Apache http server 2.4.52 released with a fix for a buffer overflow in mod_lua

The Apache HTTP server 2.4.52 has been released, introducing 25 changes and eliminating 2 vulnerabilities:

  • CVE-2021-44790 is a buffer overflow in mod_lua that occurs when multipart requests are parsed. The vulnerability affects configurations in which Lua scripts call the r:parsebody() function to parse the request body, allowing an attacker to trigger a buffer overflow by sending a specially crafted request. No evidence of an exploit has been found so far, but the issue could potentially lead to execution of the attacker's code on the server.
  • CVE-2021-44224 - an SSRF (Server Side Request Forgery) vulnerability in mod_proxy which, in configurations with "ProxyRequests on", allows a specially crafted URI request to be redirected to another handler on the same server that accepts connections via a Unix Domain Socket. The issue can also be used to cause a crash by creating null pointer dereference conditions. The problem affects Apache httpd versions starting from 2.4.7.
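A small audit helper, added here as an example (not from the original news item or the Apache project), that checks an httpd version string and a configuration fragment against the two issues described above: mod_lua loaded on a version before 2.4.52, and forward proxying ("ProxyRequests On") on a version in the 2.4.7 to 2.4.51 range. The configuration fragment is constructed for the example.

```python
import re
from typing import List, Set, Tuple

# Constructed sample httpd.conf fragment (not taken from the original page).
SAMPLE_CONF = """
LoadModule proxy_module modules/mod_proxy.so
LoadModule lua_module modules/mod_lua.so   # Lua scripts may call r:parsebody()
ProxyRequests On                            # forward proxy enabled
"""

# Ranges as stated in the release notes: both issues are fixed in 2.4.52,
# and the mod_proxy SSRF affects releases starting from 2.4.7.
FIXED = (2, 4, 52)
SSRF_FIRST_AFFECTED = (2, 4, 7)

def parse_version(s: str) -> Tuple[int, ...]:
    """Turn '2.4.51' (or a banner like 'Apache/2.4.51 (Unix)') into a comparable tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", s)
    if not m:
        raise ValueError(f"no version number found in {s!r}")
    return tuple(int(x) for x in m.groups())

def parse_conf(text: str) -> Tuple[Set[str], str]:
    """Collect loaded module names and the ProxyRequests setting ('' if absent)."""
    modules: Set[str] = set()
    proxy_requests = ""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments
        m = re.match(r"LoadModule\s+(\w+)", line, re.I)
        if m:
            modules.add(m.group(1).lower())
        m = re.match(r"ProxyRequests\s+(\w+)", line, re.I)
        if m:
            proxy_requests = m.group(1).lower()
    return modules, proxy_requests

def audit(version: str, conf: str) -> List[str]:
    """Return the issues from this release that the given version and config are exposed to."""
    v = parse_version(version)
    modules, proxy_requests = parse_conf(conf)
    findings: List[str] = []
    if v >= FIXED:
        return findings                             # 2.4.52 or later: both fixed
    if "lua_module" in modules:
        findings.append("CVE-2021-44790: mod_lua loaded on a release before 2.4.52")
    if v >= SSRF_FIRST_AFFECTED and "proxy_module" in modules and proxy_requests == "on":
        findings.append("CVE-2021-44224: ProxyRequests On with mod_proxy on 2.4.7..2.4.51")
    return findings
```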

The most notable non-security changes are:

  • mod_ssl adds support for building against the OpenSSL 3 library.
  • Detection of the OpenSSL library in the autoconf scripts has been improved.
  • In mod_proxy, for tunnelled protocols, forwarding of half-closed TCP connections can now be disabled by setting the "SetEnv proxy-nohalfclose" parameter.
  • Additional checks have been added that URIs not intended for proxying contain an http/https scheme, and that those intended for proxying contain a host name.
  • mod_proxy_connect and mod_proxy no longer allow the status code to be changed after it has been sent to the client.
  • When sending intermediate responses after receiving requests with an "Expect: 100-Continue" header, the result now carries the "100 Continue" status rather than the current request status.
  • mod_dav adds support for CalDAV extensions, which require both document elements and property elements to be taken into account when building a property. New functions dav_validate_root_ns(), dav_find_child_ns(), dav_find_next_ns(), dav_find_attr_ns() and dav_find_attr() have been added and can be called from other modules.
  • In mpm_event, the problem of stopping idle child processes after a spike in server load has passed has been resolved.
  • mod_http2 fixes regressions that caused incorrect behaviour when handling the MaxRequestsPerChild and MaxConnectionsPerChild limits.
  • The capabilities of the mod_md module, used to automate obtaining and maintaining certificates with the ACME (Automatic Certificate Management Environment) protocol, have been extended:
    • Added support for the ACME External Account Binding (EAB) mechanism, enabled with the MDExternalAccountBinding directive. EAB values can be configured from an external JSON file, avoiding exposure of the authentication parameters in the main server configuration file.
    • The 'MDCertificateAuthority' directive now verifies that the URL parameter contains an http/https scheme or one of the predefined names ('LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test').
    • The MDContactEmail directive may now be specified inside the section.
    • Several bugs have been fixed, including a possible memory leak when loading a private key fails.

Source: opennet.ru
