Second critical vulnerability disclosed in GitLab in less than a week


GitLab suffers a second security problem in less than a week

In less than a week, GitLab's developers have had to get back to work. Just a few days ago, the corrective releases 15.3.1, 15.2.3 and 15.1.5 of the GitLab collaborative development platform were published, fixing a critical vulnerability.

Listed as CVE-2022-2884, that vulnerability could allow an authenticated user with access to the GitHub Import API to execute code remotely on the server. No exploitation details have been published. The vulnerability was identified by a security researcher as part of the HackerOne vulnerability bounty program.

As a workaround, administrators are advised to disable the import-from-GitHub feature (in the GitLab web interface: "Menu" -> "Admin" -> "Settings" -> "General" -> "Visibility and access controls" -> "Import sources" -> disable "GitHub").

After that, and again in less than a week, GitLab has published the next series of corrective updates for its collaborative development platform: 15.3.2, 15.2.4 and 15.1.6, which fix a second critical vulnerability.

Listed as CVE-2022-2992, this vulnerability allows an authenticated user to execute code remotely on the server. Like CVE-2022-2884, fixed a week earlier, it is a new issue in the API for importing data from the GitHub service. The vulnerability is present, among other releases, in 15.3.1, 15.2.3 and 15.1.5, the very releases in which the first vulnerability in the GitHub import code was fixed.

No exploitation details have been published. The vulnerability was reported to GitLab as part of the HackerOne vulnerability bounty program but, unlike the previous issue, it was identified by a different contributor.

As a workaround, administrators are again advised to disable the import-from-GitHub feature (in the GitLab web interface: "Menu" -> "Admin" -> "Settings" -> "General" -> "Visibility and access controls" -> "Import sources" -> disable "GitHub").
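The same workaround and version check, scripted against the GitLab REST API, as an added example that is not part of the article or of GitLab's own tooling. It assumes the `GET /api/v4/version` and `GET`/`PUT /api/v4/application_settings` endpoints (the `import_sources` array) and an admin token; the sample responses embedded below are constructed, not captured from a real instance.

```python
import json
import re
import sys
import urllib.request

# Earliest patched release per branch, as listed in the article.
FIXED = {(15, 1): (15, 1, 6), (15, 2): (15, 2, 4), (15, 3): (15, 3, 2)}

def parse_version(text):
    """'15.3.1-ee' -> (15, 3, 1); edition suffixes such as '-ee' are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())

def needs_patch(version):
    """True when the release predates the CVE-2022-2992 fix on its branch.
    Branches older than 15.1 got no patched release in the article's list and
    anything newer than 15.3 already ships the fix, so 15.1.6 is the fallback floor."""
    v = parse_version(version)
    return v < FIXED.get(v[:2], (15, 1, 6))

def github_import_enabled(settings):
    """settings: decoded GET /api/v4/application_settings body."""
    return "github" in settings.get("import_sources", [])

def without_github(import_sources):
    """import_sources with 'github' removed: the value to PUT back as the workaround."""
    return [s for s in import_sources if s != "github"]

def assess(version_info, settings):
    """Findings an administrator should act on, as a list of strings."""
    findings = []
    if needs_patch(version_info["version"]):
        findings.append(f"version {version_info['version']} predates the fix; upgrade")
    if github_import_enabled(settings):
        findings.append("GitHub import source is enabled; disable it until patched")
    return findings

# Constructed sample responses (assumption: shape of the real API responses).
SAMPLE_VERSION = {"version": "15.3.1-ee"}
SAMPLE_SETTINGS = {"import_sources": ["github", "git", "gitlab_project"]}

def _api(base_url, token, path, data=None):
    body = json.dumps(data).encode() if data is not None else None
    req = urllib.request.Request(f"{base_url}/api/v4/{path}", data=body,
                                 method="PUT" if data is not None else "GET",
                                 headers={"PRIVATE-TOKEN": token,
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

if __name__ == "__main__":
    if len(sys.argv) == 3:                       # usage: script.py BASE_URL ADMIN_TOKEN
        base, token = sys.argv[1], sys.argv[2]
        ver, cfg = _api(base, token, "version"), _api(base, token, "application_settings")
        for finding in assess(ver, cfg):
            print("FINDING:", finding)
        if github_import_enabled(cfg):           # apply the article's workaround
            _api(base, token, "application_settings",
                 {"import_sources": without_github(cfg["import_sources"])})
    else:                                        # offline run against the samples
        for finding in assess(SAMPLE_VERSION, SAMPLE_SETTINGS):
            print("FINDING:", finding)
```

Without arguments the script only evaluates the constructed samples; with a base URL and admin token it queries the instance and removes `github` from the import sources, which is what the menu path above does in the UI.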

In addition, the new updates fix 14 further vulnerabilities: two are rated as dangerous, ten as medium severity, and two as non-dangerous.

The following are rated as dangerous. CVE-2022-2865 allows injecting JavaScript code into pages shown to other users by manipulating label colors: it was possible to exploit the flaw through the label color setting, leading to a stored XSS that lets attackers perform arbitrary actions on behalf of victims on the client side.

The other vulnerability resolved by the new series of fixes, CVE-2022-2527, makes it possible to inject content through the description field of the incident timeline. The medium-severity vulnerabilities are mainly related to denial of service.

The lack of length validation in Snippet descriptions in GitLab CE/EE, affecting all versions prior to 15.1.6, all versions from 15.2 prior to 15.2.4 and all versions from 15.3 prior to 15.3.2, allows an authenticated attacker to create large malicious snippets that, when requested with or without authentication, cause excessive load on the server, potentially leading to denial of service.

Among the other vulnerabilities resolved:

  • Package registry does not fully respect the group IP allowlist: GitLab did not properly validate requests to the Package Registry when IP address restrictions were configured, allowing an attacker who already held a valid deploy token to use it from any location.
  • Abuse of Gitaly.GetTreeEntries calls leads to denial of service, allowing an authenticated and authorized user to exhaust server resources by importing a malicious project.
  • Arbitrary HTTP requests from an .ipynb notebook containing malicious form tags, allowing an attacker to issue unwanted HTTP requests.
  • Regular expression denial of service via crafted input: an attacker could trigger high CPU usage through crafted input added to the commit message field.
  • Information disclosure via GFM references rendered in incident timeline events.
  • Reading repository content via the LivePreview feature: an unauthorized user could read repository content if a project member used a crafted link.
  • Denial of service via the API when creating a branch: incorrect data handling during branch creation could be used to trigger high CPU usage.
  • Denial of service via issue preview.

Finally, if you are interested in learning more about it, you can consult the details at the following link.

