Apache HTTP Server 2.4.52 has been released, introducing 25 changes and fixing 2 vulnerabilities:
- CVE-2021-44790: a buffer overflow in mod_lua that occurs while parsing multipart requests. The vulnerability affects configurations in which Lua scripts call the r:parsebody() function to parse the request body; an attacker can trigger the overflow by sending a specially crafted request. No working exploit is known so far, but the issue could potentially lead to code execution on the server.
- CVE-2021-44224: an SSRF (Server Side Request Forgery) vulnerability in mod_proxy. In configurations with "ProxyRequests on" (a forward proxy), a specially crafted request URI can cause the request to be routed to another proxy endpoint declared on the same server that accepts connections over a Unix domain socket, provided the configuration mixes forward- and reverse-proxy declarations. The same issue can also be used to crash the server by creating the conditions for a NULL pointer dereference. The problem affects Apache httpd from version 2.4.7 up to and including 2.4.51.
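The configuration mix that CVE-2021-44224 concerns, shown as an added illustration (this is not code from the opennet.ru item or from the httpd project). The hostnames, ports, network range, paths and the socket path are invented; the first server block is the risky layout, the second is a more conservative layout that keeps the forward proxy and the socket-backed reverse proxy apart.

```apache
# Added illustration, not from the original item or the httpd project.
# Risky layout on httpd 2.4.7 through 2.4.51: a forward proxy
# (ProxyRequests On) that also declares a reverse-proxy backend reachable
# over a Unix domain socket in the same server. This is the mix of
# forward- and reverse-proxy declarations the advisory describes.
Listen 8080
<VirtualHost *:8080>
    ServerName proxy.example.internal
    ProxyRequests On
    ProxyVia On
    <Proxy "*">
        # Never expose a forward proxy without access control
        Require ip 10.0.0.0/8
    </Proxy>
    # Reverse-proxy declaration in the same server: the unix: endpoint
    # that a crafted URI could be steered to on an unpatched build.
    ProxyPass        "/admin/" "unix:/run/admin-app.sock|http://localhost/admin/"
    ProxyPassReverse "/admin/" "http://localhost/admin/"
</VirtualHost>

# More conservative layout: the forward proxy lives in its own server and
# declares no unix: targets; the socket-backed application is served from a
# separate virtual host with ProxyRequests Off. The real fix is still the
# upgrade to 2.4.52, see the caveat below.
Listen 8443
<VirtualHost *:8080>
    ServerName proxy.example.internal
    ProxyRequests On
    ProxyVia On
    <Proxy "*">
        Require ip 10.0.0.0/8
    </Proxy>
</VirtualHost>

<VirtualHost *:8443>
    ServerName admin.example.internal
    ProxyRequests Off
    ProxyPass        "/admin/" "unix:/run/admin-app.sock|http://localhost/admin/"
    ProxyPassReverse "/admin/" "http://localhost/admin/"
</VirtualHost>
```

Separating the two only removes the mixing that the SSRF path depends on; the NULL pointer dereference needs nothing more than a forward proxy reachable by the attacker, so an unpatched build with "ProxyRequests On" exposed to untrusted clients remains crashable. Upgrading to 2.4.52 and restricting who may use the forward proxy at all (the `Require` line above) are the measures that matter.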
The most notable non-security changes are:
- Added support for building mod_ssl against the OpenSSL 3 library.
- Improved detection of the OpenSSL library in the autoconf scripts.
- In mod_proxy, for tunnelled protocols, forwarding of a TCP half-close can now be disabled by setting the "SetEnv proxy-nohalfclose" parameter.
- Added checks that fully qualified request URIs not intended for forward proxying carry an http/https scheme, and that those intended for forward proxying contain a hostname.
- mod_proxy_connect and mod_proxy no longer allow the status code to be changed after it has already been sent to the client.
- When sending interim responses after receiving a request with an "Expect: 100-Continue" header, the result is checked to report a "100 Continue" status rather than the request's current status.
- mod_dav adds support for the CalDAV extensions, which require both document elements and property elements to be taken into account when generating a property. New functions dav_validate_root_ns(), dav_find_child_ns(), dav_find_next_ns(), dav_find_attr_ns() and dav_find_attr() have been added and can be called from other modules.
- In mpm_event, a problem with stopping idle child processes after a spike in server load has been fixed.
- mod_http2 contains fixes for regressions that caused incorrect behaviour when handling the MaxRequestsPerChild and MaxConnectionsPerChild limits.
- The capabilities of the mod_md module, used for automated acquisition and maintenance of certificates via the ACME (Automatic Certificate Management Environment) protocol, have been extended:
  - Added support for the ACME External Account Binding (EAB) mechanism, enabled via the MDExternalAccountBinding directive. The EAB values can be loaded from an external JSON file, which avoids exposing the authentication parameters in the main server configuration file.
  - The MDCertificateAuthority directive checks that its URL parameter contains http/https or one of the predefined names ('LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test').
  - The MDContactEmail directive may now be specified inside an <MDomain> section.
  - Several bugs have been fixed, including a possible memory leak when loading a private key fails.
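A mod_md configuration that uses the three features listed above together (named CA alias, EAB loaded from a separate JSON file, MDContactEmail inside the MDomain section), shown as an added example that is not from the opennet.ru item or from the mod_md project. The domain names, e-mail address, file path and module paths are invented, and the JSON field names shown in the comment are an assumption to be checked against the mod_md documentation for your build.

```apache
# Added example, not from the original item or the mod_md project.
LoadModule md_module       modules/mod_md.so
LoadModule watchdog_module modules/mod_watchdog.so
LoadModule ssl_module      modules/mod_ssl.so

# One of the predefined names accepted by MDCertificateAuthority in 2.4.52;
# an explicit https:// ACME directory URL is accepted as well.
MDCertificateAuthority LetsEncrypt-Test
MDCertificateAgreement accepted

# External Account Binding: key id and HMAC key are read from a separate
# file instead of being written into httpd.conf, so the main config can
# stay readable by operators while the secret file is root-only (0600).
# Assumed file layout (field names are an assumption):
#   {"kid": "account-kid-issued-by-the-ca", "hmac": "base64url-hmac-key"}
MDExternalAccountBinding /etc/httpd/md/eab.json

<MDomain example.org>
    MDMember www.example.org
    # 2.4.52 allows the contact address inside the MDomain section
    MDContactEmail hostmaster@example.org
</MDomain>

<VirtualHost *:443>
    ServerName  example.org
    ServerAlias www.example.org
    SSLEngine on
</VirtualHost>
```

Keeping the EAB material out of httpd.conf matters because that file is routinely shared, diffed and committed; the JSON file should carry the same ownership and permissions you would give a private key.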
Source: opennet.ru