Malicious releases of the LiteLLM library, which is downloaded 95 million times a month, have been published on PyPI.

The developers of LiteLLM, a Python library with 95 million downloads a month (3.5 million in the last 24 hours), have reported a compromise of the project. Attackers obtained a maintainer's credentials and published two malicious releases to PyPI, 1.82.7 and 1.82.8, containing code that steals keys and passwords from users' systems. The malicious versions have since been removed from PyPI, and the project has been temporarily suspended until the investigation is complete.

The attackers intercepted the LiteLLM project's PyPI access token through the Trivy security scanner, which was used in the project's continuous-integration pipeline. Earlier, at the end of February, the attackers had gained access to the Trivy infrastructure by exploiting a vulnerability in a pull_request_target handler running in Trivy's own CI system. After that compromise they published malicious Trivy releases in the 0.69 series, compromised the trivy-action GitHub Action, and pushed a modified Docker image containing Trivy.

On 24 March at 11:30 (MSK), the captured credentials of the LiteLLM maintainer (krrishdholakia) were used to publish LiteLLM releases 1.82.7 and 1.82.8 directly to PyPI, bypassing the project's official GitHub CI/CD pipeline. The project's GitHub repository was not affected; the malicious activity was observed only on PyPI. In LiteLLM 1.82.7, malicious code was inserted into the file litellm/proxy/proxy_server.py and triggered on import of litellm.proxy. In 1.82.8, a site-packages/litellm_init.pth file was additionally bundled, and a handler packed in base64 and activated at start-up was added to proxy_server.py (.pth files in site-packages are processed by the interpreter at every start-up, so the payload no longer depended on litellm.proxy being imported).

The injected code scanned the system for sensitive data and exfiltrated it: SSH and SSL/TLS keys, environment variables, AWS, GCP, Azure and Kubernetes credentials, cryptocurrency wallet keys, DBMS passwords, shell command history, and configuration files for Git, CI/CD, package managers and Docker. The collected data was encrypted with AES-256-CBC and RSA-4096 and sent in an HTTP POST request to "https://models.litellm.cloud/" (the domain litellm.cloud had been registered several hours before the malicious releases were published).

LiteLLM users are advised to verify that no litellm_init.pth file exists in their site-packages directory, to rotate all keys and credentials if version 1.82.7 or 1.82.8 was installed, to pin exact LiteLLM versions in their dependency manifests, and to compare the LiteLLM release they use against the corresponding release tag on GitHub.
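The following script is an added example for this article, not LiteLLM's own tooling. It shows the .pth start-up mechanism the 1.82.8 release relied on (site.addsitedir() executing an import line from a benign throw-away .pth file), and then implements the checks recommended above: whether litellm_init.pth is present, whether the installed litellm version is one of the two malicious ones, whether any .pth file carries an import line that reaches for exec/base64, and whether a requirements file pins litellm with an exact "==". The indicator file name and version numbers come from the text; build_demo_site_packages() creates a constructed environment for testing, and its placeholder .pth line (which merely decodes to print('demo')) is an assumption about the shape of such a loader, not the real payload, and is never executed.

```python
"""Audit a Python environment for the LiteLLM 1.82.7 / 1.82.8 indicators.

Added example for this article, not LiteLLM's own tooling. The demo
site-packages built below is constructed for the example; its .pth line only
mimics the shape of a .pth-based loader and is never executed by this script.
"""
import os
import re
import site
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

MALICIOUS_VERSIONS = {"1.82.7", "1.82.8"}
INDICATOR_PTH = "litellm_init.pth"

# site.py executes any .pth line that begins with "import" while the interpreter
# starts up, which is what makes a one-line .pth file a convenient loader.
SUSPICIOUS_PTH_LINE = re.compile(r"^import\s.*\b(exec|eval|compile|base64|__import__)\b")

# Exact "==" pin for litellm, allowing extras and trailing options such as --hash.
PIN_RE = re.compile(r"^litellm(?:\[[^\]]*\])?\s*==\s*([0-9][0-9A-Za-z.]*)(?:\s.*)?$", re.I)


def pth_import_lines_run() -> bool:
    """Show the mechanism: a benign .pth import line is executed by site.addsitedir()."""
    d = Path(tempfile.mkdtemp(prefix="pth-demo-"))
    (d / "demo.pth").write_text("import os; os.environ['LITELLM_PTH_DEMO'] = 'executed'\n")
    site.addsitedir(str(d))  # same code path the interpreter uses for site-packages
    return os.environ.get("LITELLM_PTH_DEMO") == "executed"


def installed_litellm_version(site_packages: Path) -> Optional[str]:
    """Read the Version field from litellm's .dist-info METADATA, if installed here."""
    for dist in site_packages.glob("litellm-*.dist-info"):
        meta = dist / "METADATA"
        if meta.is_file():
            for line in meta.read_text(encoding="utf-8", errors="replace").splitlines():
                if line.startswith("Version:"):
                    return line.split(":", 1)[1].strip()
    return None


def audit_site_packages(site_packages: Path) -> Dict[str, object]:
    """Check one site-packages directory for the indicators from the advisory."""
    version = installed_litellm_version(site_packages)
    suspicious: List[Tuple[str, str]] = []
    for pth in sorted(site_packages.glob("*.pth")):
        for line in pth.read_text(encoding="utf-8", errors="replace").splitlines():
            if SUSPICIOUS_PTH_LINE.match(line.strip()):
                suspicious.append((pth.name, line.strip()))
    return {
        "path": str(site_packages),
        "litellm_version": version,
        "malicious_version": version in MALICIOUS_VERSIONS,
        "indicator_pth_present": (site_packages / INDICATOR_PTH).is_file(),
        "suspicious_pth_lines": suspicious,
    }


def audit_running_interpreter() -> List[Dict[str, object]]:
    """Audit every site-packages directory the current interpreter loads .pth files from."""
    dirs = list(site.getsitepackages()) + [site.getusersitepackages()]
    return [audit_site_packages(Path(d)) for d in dirs if Path(d).is_dir()]


def litellm_pinned_safely(requirements_text: str) -> bool:
    """True only if litellm is pinned with == to a version outside the known-bad set."""
    for raw in requirements_text.splitlines():
        m = PIN_RE.match(raw.strip())
        if m:
            return m.group(1) not in MALICIOUS_VERSIONS
    return False


def build_demo_site_packages() -> Path:
    """Constructed, throw-away site-packages shaped like a compromised 1.82.8 install."""
    sp = Path(tempfile.mkdtemp(prefix="demo-site-packages-"))
    dist = sp / "litellm-1.82.8.dist-info"
    dist.mkdir()
    (dist / "METADATA").write_text("Metadata-Version: 2.1\nName: litellm\nVersion: 1.82.8\n")
    # Placeholder loader line (constructed): decodes to print('demo'); never run here.
    (sp / INDICATOR_PTH).write_text(
        "import base64,sys;exec(base64.b64decode(b'cHJpbnQoJ2RlbW8nKQ=='))\n")
    (sp / "easy-install.pth").write_text("./editable_package\n")  # benign path line
    return sp


if __name__ == "__main__":
    print("pth import lines execute at start-up:", pth_import_lines_run())
    for report in audit_running_interpreter():
        print(report)
```

Run it with the interpreter that serves the LiteLLM deployment (each virtualenv has its own site-packages); a non-empty suspicious_pth_lines list or a True indicator_pth_present is reason to treat the host as compromised and rotate every credential it could reach, as the advisory recommends.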

source: budenet.ru
