A release of the lightweight HTTP server lighttpd 1.4.76 has been published. The project aims to combine high performance, security, standards compliance and configuration flexibility. Lighttpd is suited to heavily loaded systems and is designed for low memory and CPU consumption. The project code is written in C and distributed under the BSD license.
In the new version:
- Detection has been added for "continuation flood" attacks, carried out by sending a continuous stream of HTTP/2 CONTINUATION frames without ever setting the END_HEADERS flag. This attack is said not to have caused a denial of service in lighttpd, but detection and a GOAWAY response have been added as an additional mitigation.
- The incident involving the backdoor inserted into the xz package has been taken into account. When building release tarballs of dependencies, the code is now retrieved from Git using the "git archive" command, verified against release tags, instead of downloading pre-built archives of the code.
- A built-in mimetype.assign file is provided by default.
- Added support for the MPTCP (MultiPath TCP) extension, disabled by default.
- Improved support for the GNU/Hurd and NetBSD 10 platforms.
- The number of system calls made when connecting to a backend has been reduced.
- In a future release it is planned to make TLSv1.3 the minimum supported version of the TLS protocol (currently the MinProtocol parameter is set to TLSv1.2). Also in the future, the server.error-handler-404 handler will be limited to handling only 404 errors (currently it handles both 404 and 403).
Also worth noting is the release of the Apache HTTP server 2.4.59, which introduces 21 changes and fixes three vulnerabilities:
- CVE-2024-27316 is a vulnerability leading to exhaustion of free memory during a "continuation flood" attack.
- CVE-2024-24795, CVE-2023-38709 - the possibility of carrying out an HTTP response splitting attack on frontend-backend systems, allowing additional response headers to be substituted or responses to be split in order to inject content into the responses of other users processed over the same pipeline between the frontend and the backend.
- The CGIScriptTimeout parameter has been added to the mod_cgi module to set a timeout for script execution.
- mod_xml2enc provides compatibility with libxml2 2.12.0 and later releases.
- In mod_ssl, standard OpenSSL functions are used to build the list of certificate authority names when processing the SSLCACertificatePath and SSLCADNRequestPath directives.
- mod_xml2enc performs XML processing for text/* and XML MIME types, to prevent data corruption in Microsoft OOXML formats.
- In the htcacheclean utility, when the -a/-A options are specified, it is possible to list all files in each subdirectory.
- In mod_ssl, the SSLProxyMachineCertificateFile/Path directives allow referencing files that contain certificate authority certificates.
- The documentation for the htpasswd, htdbm and dbmmanage utilities clarifies that they use password hashing, not encryption.
- htpasswd has added support for processing password hashes using the SHA-2 algorithm.
- mod_env allows overriding system environment variables.
- mod_ldap escapes HTML in the output of the ldap-status handler.
- mod_ssl improves compatibility with OpenSSL 3 and ensures that freed memory is returned to the system.
- mod_proxy allows setting a TTL to adjust the lifetime of entries in the DNS response cache.
- In mod_proxy, support for a third argument has been added to the ProxyRemote parameter, with which Basic authentication credentials passed to the external proxy can be configured.
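The "continuation flood" detection described above for lighttpd, and the same attack behind CVE-2024-27316 in Apache, comes down to tracking an HTTP/2 header block that never ends: after a HEADERS frame without END_HEADERS, only CONTINUATION frames on the same stream may follow, and a server has to cap how many of them (and how many bytes) it will buffer before answering with GOAWAY. The following is an added illustration written for this article, not code from lighttpd or Apache; the frame limits and the sample frames are constructed for the example.

```python
FRAME_HEADERS, FRAME_CONTINUATION = 0x1, 0x9
FLAG_END_HEADERS = 0x4
MAX_CONTINUATION_FRAMES, MAX_HEADER_BLOCK_BYTES = 8, 64 * 1024  # assumed limits for this example

def frame(ftype, flags, stream_id, payload=b""):
    """Serialise one HTTP/2 frame: 24-bit length, type, flags, reserved bit + 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)

def iter_frames(data):
    """Yield (type, flags, stream_id, payload) for each complete frame in a byte stream."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = int.from_bytes(data[off + 5:off + 9], "big") & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            return  # truncated trailing frame: wait for more bytes
        yield ftype, flags, stream_id, payload
        off += 9 + length

def check_connection(data):
    """Return None if every header block ends within the limits, else (reason, stream_id) for a GOAWAY."""
    open_stream = None  # stream whose header block has not yet seen END_HEADERS
    cont_frames = block_bytes = 0
    for ftype, flags, stream_id, payload in iter_frames(data):
        if open_stream is None:
            if ftype == FRAME_CONTINUATION:
                return ("CONTINUATION without a preceding HEADERS", stream_id)
            if ftype == FRAME_HEADERS and not flags & FLAG_END_HEADERS:
                open_stream, cont_frames, block_bytes = stream_id, 0, len(payload)
            continue
        # While a block is open, only CONTINUATION on the same stream may follow (RFC 9113 s. 6.10).
        if ftype != FRAME_CONTINUATION or stream_id != open_stream:
            return ("frame interleaved inside an open header block", stream_id)
        cont_frames += 1
        block_bytes += len(payload)
        if cont_frames > MAX_CONTINUATION_FRAMES or block_bytes > MAX_HEADER_BLOCK_BYTES:
            return ("continuation flood", stream_id)  # cap reached: stop buffering, send GOAWAY
        if flags & FLAG_END_HEADERS:
            open_stream = None
    return None

# Constructed sample traffic: a legitimately fragmented header block, and a flood that never ends it.
BENIGN = (frame(FRAME_HEADERS, 0, 1, b"\x82") + frame(FRAME_CONTINUATION, 0, 1, b"\x86")
          + frame(FRAME_CONTINUATION, FLAG_END_HEADERS, 1, b"\x84"))
FLOOD = frame(FRAME_HEADERS, 0, 3, b"\x82") + frame(FRAME_CONTINUATION, 0, 3, b"\x00") * 20
```

The byte cap matters as much as the frame cap: a flood of tiny frames is caught by the count, while a few huge frames are caught by the accumulated size, and without either the header block stays buffered indefinitely.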
Source: opennet.ru
