A few days ago the release of a new corrective version of the Apache HTTP Server, 2.4.53, was announced; it introduces 14 changes and fixes 4 vulnerabilities. The announcement of this new version notes that it is the latest release of the 2.4.x branch of Apache HTTPD, represents fifteen years of innovation by the project, and is recommended over all previous versions.
For those unfamiliar with Apache, it is a popular open-source HTTP web server available for Unix platforms (BSD, GNU/Linux, etc.), Microsoft Windows, Macintosh and others.
What's new in Apache 2.4.53?
In this new Apache 2.4.53 release, the most notable changes not related to the vulnerabilities are the following. In mod_proxy, the limit on the number of characters in a handler name has been raised, and the ability to selectively configure timeouts for the backend and the frontend (for example, per worker) has been added. For requests sent over websockets or with the CONNECT method, the timeout has been changed to the maximum of the values set for the backend and the frontend.
Another notable change in this version is the separate handling of opening DBM files and loading the DBM driver: if either fails, the log now shows detailed information about the error and the driver involved.
In mod_md, processing of requests to /.well-known/acme-challenge/ has been stopped unless the domain configuration explicitly enables use of the 'http-01' challenge type, while in mod_dav a regression that caused high memory consumption when processing a large number of resources has been fixed.
Also highlighted are the ability to use the pcre2 (10.x) library instead of pcre (8.x) for processing regular expressions, added support for parsing LDAP query filters so that data can be properly escaped when an LDAP substitution attack is attempted, and, in mpm_event, a fix for a deadlock that occurred on restart or when the MaxConnectionsPerChild limit was exceeded on heavily loaded systems.
Regarding the vulnerabilities fixed in this new version, the following are noted:
- CVE-2022-22720: this allowed an "HTTP request smuggling" attack, in which specially crafted client requests could be used to wedge into the content of other users' requests sent through mod_proxy (for example, to substitute malicious JavaScript code into another user's session on the site). The problem is caused by incoming connections being left open after errors are encountered while processing an invalid request body.
- CVE-2022-23943: a buffer overflow in the mod_sed module that allowed heap memory to be overwritten with attacker-controlled data.
- CVE-2022-22721: this vulnerability allowed an out-of-bounds buffer write due to an integer overflow that occurs when a request body larger than 350 MB is passed. The problem manifests on 32-bit systems where the LimitXMLRequestBody value is set very high (the default is 1 MB; for the attack the limit must be greater than 350 MB).
- CVE-2022-22719: this vulnerability in mod_lua allowed reading arbitrary memory regions and crashing the process when a specially crafted request body was processed. The problem is caused by the use of uninitialized values in the code of the r:parsebody function.
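As an added example (not part of the article, and not Apache's own tooling), the following POSIX shell helpers cover the two checks a defender wants after reading the version note at the top and the CVE-2022-22721 entry above: whether the installed httpd banner shows a release at or above 2.4.53, and whether an httpd.conf sets LimitXMLRequestBody above the 350 MB threshold the article names (or to 0, which disables the check entirely). The banner lines and configuration fragments are constructed samples; on a real host you would feed "$(httpd -v)" and the actual configuration file instead. The function names are my own.

```shell
#!/bin/sh
# Added example, not from the article or the Apache project.
# Two audit helpers:
#   1. apache_is_fixed      - does an `httpd -v` banner show >= 2.4.53?
#   2. xml_body_limit_risky - does the config raise LimitXMLRequestBody
#                             past the 350 MB mark (or set 0 = unlimited)?
# All sample inputs below are constructed for offline use.

# Extract "major.minor.patch" from a banner such as
#   Server version: Apache/2.4.53 (Unix)
apache_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n 's/.*Apache\/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Return 0 when dotted version $1 is >= dotted version $2 (three numeric parts).
version_ge() {
    a1=${1%%.*}; rest=${1#*.}; a2=${rest%%.*}; a3=${rest#*.}
    b1=${2%%.*}; rest=${2#*.}; b2=${rest%%.*}; b3=${rest#*.}
    [ "$a1" -gt "$b1" ] && return 0
    [ "$a1" -lt "$b1" ] && return 1
    [ "$a2" -gt "$b2" ] && return 0
    [ "$a2" -lt "$b2" ] && return 1
    [ "$a3" -ge "$b3" ]
}

# 0 if the banner shows a release carrying the four fixes (>= 2.4.53), else 1.
apache_is_fixed() {
    v=$(apache_version_from_banner "$1")
    [ -n "$v" ] || return 1
    version_ge "$v" "2.4.53"
}

# 0 if any LimitXMLRequestBody in the config text (bytes) exceeds 350 MB or is
# 0 (unlimited), else 1. Simplifications: directive matched case-sensitively,
# Include files and <VirtualHost> scoping are not followed.
xml_body_limit_risky() {
    threshold=$((350 * 1024 * 1024))
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*LimitXMLRequestBody[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p' |
        ( while read -r bytes; do
              if [ "$bytes" -eq 0 ] || [ "$bytes" -gt "$threshold" ]; then
                  exit 0
              fi
          done
          exit 1 )
}

# Combined verdict: 0 when the build is fixed AND the XML body limit is sane.
apache_audit() {
    apache_is_fixed "$1" || return 1
    xml_body_limit_risky "$2" && return 1
    return 0
}

# Constructed samples (not captured from a real host).
SAMPLE_BANNER_OLD='Server version: Apache/2.4.52 (Unix)'
SAMPLE_BANNER_NEW='Server version: Apache/2.4.53 (Unix)'
SAMPLE_CONF_WEAK='# constructed httpd.conf fragment: 512 MB, above the 350 MB mark
LimitXMLRequestBody 536870912'
SAMPLE_CONF_OK='# constructed httpd.conf fragment: the documented default
LimitXMLRequestBody 1000000'

# Demo run over the samples.
for banner in "$SAMPLE_BANNER_OLD" "$SAMPLE_BANNER_NEW"; do
    if apache_is_fixed "$banner"; then echo "fixed:      $banner"
    else                               echo "VULNERABLE: $banner"; fi
done
if xml_body_limit_risky "$SAMPLE_CONF_WEAK"; then echo "weak config: limit too high"; fi
if ! xml_body_limit_risky "$SAMPLE_CONF_OK"; then echo "ok config:   limit within bounds"; fi
```

The config check is deliberately conservative: it flags both an oversized value and 0 (which Apache treats as "no limit"), because either leaves a 32-bit build exposed to the integer overflow the article describes. Keeping the directive at its default, or at least well under 350 MB, is the mitigation for hosts that cannot upgrade immediately.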
Finally, if you want to know more about this new release, you can check the details at the following link.
Download
You can get the new version from the official Apache website; in its download section you will find the link to the new version.