Apache HTTP 2.4.52 fixes two vulnerabilities and brings many changes

A few days ago the release of the new version of the Apache HTTP server, 2.4.52, was announced. It carries about 25 changes and, in addition, fixes for two vulnerabilities.

For those not yet familiar with the Apache HTTP server: it is an open-source, cross-platform HTTP web server that implements the HTTP/1.1 protocol and the virtual host concept in accordance with the RFC 2616 standard.

What is new in Apache HTTP 2.4.52?

In this new version of the server we find added support for building mod_ssl against the OpenSSL 3 library. In addition, detection of the OpenSSL library in the autoconf scripts has been improved.

Another notable novelty in this release is in the proxy forwarding code: it is now possible to disable the forwarding of a TCP half-close on a connection by setting the "SetEnv proxy-nohalfclose" parameter.
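As an added illustration (not configuration from the article or the Apache project), the following fragment shows where the new environment variable is set. The hostname, the backend address and the path are assumed; the only 2.4.52-specific line is the SetEnv:

```apacheconf
# Added example: reverse-proxy one path and keep mod_proxy from forwarding
# the client's TCP half-close to the backend. Names and addresses are assumed.
<VirtualHost *:80>
    ServerName proxy.example.test            # assumed hostname

    <Location "/tunnel/">
        # New in 2.4.52: when the client shuts down its write side, mod_proxy
        # would normally propagate that half-close to the backend. Some backends
        # treat a half-close as a full close and drop the response; this keeps
        # the backend connection open until the response has been relayed.
        SetEnv proxy-nohalfclose 1

        ProxyPass        "http://127.0.0.1:8080/"   # assumed backend
        ProxyPassReverse "http://127.0.0.1:8080/"
    </Location>
</VirtualHost>
```

Because it is an ordinary environment variable, it can also be set conditionally with SetEnvIf, so that only the backends known to mishandle a half-close are affected.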

In mod_proxy_connect and mod_proxy, changing the status code after it has already been sent to the client is no longer permitted.

In mod_dav, support for the CalDAV extensions has been added, which requires taking both document and property elements into account when generating a property. New functions dav_validate_root_ns(), dav_find_child_ns(), dav_find_next_ns(), dav_find_attr_ns() and dav_find_attr() have been added and can be called from other modules.

In mod_http2, a regression that led to incorrect behaviour when handling the MaxRequestsPerChild and MaxConnectionsPerChild limits has been fixed.

The capabilities of the mod_md module, used to automatically obtain and maintain certificates via the ACME protocol (Automatic Certificate Management Environment), have also been extended:

Support for the ACME External Account Binding (EAB) mechanism has been added, configured with the MDExternalAccountBinding directive. The EAB values can be stored in an external JSON file so that the authentication parameters are not exposed in the main server configuration file.

The 'MDCertificateAuthority' directive now validates that its parameter is either an http/https URL or one of the predefined names ('LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test').
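The following fragment, added here as an example and not taken from the article or from the mod_md project, puts the two directives together: a predefined CA name for MDCertificateAuthority, and the EAB credentials read from a separate file instead of being written into httpd.conf. The domain names, the e-mail address and the file path are assumptions; the file layout (a JSON object with "kid" and "hmac" keys) follows the mod_md documentation and should be checked against the version you run.

```apacheconf
# Added example: mod_md with External Account Binding. Names and paths are assumed.
LoadModule md_module       modules/mod_md.so
LoadModule watchdog_module modules/mod_watchdog.so   # mod_md needs mod_watchdog

# 2.4.52 accepts either an http/https URL or one of the predefined names
# LetsEncrypt, LetsEncrypt-Test, Buypass, Buypass-Test. Staging first.
MDCertificateAuthority LetsEncrypt-Test

# EAB key id and HMAC key come from a file that only root can read, so that
# the secret never sits in the main configuration (which is often world-readable
# or committed to a repository). Assumed path; contents per mod_md docs:
#   {"kid": "<key id from the CA>", "hmac": "<base64url HMAC key from the CA>"}
MDExternalAccountBinding /etc/apache2/md/eab.json

<MDomain example.test>
    MDMember www.example.test
    # 2.4.52 allows the contact address to be set per <MDomain> section
    MDContactEmail hostmaster@example.test
</MDomain>

<VirtualHost *:443>
    ServerName example.test
    ServerAlias www.example.test
    SSLEngine on
    # no SSLCertificateFile: mod_md supplies the certificate it obtained
</VirtualHost>
```

Keep the JSON file owned by root with mode 0600; the EAB HMAC key is what ties the ACME account to your CA account, so leaking it lets a third party register accounts in your name.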

Among the other notable changes in this release:

  • An additional check has been added that URIs not intended for proxying contain an http/https scheme, while those intended for proxying contain a hostname.
  • When sending interim responses after receiving a request with an "Expect: 100-Continue" header, the result is now reported with the "100 Continue" status rather than the current status of the request.
  • mpm_event fixes a problem with stopping idle child processes after a spike in server load.
  • The MDContactEmail directive may now be specified inside an <MDomain> section.
  • A number of bugs have been fixed, including a memory leak that occurred when a private key is not loaded.

As for the vulnerabilities fixed in this release, the following are mentioned:

  • CVE-2021-44790: buffer overflow in mod_lua, triggered when parsing multipart requests (requests made up of several parts). The vulnerability affects configurations in which Lua scripts call the r:parsebody() function to parse the request body, and allows an attacker to cause a buffer overflow by sending a specially crafted request. No evidence of an exploit in the wild has been identified, but the problem could potentially lead to code execution on the server.
  • CVE-2021-44224: SSRF (Server Side Request Forgery) vulnerability in mod_proxy which, in configurations with the "ProxyRequests on" option, allows a request with a specially crafted URI to be forwarded to another handler on the same server that accepts connections over a Unix domain socket. The problem can also be used to cause a crash by creating the conditions for a NULL pointer dereference. It affects Apache httpd versions from 2.4.7 onwards.
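As an added example (not from the article or from the Apache project), the two configurations below contrast the forward-proxy setting that is the precondition for the mod_proxy issue with the reverse-proxy form most deployments actually need. Hostnames, ports and address ranges are assumed. Upgrading to 2.4.52 is the fix; narrowing who can reach the proxy only reduces exposure.

```apacheconf
# Added example: exposed vs. hardened mod_proxy configurations. Names assumed.

# Exposed: an open forward proxy. Any client can make httpd fetch an
# attacker-chosen URI, which is what the mod_proxy SSRF relies on (and what
# makes an open proxy abusable in general).
<VirtualHost *:8080>
    ProxyRequests On
</VirtualHost>

# Hardened: forward proxying stays off (the default) and only explicitly
# mapped paths are reverse-proxied to a fixed backend. A crafted request URI
# cannot choose the destination here; ProxyPass does.
<VirtualHost *:443>
    ServerName app.example.test
    ProxyRequests Off
    ProxyPass        "/api/" "http://127.0.0.1:9000/"   # assumed backend
    ProxyPassReverse "/api/" "http://127.0.0.1:9000/"
</VirtualHost>

# If a forward proxy is genuinely required, restrict who may use it so the
# reachable population is the internal network rather than the whole Internet.
<VirtualHost *:3128>
    ProxyRequests On
    <Proxy "*">
        Require ip 10.0.0.0/8      # assumed internal range
    </Proxy>
</VirtualHost>
```

A quick audit is to grep the active configuration for "ProxyRequests On" and, for each hit, ask whether the server is meant to be a forward proxy at all; on most web servers it is not, and the directive can simply be removed.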

Finally, if you are interested in learning more about this new release, you can check the details at the following link.

