A release of the lightweight HTTP server lighttpd 1.4.76 has been published. The project focuses on combining high performance, security, standards compliance and configuration flexibility. Lighttpd is suited to heavily loaded systems and aims at low memory and CPU usage. The project code is written in C and distributed under the BSD license.
In the new version:
- Detection of the "continuation flood" attack has been added. The attack consists of sending the server a continuous stream of HTTP/2 CONTINUATION frames without ever setting the END_HEADERS flag. The attack is reported not to have caused a denial of service in lighttpd, but detection and a GOAWAY response have been added as an additional safeguard.
- The incident involving the introduction of a backdoor into the xz package has been taken into account. When building a release with bundled dependencies, the code is now fetched from Git using the "git archive" command and verified against release tags, instead of downloading pre-built source archives.
- A built-in mimetype.assign file is provided by default.
- Added support for the MPTCP (MultiPath TCP) extension, which is not enabled by default.
- Improved support for the GNU/Hurd and NetBSD 10 platforms.
- The number of system calls made when connecting to a backend has been reduced.
- In a future release, it is planned to make TLSv1.3 the minimum supported TLS protocol version (currently the MinProtocol parameter is set to TLSv1.2). Also in a future release, the server.error-handler-404 handler will be limited to handling only 404 errors (currently it handles both 404 and 403).
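As an added illustration of the detection described in the first lighttpd item above (example code written for this page, not lighttpd's own implementation), the following Python parses a sequence of HTTP/2 frames, tracks each header block, flags a block whose CONTINUATION frames keep arriving without END_HEADERS beyond assumed limits, and builds the GOAWAY frame a server would answer with. The frame layout and constants follow RFC 9113; the limits and the sample frame sequences are constructed for the example.

```python
# HTTP/2 frame-level constants (RFC 9113).
FRAME_HEADERS, FRAME_CONTINUATION, FRAME_GOAWAY = 0x1, 0x9, 0x7
FLAG_END_HEADERS = 0x4
ERR_ENHANCE_YOUR_CALM = 0xB
MAX_HEADER_BLOCK_BYTES = 16 * 1024  # assumed limits for this example, not lighttpd's
MAX_CONTINUATION_FRAMES = 8

def build_frame(ftype, flags, stream_id, payload):
    """Serialize one frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + stream_id.to_bytes(4, "big") + payload)

def parse_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame in data."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        sid = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break  # truncated trailing frame: wait for more bytes
        yield ftype, flags, sid, payload
        off += 9 + length

def check_continuation_flood(data):
    """None if every header block closes with END_HEADERS within limits, else (stream_id, reason)."""
    open_sid, block_bytes, cont_frames = None, 0, 0  # state of the currently open header block
    for ftype, flags, sid, payload in parse_frames(data):
        if ftype == FRAME_HEADERS:
            open_sid, block_bytes, cont_frames = sid, len(payload), 0
        elif ftype == FRAME_CONTINUATION:
            if open_sid != sid:
                return sid, "CONTINUATION without an open header block"
            block_bytes += len(payload)
            cont_frames += 1
            if cont_frames > MAX_CONTINUATION_FRAMES or block_bytes > MAX_HEADER_BLOCK_BYTES:
                return sid, "continuation flood: %d frames / %d bytes without END_HEADERS" % (cont_frames, block_bytes)
        if ftype in (FRAME_HEADERS, FRAME_CONTINUATION) and flags & FLAG_END_HEADERS:
            open_sid = None  # header block closed normally
    return None

def goaway_frame(last_stream_id, error_code=ERR_ENHANCE_YOUR_CALM):
    """GOAWAY on stream 0 carrying the last processed stream id and the error code."""
    return build_frame(FRAME_GOAWAY, 0, 0, last_stream_id.to_bytes(4, "big") + error_code.to_bytes(4, "big"))
# Constructed sample input: a normal header block on stream 1, then a block on stream 3 whose CONTINUATION frames never carry END_HEADERS.
BENIGN = b"".join(build_frame(t, f, 1, b"\x82" * 100) for t, f in
                  [(FRAME_HEADERS, 0), (FRAME_CONTINUATION, 0), (FRAME_CONTINUATION, FLAG_END_HEADERS)])
FLOOD = build_frame(FRAME_HEADERS, 0, 3, b"\x82" * 1024) + b"".join(
    build_frame(FRAME_CONTINUATION, 0, 3, b"\x82" * 1024) for _ in range(20))
```

A real server would apply this per connection as frames arrive and close the connection right after sending the GOAWAY, rather than waiting for the whole byte sequence.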
Also worth noting is the release of the Apache HTTP server 2.4.59, which brings 21 changes and fixes for three vulnerabilities:
- CVE-2024-27316 is a vulnerability leading to exhaustion of free memory during a "continuation flood" attack.
- CVE-2024-24795, CVE-2023-38709 - the possibility of carrying out an HTTP response splitting attack in frontend-backend configurations, allowing additional response headers to be substituted or responses to be split in order to mix in content from the responses of other users processed in the same thread between the frontend and the backend.
- The CGIScriptTimeout parameter has been added to the mod_cgi module to set a timeout for script execution.
- mod_xml2enc provides compatibility with libxml2 2.12.0 and later releases.
- In mod_ssl, the standard OpenSSL functions are used to assemble the list of certificate authority names when processing the SSLCACertificatePath and SSLCADNRequestPath directives.
- mod_xml2enc applies its XML processing to text/* and XML MIME types, to prevent data corruption in Microsoft OOXML formats.
- In the htcacheclean utility, when the -a/-A options are specified, it is possible to list all files in each subdirectory.
- In mod_ssl, the SSLProxyMachineCertificateFile/Path directives allow referencing files that contain certificate authority certificates.
- The documentation for the htpasswd, htdbm and dbmmanage utilities clarifies that they use hashing, not encryption.
- htpasswd has added support for password hashing with the SHA-2 algorithm.
- mod_env allows environment variables to be passed through.
- mod_ldap implements HTML escaping in ldap-header mode.
- mod_ssl improves compatibility with OpenSSL 3 and ensures that freed memory is returned to the system.
- mod_proxy allows setting a TTL to configure the lifetime of entries in the DNS response cache.
- In mod_proxy, support for a third argument has been added to the ProxyRemote parameter, in which Basic authentication credentials passed to the external proxy can be configured.
Source: opennet.ru
