In less than a week, the GitLab developers have had to get back to work. A few days ago, corrective updates 15.3.1, 15.2.3 and 15.1.5 of the GitLab collaborative development platform were released, resolving a critical vulnerability.
Listed under CVE-2022-2884, this vulnerability could allow an authenticated user with access to the GitHub Import API to execute code on the server. No operational details have been released yet. The vulnerability was identified by a security researcher as part of HackerOne's vulnerability bounty program.
As a workaround, administrators were advised to disable GitHub import (in the GitLab web interface: "Menu" -> "Admin" -> "Settings" -> "General" -> "Visibility and access controls" -> "Import sources" -> disable "GitHub").
Then, less than a week later, GitLab published the following series of corrective updates for its collaborative development platform: 15.3.2, 15.2.4 and 15.1.6, which fix a second critical vulnerability.
Listed under CVE-2022-2992, this vulnerability allows an authenticated user to execute code remotely on the server. Like the CVE-2022-2884 vulnerability fixed the previous week, it is a new problem in the API for importing data from the GitHub service. The vulnerability is present, among other releases, in 15.3.1, 15.2.3 and 15.1.5, the releases in which the first vulnerability in the GitHub import code was fixed.
No operational details have been released yet. The vulnerability was submitted to GitLab as part of the HackerOne bounty program, but unlike the previous issue, it was identified by a different contributor.
As a workaround, administrators are advised to disable importing from GitHub (in the GitLab web interface: "Menu" -> "Admin" -> "Settings" -> "General" -> "Visibility and access controls" -> "Import sources" -> disable "GitHub").
In addition, the proposed update fixes 14 more vulnerabilities, two of which are marked as dangerous, ten as medium severity and two as non-dangerous.
The following are considered dangerous: vulnerability CVE-2022-2865, which allows adding your own JavaScript code to pages shown to other users through manipulation of color labels.
It was possible to exploit the vulnerability by specifying a label color attribute that led to a stored XSS, allowing attackers to perform arbitrary actions on behalf of victims on the client side.
Another vulnerability resolved in the new series of fixes is CVE-2022-2527, which makes it possible to substitute content through the description field of the incident timeline. The medium-severity vulnerabilities are mainly related to denial of service.
The lack of length validation in Snippet descriptions in GitLab CE/EE, affecting all versions prior to 15.1.6, all versions from 15.2 prior to 15.2.4 and all versions from 15.3 prior to 15.3.2, allows an authenticated attacker to create a maliciously large snippet that, when requested with or without authentication, causes excessive load on the server, which can lead to denial of service.
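The two pieces of actionable information in this article are the fixed releases per branch (15.3.2, 15.2.4, 15.1.6) and the workaround of disabling the GitHub import source. The following script, added here as an example and not code from the article or from GitLab, turns both into an offline audit check. It assumes the JSON shapes returned by GitLab's `GET /api/v4/version` and `GET /api/v4/application/settings` endpoints (the `version` and `import_sources` fields) and uses constructed sample payloads rather than data from a live instance; the treatment of branches the article does not list (older than 15.1 counted as unpatched, newer than 15.3 counted as carrying the fix) is an assumption of the example.

```python
"""
Added example (not part of the original article): audit a GitLab instance's
reported version against the fixed releases named in the advisory, and check
whether the GitHub import source is still enabled.

Assumed (not from the article) response shapes, mimicking GitLab's own API:
  GET /api/v4/version              -> {"version": "15.3.1-ee", "revision": "..."}
  GET /api/v4/application/settings -> {..., "import_sources": ["github", ...]}
"""
import json
import re

# Lowest fixed release on each maintained branch, per the advisory
# (15.3.2, 15.2.4, 15.1.6).
PATCHED = {
    (15, 3): (15, 3, 2),
    (15, 2): (15, 2, 4),
    (15, 1): (15, 1, 6),
}


def parse_version(text):
    """Turn '15.3.1-ee' or '15.3.1' into (15, 3, 1); the edition suffix is ignored."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True if the version is below the fixed release for its branch.

    Assumption of this example: branches older than 15.1 received no fix and
    are treated as vulnerable; branches newer than 15.3 carry the fix forward.
    """
    v = parse_version(version) if isinstance(version, str) else tuple(version)
    branch = v[:2]
    if branch in PATCHED:
        return v < PATCHED[branch]
    return branch < min(PATCHED)


def github_import_enabled(settings):
    """Check the application-settings payload for the 'github' import source."""
    return "github" in settings.get("import_sources", [])


def audit(version_payload, settings_payload):
    """Combine both checks into findings an administrator can act on."""
    version = version_payload["version"]
    findings = []
    if is_vulnerable(version):
        findings.append(f"version {version} predates the fixed release for its branch")
        if github_import_enabled(settings_payload):
            findings.append("GitHub import source is enabled; disable it until upgraded")
    return findings


# Constructed sample payloads (not real instance data)
SAMPLE_VERSION = json.loads('{"version": "15.3.1-ee", "revision": "0123abcd"}')
SAMPLE_SETTINGS = json.loads('{"import_sources": ["github", "gitlab_project", "git"]}')

if __name__ == "__main__":
    for finding in audit(SAMPLE_VERSION, SAMPLE_SETTINGS):
        print("FINDING:", finding)
```

In production the two payloads would come from the instance's API with an admin token; the logic stays the same. Note that 15.3.1, which fixed the first issue, still reports as vulnerable here, which matches the article's point that the second flaw is present in the releases that shipped the first fix.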
Among the other vulnerabilities that were resolved:
- Package registry does not fully respect the group IP allow list: GitLab did not properly validate against the Package Registry when IP address restrictions were configured, allowing an attacker already in possession of a valid deploy token to misuse it from any location.
- Abuse of Gitaly.GetTreeEntries calls leads to denial of service, allowing an authenticated and authorized user to exhaust server resources by importing a malicious project.
- Potential arbitrary HTTP requests in an .ipynb Notebook with a malicious form tag, allowing an attacker to issue arbitrary HTTP requests.
- Regular expression denial of service via crafted input allowed an attacker to trigger high CPU usage with specially crafted input added to the commit message field.
- Information disclosure using unsanitized GFM references rendered in incident timeline events.
- Read repository content via the LivePreview feature: it was possible for an unauthorized user to read repository content if a project member used a crafted link.
- Denial of service via the API when creating a branch: improper data handling in branch creation could be used to trigger high CPU usage.
- Denial of service via issue preview.
Finally, if you are interested in learning more about it, you can check the details at the following link.