Apache HTTP Server 2.4.49 released with vulnerabilities fixed

Apache HTTP Server 2.4.49 has been released, introducing 27 changes and eliminating 5 vulnerabilities:

  • CVE-2021-33193 - mod_http2 is vulnerable to a new variant of the "HTTP Request Smuggling" attack, which allows an attacker who sends specially crafted client requests to wedge into the content of other users' requests forwarded through mod_proxy (for example, malicious JavaScript code could be injected into another user's session on the site).
  • CVE-2021-40438 - SSRF (Server Side Request Forgery) vulnerability in mod_proxy, which allows a request to be redirected to a server chosen by the attacker by sending a request with a specially crafted uri-path.
  • CVE-2021-39275 - Buffer overflow in the ap_escape_quotes function. The vulnerability is rated as not dangerous, because none of the standard modules pass external data to this function. In theory, however, there may be third-party modules through which the attack could be carried out.
  • CVE-2021-36160 - Out-of-bounds read in the mod_proxy_uwsgi module, leading to a crash.
  • CVE-2021-34798 - Null pointer dereference causing the process to crash when handling specially crafted requests.

The most notable non-security changes are:

  • Many internal changes in mod_ssl. The "ssl_engine_set", "ssl_engine_disable" and "ssl_proxy_enable" settings have been moved out of mod_ssl into the core. It is now possible to use alternative SSL modules to protect connections made through mod_proxy. Added the ability to log private keys, which can be used in wireshark to analyze encrypted traffic.
  • In mod_proxy, parsing of unix socket paths passed in the "proxy:" URL has been sped up.
  • The capabilities of the mod_md module, used to automatically obtain and maintain certificates via the ACME (Automatic Certificate Management Environment) protocol, have been extended. Domains may now be enclosed in quotes, and tls-alpn-01 support is provided for domain names not associated with virtual hosts.
  • Added the StrictHostCheck parameter, which prohibits specifying unconfigured host names among the arguments of the "allow" list.

Source: opennet.ru
