Apache HTTP Server 2.4.53 released with fixes for dangerous vulnerabilities

Apache HTTP Server 2.4.53 has been published. The release introduces 14 changes and fixes 4 vulnerabilities:

  • CVE-2022-22720 - possibility of carrying out an HTTP Request Smuggling attack which, by sending specially crafted client requests, allows an attacker to wedge into the content of other users' requests forwarded through mod_proxy (for example, to inject malicious JavaScript code into another user's session on the site). The problem is caused by leaving the incoming connection open after an error is encountered while processing an invalid request body.
  • CVE-2022-23943 - Buffer overflow in the mod_sed module that allows heap memory contents to be overwritten with attacker-controlled data.
  • CVE-2022-22721 - Out-of-bounds write caused by an integer overflow that occurs when a request body larger than 350 MB is passed. The problem manifests on 32-bit systems where the LimitXMLRequestBody value has been set very high (the default is 1 MB; for an attack the limit must exceed 350 MB).
  • CVE-2022-22719 - Vulnerability in mod_lua that allows arbitrary memory regions to be read and the process to be crashed while processing a specially crafted request body. The problem is caused by the use of uninitialized values in the code of the r:parsebody function.
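
As an added example (not part of the original article or the Apache project), the following script audits an httpd configuration for the CVE-2022-22721 precondition described above: it flags every LimitXMLRequestBody directive that would admit bodies over 350 MB, but only when the build is 32-bit and older than 2.4.53. The sample configuration is constructed; treating "350 MB" as 350 MiB is an assumption, and a value of 0 is counted as over threshold because httpd interprets it as "no limit".

```python
import re

# From the article: bodies above 350 MB overflow on 32-bit builds, and 2.4.53
# carries the fix. 350 MiB in bytes is an assumption; the article says "350 MB".
OVERFLOW_THRESHOLD = 350 * 1024 * 1024
FIXED_VERSION = (2, 4, 53)
# Matches "LimitXMLRequestBody <bytes>"; a commented-out line ("# Limit...") does not.
DIRECTIVE_RE = re.compile(r"^\s*LimitXMLRequestBody\s+(\d+)\s*$", re.IGNORECASE)


def parse_version(version: str) -> tuple:
    """'2.4.52' -> (2, 4, 52), so releases compare numerically."""
    return tuple(int(part) for part in version.split("."))


def has_fix(version: str) -> bool:
    return parse_version(version) >= FIXED_VERSION


def find_limits(conf_text: str) -> list:
    """Return (line_number, bytes) for every LimitXMLRequestBody directive."""
    found = []
    for number, line in enumerate(conf_text.splitlines(), start=1):
        match = DIRECTIVE_RE.match(line)
        if match:
            found.append((number, int(match.group(1))))
    return found


def audit(conf_text: str, version: str, is_32bit: bool) -> list:
    """Directives that expose an unpatched 32-bit httpd to CVE-2022-22721.
    A value of 0 disables the limit in httpd, so it counts as over threshold."""
    if has_fix(version) or not is_32bit:
        return []
    return [f"line {number}: LimitXMLRequestBody {value} permits bodies over 350 MB"
            for number, value in find_limits(conf_text)
            if value == 0 or value > OVERFLOW_THRESHOLD]


# Constructed sample configuration, not taken from any real server.
SAMPLE_CONF = """\
ServerName example.test
LimitXMLRequestBody 1048576
<Directory "/srv/dav">
    LimitXMLRequestBody 400000000
</Directory>
<Directory "/srv/upload">
    LimitXMLRequestBody 0
</Directory>
# LimitXMLRequestBody 999999999
"""
```

Running `audit(SAMPLE_CONF, "2.4.52", is_32bit=True)` reports the 400000000 and 0 directives; the same configuration on 2.4.53 or on a 64-bit build yields no findings.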

The most notable non-security changes are:

  • In mod_proxy, the limit on the number of characters in a handler (worker) name has been raised. It is now possible to configure backend and frontend timeouts selectively (for example, per worker). For requests sent over websockets or via the CONNECT method, the timeout is now set to the larger of the values configured for the backend and the frontend.
  • Opening DBM files and loading the DBM driver are now handled separately. On failure, the log now shows more detailed information about the error and the driver.
  • mod_md no longer processes requests to /.well-known/acme-challenge/ unless the domain settings explicitly allow use of the 'http-01' challenge type.
  • mod_dav fixed a regression that caused high memory consumption when processing a large number of resources.
  • Added the ability to use the pcre2 (10.x) library instead of pcre (8.x) for processing regular expressions.
  • LDAP parsing support has been added to the query filters so that data is correctly escaped when an LDAP injection attack is attempted.
  • In mpm_event, fixed a deadlock that occurred on restart or when the MaxConnectionsPerChild limit was exceeded on heavily loaded systems.

Source: opennet.ru
