ukukhishwa kwe-Apache HTTP Server 2.4.41 (ukukhishwa kwe-2.4.40 kweqiwe), eyethula futhi iqedwe :
- kuyinkinga ku-mod_http2 engaholela ekonakaleni kwenkumbulo lapho uthumela izicelo zokucindezela kusenesikhathi. Uma usebenzisa ukulungiselelwa kwe-"H2PushResource", kuyenzeka ukuthi ubhale phezu kwememori endaweni yokucubungula isicelo, kodwa inkinga ikhawulelwe ekuphahlazekeni ngoba idatha ebhalwayo ayisekelwe olwazini olutholwe kuklayenti;
- - ukuchayeka kwakamuva Ukuba sengozini kwe-DoS ekusetshenzisweni kwe-HTTP/2.
Umhlaseli angakwazi ukukhipha inkumbulo etholakalayo kwinqubo futhi adale umthwalo osindayo we-CPU ngokuvula iwindi le-HTTP/2 elishelelayo ukuze iseva ithumele idatha ngaphandle kwemingcele, kodwa igcine iwindi le-TCP livaliwe, ukuvimbela idatha ukuthi ingabhalwa ngempela kusokhethi; - - inkinga ku-mod_rewrite, evumela ukuthi usebenzise iseva ukuthumela izicelo kwezinye izinsiza (vula ukuqondisa kabusha). Ezinye izilungiselelo ze-mod_rewrite zingase zibangele ukuthi umsebenzisi adluliselwe kwesinye isixhumanisi, esifakwe ikhodi kusetshenziswa uhlamvu lomugqa omusha ngaphakathi kwepharamitha esetshenziswe ekuqondisweni kabusha okukhona. Ukuze uvimbele inkinga ku-RegexDefaultOptions, ungasebenzisa ifulegi le-PCRE_DOTALL, manje osethwe ngokuzenzakalelayo;
- - ikhono lokwenza umbhalo wesayithi eliphambene emakhasini amaphutha aboniswe yi-mod_proxy. Kulawa makhasi, isixhumanisi siqukethe i-URL etholwe esicelweni, lapho umhlaseli angafaka khona ikhodi ye-HTML ngokubalekela uhlamvu;
- - ukuchichima kwesitaki kanye ne-NULL pointer dereference ku-mod_remoteip, kusetshenziswe kabi ngokukhwabanisa kwesihloko sephrothokholi ye-PROXY. Ukuhlasela kungenziwa kuphela ohlangothini lweseva elibamba elisetshenziswa kuzilungiselelo, hhayi ngesicelo seklayenti;
- - ukuba sengozini ku-mod_http2 evumela, ngesikhathi sokunqanyulwa kokuxhumana, ukuqalisa ukufunda okuqukethwe endaweni yenkumbulo evele ikhululiwe (ukufunda ngemva kwamahhala).
Izinguquko ezingavikeleki eziphawuleka kakhulu yilezi:
- I-mod_proxy_balancer ithuthukise ukuvikeleka ekuhlaselweni kwe-XSS/XSRF okuvela kontanga abathembekile;
- Isethingi ye-SessionExpiryUpdateInterval yengezwe ku-mod_session ukuze kunqunywe isikhawu sokubuyekeza isikhathi sokuphela kweseshini/ikhukhi;
- Amakhasi anamaphutha ahlanzwa, okuhloswe ngawo ukususa ukuvezwa kolwazi oluvela ezicelweni kulawa makhasi;
- mod_http2 icabangela inani lepharamitha ye-“LimitRequestFieldSize”, ngaphambilini ebivumeleke kuphela ukuhlola izinkambu zesihloko ze-HTTP/1.1;
- Iqinisekisa ukuthi ukulungiswa kwe-mod_proxy_hcheck kuyadalwa uma kusetshenziswa ku-BalancerMember;
- Ukusetshenziswa kwememori okwehlisiwe ku-mod_dav uma usebenzisa umyalo we-PROPFIND eqoqweni elikhulu;
- Ku-mod_proxy naku-mod_ssl, izinkinga zokucacisa isitifiketi nezilungiselelo ze-SSL ngaphakathi kwebhulokhi yommeleli zixazululiwe;
- i-mod_proxy ivumela izilungiselelo ze-SSProxyCheckPeer* ukuthi zisetshenziswe kuwo wonke amamojula ommeleli;
- Amakhono emojuli anwetshiwe , Masibethele iphrojekthi ukuze sizenzele ngokuzenzakalelayo ukwamukela nokugcinwa kwezitifiketi sisebenzisa iphrothokholi ye-ACME (i-Automatic Certificate Management Environment):
- Kwengezwe inguqulo yesibili yephrothokholi , osekuyikhona manje futhi THUMELA izicelo ezingenalutho esikhundleni se-GET.
- Ukwesekwa okwengeziwe kokuqinisekisa okusekelwe kusandiso se-TLS-ALPN-01 (RFC 7301, Ingxoxo Yephrothokholi Yesingqimba Sohlelo Lokusebenza), esisetshenziswa ku-HTTP/2.
- Ukusekelwa kwendlela yokuqinisekisa ye-'tls-sni-01' kunqanyuliwe (ngenxa yokuthi ).
- Kwengezwe imiyalo yokusetha nokuphula isheke kusetshenziswa indlela ye-'dns-01'.
- Ukwesekwa okwengeziwe ezitifiketini lapho ukuqinisekiswa okusekelwe ku-DNS kunikwe amandla ('dns-01').
- Isibambi se-'md-status' esisetshenzisiwe kanye nekhasi lesitifiketi 'https://domain/.httpd/certificate-status'.
- Kwengezwe iziqondiso ze-"MDCertificateFile" kanye "ne-MDCertificateKeyFile" zokumisa imingcele yesizinda ngokusebenzisa amafayela amile (ngaphandle kokusekelwa kokubuyekeza okuzenzakalelayo).
- Kwengezwe umyalelo othi "MDMessageCmd" ukuze kushayelwe imiyalo yangaphandle uma kwenzeka izenzakalo 'ezivuselelwayo', 'zokuphelelwa yisikhathi' noma 'ezinephutha'.
- Kwengezwe umyalelo othi "MDWarnWindow" ukuze ulungiselele umlayezo oyisixwayiso mayelana nokuphelelwa yisikhathi kwesitifiketi;
Source: opennet.ru