attack, which allows an attacker, by sending specially crafted client requests, to wedge into the content of other users' requests passed through mod_proxy (for example, to get malicious JavaScript code substituted into another user's session on the site).
  • CVE-2021-40438 - an SSRF (Server Side Request Forgery) vulnerability in mod_proxy, which allows an attacker, by sending a request with a specially crafted uri-path, to redirect the request to a server of the attacker's choosing.
  • CVE-2021-39275 - a buffer overflow in the ap_escape_quotes function. The vulnerability is rated as not dangerous, since none of the standard modules pass external data to this function. In theory, however, there may be third-party modules through which an attack could be carried out.
  • CVE-2021-36160 - an out-of-bounds read in the mod_proxy_uwsgi module, leading to a crash.
  • CVE-2021-34798 - a null pointer dereference that crashes the process when handling specially crafted requests.

The most notable non-security changes are:

  • A large number of internal changes in mod_ssl. The "ssl_engine_set", "ssl_engine_disable" and "ssl_proxy_enable" settings were moved from mod_ssl to the core. It is now possible to use alternative SSL modules to protect connections established through mod_proxy. Added the ability to log private keys, which can then be used in Wireshark to analyse encrypted traffic.
  • Faster parsing in mod_proxy of unix socket paths passed in "proxy:" URLs.
  • The capabilities of the mod_md module, used for automatically obtaining and maintaining certificates via the ACME (Automatic Certificate Management Environment) protocol, have been extended. Quoting of domain names is now allowed, and tls-alpn-01 support was added for domain names not tied to virtual hosts.
  • Added the StrictHostCheck option, which forbids unconfigured hosts among the arguments of the "allow" list.
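As an added illustration (not from the article or the Apache project), the new StrictHostCheck directive in an Apache 2.4.49 configuration; the host names, ports and document roots are assumptions:

```apache
# Added example, not from the original article. Host names, ports and
# paths are assumed values for illustration.
#
# With the default (StrictHostCheck Off), a request whose Host header
# matches no ServerName/ServerAlias is silently served by the first
# (default) virtual host for that address:port. With StrictHostCheck On,
# such a request is rejected with 400 Bad Request, so traffic for
# unconfigured host names never reaches an application by accident.

StrictHostCheck On

Listen 80

<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com
    DocumentRoot /var/www/example
</VirtualHost>

<VirtualHost *:80>
    ServerName app.example.com
    DocumentRoot /var/www/app
</VirtualHost>

# Check after a restart (assumed local test host):
#   curl -si -H "Host: www.example.com" http://127.0.0.1/      -> 200, first vhost
#   curl -si -H "Host: unknown.example.net" http://127.0.0.1/  -> 400 Bad Request
```

Every host name a client may legitimately send must be listed as a ServerName or ServerAlias before turning the directive on, otherwise those requests are rejected as well.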

Source: opennet.ru
