Apache HTTP Server 2.4.54 arrives with 19 changes and fixes 8 vulnerabilities

The Apache Software Foundation and the Apache HTTP Server Project recently announced the release of a new version, Apache HTTP Server 2.4.54. This is the latest GA release of the new-generation 2.4.x branch of Apache HTTPD; it represents fifteen years of innovation by the project and is recommended over all previous releases. This release of Apache is a security, feature, and bug-fix release.

The new version introduces 19 changes and fixes 8 vulnerabilities, some of which allow access to data or can lead to denial of service, among other things.

Main new features of Apache HTTP Server 2.4.54

In this new version of Apache HTTP Server 2.4.54, the MDCertificateAuthority directive in mod_md accepts more than one CA name and URL. New directives are also added: MDRetryDelay (defines the delay before a retry request is sent) and MDRetryFailover (defines the number of retries on failure before another CA is chosen).

Another notable change is that unused and unsafe code has been cleaned out of mod_http2. In mod_proxy, the backend network port is now included in the error messages written to the log, and in mod_heartmonitor the value of the HeartbeatMaxServers parameter has been changed from 0 to 10 (initialising 10 shared memory slots).

In addition, support was added for the "auto" status when displaying values in "key: value" format, and the ability to manage certificates for Tailscale Secure VPN users was provided.

In mod_ssl, SSL FIPS mode now supports OpenSSL 3.0, and the ab utility also implements TLSv1.3 support (this requires linking against an SSL library that supports the protocol).

Among the bug fixes made in this new version:

  • CVE-2022-31813: A vulnerability in mod_proxy that allows the sending of X-Forwarded-* headers, which carry information about the IP address the original request came from, to be blocked. The issue can be used to bypass access restrictions based on IP addresses.
  • CVE-2022-30556: A vulnerability in mod_lua that allows access to data outside the allocated buffer through manipulation of the r:wsread() function in Lua scripts, which can point past the end of the allocated storage. This bug can be exploited in Apache HTTP Server 2.4.53 and earlier versions.
  • CVE-2022-30522: Denial of service (insufficient available memory) when processing certain data with mod_sed. If Apache HTTP Server 2.4.53 is configured to perform transformations with mod_sed in contexts where the input to mod_sed may be very large, mod_sed may make excessively large memory allocations and trigger an abort.
  • CVE-2022-29404: Denial of service in mod_lua, exploited by sending specially crafted requests to Lua handlers that use the r:parsebody(0) call.
  • CVE-2022-28615, CVE-2022-28614: Denial of service or access to data in process memory due to errors in the ap_strcmp_match() and ap_rwrite() functions, which result in a region being read beyond the buffer boundary.
  • CVE-2022-28330: Out-of-bounds information leak in mod_isapi (the issue appears only on the Windows platform).
  • CVE-2022-26377: The mod_proxy_ajp module is vulnerable to "HTTP Request Smuggling" class attacks on front-end/back-end systems, which allow the content of users' requests to be processed in the same thread between the front end and the back end.
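For the CVE-2022-31813 item above, a backend that authorises by source IP should treat a proxied request without X-Forwarded-For as untrusted rather than fall back to the proxy's own address. The sketch below is an added example, not code from Apache or from the original article; the proxy address, the allowed network and the function names are constructed for illustration, and headers are assumed to arrive as a plain dict with canonical header names.

```python
import ipaddress

# Constructed values for illustration: the reverse proxy's address and the
# network the application grants access to.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}
ALLOWED_NETS = [ipaddress.ip_network("192.168.10.0/24")]


def client_ip(peer, headers):
    """Return the address to authorise on, or None if it cannot be trusted."""
    peer_ip = ipaddress.ip_address(peer)
    if peer_ip not in TRUSTED_PROXIES:
        # Direct connection: ignore any X-Forwarded-For the client supplied.
        return peer_ip
    xff = headers.get("X-Forwarded-For", "").strip()
    if not xff:
        # Request came through the proxy but the header is missing, which is
        # the situation CVE-2022-31813 describes. Fail closed.
        return None
    # mod_proxy appends the address it saw to the end of the list, so only
    # the last entry was written by the trusted proxy.
    last = xff.split(",")[-1].strip()
    try:
        return ipaddress.ip_address(last)
    except ValueError:
        return None


def is_allowed(peer, headers):
    """Apply the IP allowlist to the address resolved by client_ip()."""
    ip = client_ip(peer, headers)
    return ip is not None and any(ip in net for net in ALLOWED_NETS)
```

A backend that instead falls back to the peer address when the header is absent grants the proxy's own privileges to the request, which is how a stripped header turns into an access-control bypass.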

It is worth mentioning that this version requires the Apache Portable Runtime (APR), minimum version 1.5.x, and APR-Util, minimum version 1.5.x. Some features may require version 1.6.x of APR and APR-Util. The APR libraries must be updated for all httpd features to work properly.

Finally, if you are interested in learning more about this new version of the Apache HTTP server, you can check the details at the following link.

