Apache HTTP Server 2.4.53 released with fixes for dangerous vulnerabilities

Apache HTTP Server 2.4.53 has been released, bringing 14 changes and fixing 4 vulnerabilities:

  • CVE-2022-22720: an "HTTP Request Smuggling" attack which allows an attacker, by sending specially crafted client requests, to inject into the contents of other users' requests forwarded through mod_proxy (for example, to get malicious JavaScript code inserted into another site user's session). The problem is caused by the inbound connection being left open after errors occur while discarding an invalid request body.
  • CVE-2022-23943: a buffer overflow in the mod_sed module that allows heap memory contents to be overwritten with attacker-controlled data.
  • CVE-2022-22721: an out-of-bounds write caused by an integer overflow that occurs when a request body larger than 350 MB is passed. The problem affects 32-bit systems whose configuration sets LimitXMLRequestBody too high (the default is 1 MB; for the attack to work the limit must be greater than 350 MB).
  • CVE-2022-22719: a vulnerability in mod_lua that allows arbitrary memory areas to be read and the process to be crashed while handling a specially crafted request body. The problem is caused by the use of uninitialised values in the code of the r:parsebody function.
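
Because two of the four issues only matter when a particular module is loaded, and CVE-2022-22721 additionally needs a 32-bit build with a raised LimitXMLRequestBody, a practitioner triaging a fleet wants the version check and the configuration check together. The script below is an added example, not code from the article or from the httpd project: it parses the Apache version from a Server header, scans a httpd.conf fragment for the relevant LoadModule and LimitXMLRequestBody lines, and lists which of the four CVEs a pre-2.4.53 server is actually exposed to. The 350 MB threshold and the 1 MB default come from the advisory text; the module names and the sample configuration are constructed for the example.

```python
"""Audit helper for the four CVEs fixed in Apache httpd 2.4.53 (added example, not project code)."""
import re

FIXED_VERSION = (2, 4, 53)
DEFAULT_XML_LIMIT = 1024 * 1024          # httpd default for LimitXMLRequestBody: 1 MB
XML_OVERFLOW_LIMIT = 350 * 1024 * 1024   # CVE-2022-22721 needs bodies larger than 350 MB on 32-bit builds

# Module that must be loaded for each issue to be reachable; None means the
# precondition is a directive value rather than a module.
CVE_PRECONDITIONS = [
    ("CVE-2022-22720", "proxy_module"),  # request smuggling through mod_proxy
    ("CVE-2022-23943", "sed_module"),    # heap out-of-bounds write in mod_sed
    ("CVE-2022-22721", None),            # LimitXMLRequestBody > 350 MB on 32-bit
    ("CVE-2022-22719", "lua_module"),    # uninitialised value in r:parsebody (mod_lua)
]


def parse_apache_version(server_header):
    """Return (major, minor, patch) from a Server header such as 'Apache/2.4.52 (Unix)', or None."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", server_header)
    return tuple(int(x) for x in m.groups()) if m else None


def is_unfixed(version):
    """True for any release before 2.4.53, where the four fixes landed."""
    return version < FIXED_VERSION


def audit_config(config_text, is_32bit):
    """Scan a httpd.conf fragment and list the CVEs whose preconditions it satisfies."""
    modules = set()
    xml_limit = DEFAULT_XML_LIMIT
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # httpd only treats whole-line '#' as a comment
            continue
        m = re.match(r"LoadModule\s+(\S+)\s", line)
        if m:
            modules.add(m.group(1))
            continue
        m = re.match(r"LimitXMLRequestBody\s+(\d+)$", line)  # the directive takes a byte count
        if m:
            xml_limit = int(m.group(1))

    findings = []
    for cve, module in CVE_PRECONDITIONS:
        if module is not None:
            if module in modules:
                findings.append(cve)
        elif is_32bit and xml_limit > XML_OVERFLOW_LIMIT:
            findings.append(cve)
    return findings


def audit(server_header, config_text, is_32bit):
    """Combine version and configuration: nothing to report once the server runs 2.4.53 or later."""
    version = parse_apache_version(server_header)
    if version is None or not is_unfixed(version):
        return []
    return audit_config(config_text, is_32bit)


# Constructed sample input (not taken from the article): a 2.4.52 build on a 32-bit host
# with mod_proxy and mod_sed loaded and LimitXMLRequestBody raised to 400 MB.
SAMPLE_HEADER = "Apache/2.4.52 (Unix)"
SAMPLE_CONFIG = """\
# constructed httpd.conf fragment
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule sed_module modules/mod_sed.so
LimitXMLRequestBody 419430400
"""

if __name__ == "__main__":
    for cve in audit(SAMPLE_HEADER, SAMPLE_CONFIG, is_32bit=True):
        print("exposed:", cve)
```

The banner check is only a first filter: ServerTokens can hide the version, and distribution packages often backport fixes without changing it, so confirm with the package changelog before trusting a "not vulnerable" result. The configuration scan is deliberately narrow (top-level LoadModule and LimitXMLRequestBody lines only); it does not follow Include directives or per-directory overrides.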

The most notable changes not related to security:

  • In mod_proxy, the limit on the number of characters in a worker name has been increased. The ability to configure timeouts selectively for the backend and the frontend (for example, per worker) has been added. For requests sent via WebSockets or the CONNECT method, the timeout is now the larger of the values set for the backend and the frontend.
  • Opening DBM files and loading the DBM driver are now handled separately. On failure, the log now shows more detailed information about the error and the driver.
  • In mod_md, requests to /.well-known/acme-challenge/ are no longer processed unless the domain's settings explicitly enable the 'http-01' challenge type.
  • mod_dav has fixed a regression that caused high memory consumption when handling a large number of resources.
  • Added the ability to use the pcre2 (10.x) library instead of pcre (8.x) for regular expression processing.
  • Added support for parsing LDAP filters in requests so that data is correctly escaped against attempted LDAP injection attacks.
  • In mpm_event, a deadlock that occurred on restart or when the MaxConnectionsPerChild limit was exceeded on heavily loaded systems has been eliminated.

source: opennet.ru