Vulnerability in NPM allowing arbitrary files to be modified during package installation

The release of the NPM package manager 6.13.4, bundled with Node.js and used to distribute modules for the JavaScript language, fixes three vulnerabilities (CVE-2019-16775, CVE-2019-16776 and CVE-2019-16777) that allow arbitrary files on the system to be modified or overwritten when installing a package prepared by an attacker. The proper fix is to upgrade to 6.13.4; as a workaround, installation can be run with the "--ignore-scripts" option, which prevents the helper scripts bundled in a package from being executed. The NPM developers analysed the packages in the repository and found no known cases of these vulnerabilities being used to carry out attacks.

  • CVE-2019-16777 affects releases before 6.13.4 and allows existing executable files to be overwritten during a global package install. Any file in the directory into which global executables are placed (usually /usr/local/bin) can be replaced.
  • CVE-2019-16775 and CVE-2019-16776 affect releases before 6.13.3 and allow an arbitrary file to be written, either by shipping a symbolic link that points to files outside the module directory (node_modules), or by manipulating the bin field in package.json (paths containing "/../" were accepted in the bin field).

    Source: opennet.ru
