Less than a week ago GitLab's developers had to scramble to ship a fix: the corrective releases 15.3.1, 15.2.3 and 15.1.5 of the GitLab collaborative development platform were published, resolving a critical vulnerability.

Tracked as CVE-2022-2884, the vulnerability could allow an authenticated user to reach the GitHub Import API and execute arbitrary code remotely on the server. No exploitation details have been published. The flaw was reported by a security researcher through GitLab's HackerOne bug bounty program.

As a workaround, administrators are advised to disable the GitHub import source (in the GitLab web interface: "Menu" -> "Admin" -> "Settings" -> "General" -> "Visibility and access controls" -> "Import sources" -> uncheck "GitHub").
Then, less than a week later, GitLab published the next series of corrective releases of its collaborative development platform, 15.3.2, 15.2.4 and 15.1.6, which fix a second critical vulnerability.

Tracked as CVE-2022-2992, this vulnerability again allows an authenticated user to execute code remotely on the server. Like CVE-2022-2884, fixed the week before, the new problem lies in the API used to import data from the GitHub service. The vulnerability is present, among others, in releases 15.3.1, 15.2.3 and 15.1.5, the very releases in which the first flaw in the GitHub import code was fixed.

No exploitation details have been published. The vulnerability was reported to GitLab through the HackerOne bug bounty program, but unlike the previous issue it was found by a different contributor.

As a workaround, administrators are again advised to disable the GitHub import source (in the GitLab web interface: "Menu" -> "Admin" -> "Settings" -> "General" -> "Visibility and access controls" -> "Import sources" -> uncheck "GitHub"). The workaround only closes the import entry point; upgrading to a fixed release is the actual remedy.
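The two workaround paragraphs and the fixed-release numbers above invite a quick triage script. The following is an added example, not GitLab's own code: it takes the version string an instance reports, decides whether it still falls below the fixed release on its minor branch for CVE-2022-2884 and CVE-2022-2992 (all versions before 15.1.6, 15.2 before 15.2.4, 15.3 before 15.3.2 for the second CVE, as the article states further down), and, if the instance is exposed and still allows GitHub imports, prepares the API form of the workaround. Assumptions: the `/api/v4/version` response shape and the `import_sources` field of `PUT /api/v4/application/settings` are taken from the GitLab API documentation and should be verified against your instance; `gitlab.example.com` and the sample JSON are constructed; minor branches newer than 15.3 are assumed to have shipped with the fix.

```python
"""Added example (not GitLab's code): triage an instance against the fixed
releases named in the article and prepare the 'disable GitHub import' workaround."""
import json
import re
from typing import Dict, List, Tuple

# Fixed releases per minor branch, as stated in the article. Anything below the
# lowest fixed branch (15.1) is treated as affected; any branch newer than 15.3
# is ASSUMED to have been released with the fix and is treated as patched.
FIXED: Dict[str, Dict[Tuple[int, int], Tuple[int, int, int]]] = {
    "CVE-2022-2884": {(15, 1): (15, 1, 5), (15, 2): (15, 2, 3), (15, 3): (15, 3, 1)},
    "CVE-2022-2992": {(15, 1): (15, 1, 6), (15, 2): (15, 2, 4), (15, 3): (15, 3, 2)},
}


def parse_version(raw: str) -> Tuple[int, int, int]:
    """Turn a string such as '15.3.1-ee' (edition suffix included) into (15, 3, 1)."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", raw)
    if not m:
        raise ValueError(f"unrecognised GitLab version string: {raw!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_affected(raw: str, cve: str) -> bool:
    """True if the given version is below the fixed release of its minor branch."""
    fixed = FIXED[cve]
    major, minor, patch = parse_version(raw)
    branch = (major, minor)
    if branch < min(fixed):          # older than every patched branch
        return True
    if branch > max(fixed):          # assumed: newer branches carry the fix
        return False
    if branch in fixed:
        return (major, minor, patch) < fixed[branch]
    return True                      # unlisted branch in range: stay conservative


def affected_cves(raw: str) -> List[str]:
    return [cve for cve in FIXED if is_affected(raw, cve)]


def hardened_import_sources(current: List[str]) -> List[str]:
    """The article's workaround expressed as a settings change: drop GitHub."""
    return [s for s in current if s.lower() != "github"]


def workaround_request(base_url: str, current_sources: List[str]) -> Tuple[str, str]:
    """URL and JSON body for PUT /api/v4/application/settings (assumed API shape).
    Sending it, with an admin PRIVATE-TOKEN header, is left to the operator."""
    url = base_url.rstrip("/") + "/api/v4/application/settings"
    body = json.dumps({"import_sources": hardened_import_sources(current_sources)})
    return url, body


# Constructed sample of what GET /api/v4/version returns on an instance that
# received the first fix (15.3.1) but not the second (15.3.2).
SAMPLE_VERSION_JSON = '{"version": "15.3.1-ee", "revision": "0123456789ab"}'


def triage(version_json: str, current_sources: List[str],
           base_url: str = "https://gitlab.example.com") -> dict:
    """Report which of the two CVEs still apply and, if GitHub import is enabled
    on an exposed instance, the request that disables it."""
    version = json.loads(version_json)["version"]
    cves = affected_cves(version)
    result = {"version": version, "affected": cves}
    if cves and any(s.lower() == "github" for s in current_sources):
        result["workaround"] = workaround_request(base_url, current_sources)
    return result


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_VERSION_JSON, ["github", "gitlab_project", "git"]), indent=2))
```

Run against the constructed sample, the script reports that 15.3.1 is patched for CVE-2022-2884 but still exposed to CVE-2022-2992, and emits the settings call that removes `github` from the import sources; the same logic works for any version string the instance returns.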
The updates also fix 14 further vulnerabilities: two rated high, ten rated medium and two rated low.

The two rated high are CVE-2022-2865, which allows an attacker to inject their own JavaScript into pages shown to other users by manipulating label colours (setting a crafted label colour could lead to stored XSS, letting an attacker perform actions on the client side on behalf of the victim), and CVE-2022-2527, which makes it possible to inject content through the description field of incident timeline events. The medium-severity vulnerabilities mostly concern denial of service.

One of them is missing length validation in Snippet descriptions in GitLab CE/EE, affecting all versions before 15.1.6, all versions from 15.2 before 15.2.4 and all versions from 15.3 before 15.3.2. It allows an authenticated attacker to create very large malicious snippets which, when requested with or without authentication, put excessive load on the server and can lead to denial of service.
Among the other vulnerabilities resolved:
- The package registry does not fully honour the group IP allowlist: GitLab did not properly authenticate requests to the Package Registry when IP address restrictions were configured, allowing an attacker who already holds a valid deploy token to use it from any location.
- Abuse of Gitaly.GetTreeEntries calls leading to denial of service, allowing an authenticated and authorised user to exhaust server resources by importing a malicious project.
- Possible HTTP requests from an .ipynb notebook containing malicious form tags, allowing an attacker to issue arbitrary HTTP requests.
- Regular expression denial of service via crafted input: an attacker could trigger high CPU usage with crafted input in the commit message field.
- Information disclosure via GFM references rendered in incident timeline events.
- Reading repository content via the LivePreview feature: an unauthorised user could read repository content if a project member opened a crafted link.
- Denial of service via the API when creating a branch: improper handling of data on branch creation could be used to trigger high CPU usage.
- Denial of service via issue preview.
Finally, if you want to know more, the details can be consulted at the following link.