Apache 2.4.53 arrives with improvements, fixes and more

A few days ago the release of a new corrective version of the Apache HTTP server, 2.4.53, was announced, introducing 14 changes and fixes for 4 vulnerabilities. The announcement of this new version notes that it is the latest release of the 2.4.x branch of Apache HTTPD, that it represents fifteen years of innovation by the project, and that it is recommended over all previous versions.

For those unfamiliar with Apache, it is a popular HTTP web server, available on Unix platforms (BSD, GNU/Linux, etc.), Microsoft Windows, Macintosh and others.

What's new in Apache 2.4.53?

In this new Apache 2.4.53 release, the most notable non-security change is in mod_proxy, where the character limit on a worker name has been raised, and the ability to configure timeouts separately for the backend and the frontend (for example, per worker) has been added. For requests sent over websockets or with the CONNECT method, the timeout is now the larger of the values set for the backend and the frontend.

Another notable change in this new version is the separate handling of opening DBM files and loading the DBM driver. In the event of a failure, the log now shows more detailed information about the error and the driver.

In mod_md, requests to /.well-known/acme-challenge/ are no longer processed unless the domain configuration explicitly enables the 'http-01' challenge type, while in mod_dav a regression was fixed that caused high memory consumption when handling a large number of resources.

On the other hand, it is also highlighted that the ability to use the pcre2 (10.x) library instead of pcre (8.x) for processing regular expressions was added, that support was added for escaping LDAP query filters so that data is correctly escaped when an LDAP injection attack is attempted, and that mpm_event fixed a deadlock that occurred on restart or when the MaxConnectionsPerChild limit was exceeded on heavily loaded systems.

Regarding the vulnerabilities fixed in this new version, the following are mentioned:

  • CVE-2022-22720: this allowed an "HTTP request smuggling" attack which, by sending specially crafted client requests, makes it possible to wedge into the content of other users' requests sent through mod_proxy (for example, to inject malicious JavaScript code into another user's session on the site). The issue is caused by an incoming connection being left open after errors were encountered while processing an invalid request body.
  • CVE-2022-23943: this was a buffer overflow vulnerability in the mod_sed module that allows heap memory to be overwritten with attacker-controlled data.
  • CVE-2022-22721: this vulnerability allowed an out-of-bounds buffer write due to an integer overflow that occurs when a request body larger than 350 MB is passed. The problem manifests on 32-bit systems where the value of LimitXMLRequestBody is configured too high (the default is 1 MB; for an attack the limit must be greater than 350 MB).
  • CVE-2022-22719: this is a vulnerability in mod_lua that allows random memory areas to be read and the process to be crashed when a specially crafted request body is processed. The problem is caused by the use of uninitialized values in the code of the r:parsebody function.
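As an added example (not code from the article or from the Apache project), the following POSIX shell script turns two of the facts above into checks an administrator can run before and after updating: it parses the banner that `httpd -v` prints and decides whether the installed build predates 2.4.53, the release that fixes the four CVEs, and it scans configuration text for LimitXMLRequestBody values above the 350 MB threshold the CVE-2022-22721 description gives for 32-bit builds. The banner line, the configuration fragment and the `/var/www/dav` path are constructed samples, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the article or from the Apache project.
# Two defender-side checks drawn from the release notes above:
#   1. parse the banner printed by `httpd -v` and decide whether the installed
#      build predates 2.4.53, the release that fixes the four CVEs;
#   2. scan httpd configuration text for LimitXMLRequestBody values above the
#      350 MB threshold given for CVE-2022-22721 on 32-bit builds.
# All inputs below are constructed samples; the banner format is the one
# httpd prints ("Server version: Apache/2.4.x (...)").

FIXED_VERSION="2.4.53"
# LimitXMLRequestBody is a byte count; 350 MB as used in the advisory text.
LIMIT_XML_THRESHOLD=$((350 * 1024 * 1024))

# version_lt A B: succeed when dotted version A is older than B.
# Missing trailing components count as zero (2.4 == 2.4.0).
version_lt() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}
        y=${b%%.*}
        if [ "$a" = "$x" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=""; else b=${b#*.}; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
    done
    return 1
}

# banner_version BANNER: print the numeric version found after "Apache/",
# dropping any "-suffix"; fail when the banner has no such field.
banner_version() {
    case "$1" in
        *Apache/*) ;;
        *) return 1 ;;
    esac
    v=${1#*Apache/}      # keep what follows "Apache/"
    v=${v%% *}           # cut at the first space
    v=${v%%-*}           # cut at a "-suffix", if any
    printf '%s\n' "$v"
}

# needs_update BANNER: succeed when the banner's version is older than the fix.
needs_update() {
    v=$(banner_version "$1") || return 2
    version_lt "$v" "$FIXED_VERSION"
}

# risky_xml_limits CONFIG_TEXT: print every LimitXMLRequestBody value that
# exceeds the threshold. Directive names are matched case-insensitively, as
# httpd itself does; comment lines and non-numeric values are skipped.
risky_xml_limits() {
    printf '%s\n' "$1" | while read -r directive value _rest; do
        case "$directive" in
            ""|\#*) continue ;;
        esac
        case "$value" in
            ""|*[!0-9]*) continue ;;
        esac
        lower=$(printf '%s' "$directive" | tr '[:upper:]' '[:lower:]')
        if [ "$lower" = "limitxmlrequestbody" ] && [ "$value" -gt "$LIMIT_XML_THRESHOLD" ]; then
            printf '%s\n' "$value"
        fi
    done
}

# Constructed sample inputs, not captured from a real host.
SAMPLE_BANNER="Server version: Apache/2.4.52 (Unix)"
SAMPLE_CONFIG='# constructed configuration fragment
LimitXMLRequestBody 1048576
<Directory "/var/www/dav">
    Dav On
    LimitXMLRequestBody 419430400
</Directory>'

if needs_update "$SAMPLE_BANNER"; then
    echo "httpd $(banner_version "$SAMPLE_BANNER") predates $FIXED_VERSION: update it"
fi
for limit in $(risky_xml_limits "$SAMPLE_CONFIG"); do
    echo "LimitXMLRequestBody $limit exceeds 350 MB: risky on a 32-bit build before $FIXED_VERSION"
done
```

On a real host, pass the script the first line of `httpd -v` (the binary is called `apache2` on Debian-derived systems, an assumption about naming) and the contents of the configuration files that set LimitXMLRequestBody. A value above 350 MB is only a problem on 32-bit builds older than 2.4.53, so the configuration check is a reason to update or lower the limit, not a finding on its own once the server is current.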

Finally, if you want to know more about this new release, you can check the details at the following link.

Download

You can get the new release by going to the official Apache website, where the download section has the link to the new version.

The link is this.
