A few days ago the release of a new version of the Apache HTTP Server, 2.4.52, was announced. It brings around 25 changes and, in addition, fixes for 2 vulnerabilities.
For those unfamiliar with the Apache HTTP Server: it is an open-source, cross-platform HTTP web server that implements the HTTP/1.1 protocol and the virtual host concept as specified in RFC 2616 (the original HTTP/1.1 specification).
What's new in Apache HTTP 2.4.52?
In this new version of the server, support has been added for building mod_ssl against the OpenSSL 3 library. In addition, detection of the OpenSSL library in the autoconf scripts has been improved.
Another notable novelty in this release concerns the proxy in protocol-tunnelling mode (CONNECT and Upgrade tunnels, where mod_proxy only pumps bytes between the two sides): it is now possible to disable the forwarding of a half-closed TCP connection, that is, when one side of the tunnel shuts down its write direction the proxy no longer propagates that half-close to the other side. This is done by setting the environment variable "proxy-nohalfclose", which mod_proxy reads, for example with "SetEnv proxy-nohalfclose".
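The following configuration is an added example, not from the release notes or the Apache project, showing where the new variable fits: a reverse proxy that tunnels WebSocket traffic and switches half-close forwarding off for one backend only. Host names, ports and paths are assumptions, and TLS directives are omitted.

```apache
# Added example; host names, ports and paths are assumptions.
LoadModule proxy_module          modules/mod_proxy.so
LoadModule proxy_http_module     modules/mod_proxy_http.so
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
LoadModule env_module            modules/mod_env.so

<VirtualHost *:443>
    ServerName gw.example.com

    # WebSocket traffic is tunnelled: after the 101 Switching Protocols
    # response, mod_proxy only copies bytes between client and backend.
    ProxyPass "/ws/" "ws://127.0.0.1:8080/ws/"

    # 2.4.52 default: when one side half-closes the TCP connection (it
    # shuts down its write direction), the proxy forwards that half-close
    # to the other side, so the peer learns that no more data will arrive.
    # Some backends treat a half-close as "connection gone" and tear the
    # whole tunnel down; for those, disable the forwarding per location.
    <Location "/ws/legacy/">
        SetEnv proxy-nohalfclose 1
    </Location>
</VirtualHost>
```

The variable is read per request, so it can be scoped with <Location> or <If> blocks instead of being set server-wide; it applies in the same way to CONNECT tunnels handled by mod_proxy_connect. Note that SetEnv takes effect in the fixup phase, which is early enough for the proxy handler but not for mod_rewrite conditions.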
In mod_proxy_connect and mod_proxy, changing the status code after it has already been sent to the client is no longer allowed.
mod_dav gained support for CalDAV extensions, which require both document elements and property elements to be taken into account when generating a property. New utility functions dav_validate_root_ns(), dav_find_child_ns(), dav_find_next_ns(), dav_find_attr_ns() and dav_find_attr() have been added, which can be called from other modules.
In mod_http2, regressions that led to incorrect behaviour when handling the MaxRequestsPerChild and MaxConnectionsPerChild limits have been fixed.
The capabilities of the mod_md module, used for automatically obtaining and maintaining certificates via the ACME protocol (Automatic Certificate Management Environment), have also been extended:
Support has been added for the ACME External Account Binding (EAB) mechanism, configured via the MDExternalAccountBinding directive. The EAB values can be stored in an external JSON file so that the account credentials (the key identifier and the HMAC key issued by the CA) are not exposed in the main server configuration file.
The 'MDCertificateAuthority' directive now validates its argument: it must be an http/https URL or one of the predefined names ('LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test').
Other notable changes in this new version:
- Additional validation has been added that URIs not intended for proxying contain an http/https scheme, while those intended for proxying contain a host name.
- When a request arrives with an "Expect: 100-Continue" header, the interim response is now sent with the status "100 Continue" rather than with the request's current status.
- In mpm_event, a problem with stopping idle child processes after a spike in server load has been resolved.
- The MDContactEmail directive may now be specified inside a <VirtualHost> section.
- Several bugs have been fixed, including a memory leak that occurred when a private key could not be loaded.
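The mod_md changes above (External Account Binding with the secrets kept in a separate JSON file, the validated MDCertificateAuthority value, and MDContactEmail inside <VirtualHost>) combine into one configuration. The following is an added example, not from the release notes or the mod_md project; the domain names, file paths and CA URL are assumptions, and the JSON key names in the comment are the ones mod_md documents, to be verified against the release you run.

```apache
# Added example; domain names, paths and the CA URL are assumptions.
LoadModule ssl_module      modules/mod_ssl.so
LoadModule watchdog_module modules/mod_watchdog.so
LoadModule md_module       modules/mod_md.so

# 2.4.52 validates this value: it must be an http/https URL or one of
# LetsEncrypt, LetsEncrypt-Test, Buypass, Buypass-Test. A misspelt name
# is now rejected when the configuration is parsed instead of failing
# later, at ACME time.
MDCertificateAuthority https://acme.ca.example/directory
MDCertificateAgreement accepted

# External Account Binding. The ACME account key id and HMAC key are
# secrets; keep them out of httpd.conf by referencing a JSON file that is
# readable only by root and the httpd user (mode 0640), with this content
# (key names as documented by mod_md; verify against your release):
#   { "kid": "<key id issued by the CA>", "hmac": "<base64url HMAC key>" }
MDExternalAccountBinding /etc/httpd/md/eab.json

MDomain www.example.com example.com

<VirtualHost *:443>
    ServerName  www.example.com
    ServerAlias example.com
    # 2.4.52 accepts MDContactEmail inside <VirtualHost>, so each virtual
    # host can register its own ACME contact address.
    MDContactEmail hostmaster@example.com
    SSLEngine on
    # No SSLCertificateFile: mod_ssl uses the certificate mod_md obtained.
    DocumentRoot /var/www/example
</VirtualHost>
```

Keeping the EAB file out of the main configuration matters because httpd.conf is routinely committed to configuration management, shared in support tickets and readable by operators who have no business holding the CA account's HMAC key; the JSON file can be deployed from a secrets store with its own permissions.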
As for the vulnerabilities fixed in this new version, the following are mentioned:
- CVE-2021-44790: a buffer overflow in mod_lua that manifests when parsing multipart requests (requests whose body consists of several parts). The vulnerability affects configurations in which Lua scripts call the r:parsebody() function to parse the request body, and allows an attacker to trigger the overflow by sending a specially crafted request. No in-the-wild exploitation has been identified, but the problem could potentially lead to execution of attacker-supplied code on the server.
- An SSRF (Server-Side Request Forgery) vulnerability in mod_proxy (CVE-2021-44224): in configurations with the "ProxyRequests On" option, a request for a specially crafted URI allows the request to be redirected to another handler on the same server, one that accepts connections over a Unix domain socket. The problem can also be used to cause a crash by creating the conditions for a NULL pointer dereference. It affects Apache httpd versions from 2.4.7 up to 2.4.51.
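As an added illustration (not from the advisory or the Apache project), the configuration patterns that expose a server to the two issues are shown beside the tightened equivalents a practitioner would apply until the upgrade to 2.4.52 is done. Restricting callers reduces exposure but does not remove the bugs; only the upgrade does. IP ranges, paths and script names are assumptions.

```apache
# Added example; IP ranges, paths and script names are assumptions.
# Check the running release before relying on configuration workarounds:
#   httpd -v   (2.4.52 or later contains both fixes)
#   httpd -M   (shows whether proxy_module and lua_module are loaded)

# --- CVE-2021-44224 (mod_proxy) ----------------------------------------
# Exposed pattern: an open forward proxy. Any client can submit an
# absolute URI and have httpd forward it, including to handlers of the
# same server that listen on Unix sockets.
#   ProxyRequests On
#   <Proxy "*">
#       Require all granted
#   </Proxy>
#
# Tightened: forward proxying only for callers that need it. Reverse
# proxying with ProxyPass does not require ProxyRequests On at all.
ProxyRequests On
<Proxy "*">
    Require ip 10.0.0.0/8
</Proxy>

# --- CVE-2021-44790 (mod_lua) ------------------------------------------
# Exposed pattern: a Lua handler reachable by untrusted clients whose
# handle(r) function calls r:parsebody() on a multipart request.
LuaMapHandler "^/upload" /srv/httpd/lua/upload.lua
# Tightened: the overflow needs a crafted request body, so limiting who
# can reach the handler limits who can send that body.
<Location "/upload">
    Require ip 10.0.0.0/8
</Location>
```

Both workarounds rely on mod_authz_host (Require ip); if the server sits behind a load balancer, the client address seen by httpd is the balancer's unless mod_remoteip is configured, in which case the restriction above would either block everyone or nobody, so test the rule before trusting it.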
Finally, if you would like to know more about this newly released version, you can check the details at the following link.