A malicious change has been made to the node-ipc NPM package that deletes files on systems in Russia and Belarus.

A malicious change was found in the node-ipc NPM package (CVE-2022-23812): with a 25% probability, the contents of all files with write access are replaced with the "❤️" character. The malicious code is activated only when it runs on systems with IP addresses from Russia or Belarus. The node-ipc package has about one million downloads per week and is used as a dependency by 354 packages, including vue-cli. All projects that have node-ipc as a dependency are also affected by the problem.

The malicious code was published to the NPM repository as part of the node-ipc 10.1.1 and 10.1.2 releases. The malicious change was committed to the project's Git repository on behalf of the project's author 11 days ago. The country was determined in the code by calling the api.ipgeolocation.io service. The key used to access the ipgeolocation.io API from the malicious insert has now been revoked.

In comments on the warning about the suspicious code, the project's author said that the change amounts to adding a file to the desktop that displays a message calling for peace. In fact, the code recursively searched directories and tried to overwrite every file it encountered.

The node-ipc 11.0.0 and 11.1.0 releases were later published to the NPM repository. They replaced the built-in malicious code with an external dependency, "peacenotwar", which is controlled by the same author and offered for inclusion to package maintainers who wish to join the protest. The peacenotwar package is said to only display a message about peace, but given what the author has already done, the future contents of this package are unpredictable and the absence of destructive changes is not guaranteed.

At the same time, an update to the stable node-ipc branch, 9.2.2, which is used by the Vue.js project, was released. In the new release, in addition to peacenotwar, the colors package was also added to the list of dependencies; its author integrated destructive changes into the code in January. The license for the source code of the new release has been changed from MIT to DBAD.

Since the author's further actions are unpredictable, node-ipc users are advised to pin the dependency at version 9.2.1. It is also recommended to pin the versions of other projects by the same author, who maintained 41 packages. Some of the packages maintained by the same author (js-queue, stack-stack, js-message, event-pubsub) have about one million downloads per week.
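The pinning advice above can be checked mechanically against a project's lockfile. The following is an added example, not code from the article or from the node-ipc project: a Node.js function that walks a parsed package-lock.json (the flat `packages` map and the older nested `dependencies` tree) and reports the node-ipc releases and the peacenotwar dependency named in this article. The sample lockfile and the `example-cli` package name are constructed for illustration.

```javascript
// Releases and reasons below are the ones named in this article.
const FLAGGED = {
  'node-ipc': {
    '10.1.1': 'file-overwriting code',
    '10.1.2': 'file-overwriting code',
    '11.0.0': 'pulls in peacenotwar',
    '11.1.0': 'pulls in peacenotwar',
    '9.2.2': 'pulls in peacenotwar and colors',
  },
  peacenotwar: { '*': 'protest package by the same author' },
};
const NM = 'node_modules/';

function check(name, version, where, out) {
  const rules = FLAGGED[name];
  const reason = rules && (rules[version] || rules['*']);
  if (reason) out.push({ name, version, where, reason });
}

function auditLock(lock) {
  const out = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf(NM);
    if (i === -1) continue; // "" is the root project itself
    check(path.slice(i + NM.length), meta.version, path, out);
  }
  // lockfileVersion 1: nested tree; skipped when "packages" exists to avoid duplicates.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      check(name, meta.version, [...trail, name].join(' > '), out);
      walk(meta.dependencies, [...trail, name]);
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return out;
}

// Constructed sample lockfile; "example-cli" is a hypothetical package.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/example-cli': { version: '1.0.0' },
    'node_modules/example-cli/node_modules/node-ipc': { version: '9.2.2' },
    'node_modules/peacenotwar': { version: '1.0.0' },
    'node_modules/node-ipc': { version: '9.2.1' },
  },
};
console.log(auditLock(SAMPLE_LOCK));
```

In a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `auditLock`; a transitive copy nested under another package is reported with its full install path.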

Addendum: Other attempts have been recorded to add actions to various open source packages that are unrelated to the direct functionality of the applications and are tied to IP addresses or the system locale. The most harmless of these changes (es5-ext, rete, PHP composer, PHPUnit, Redis Desktop Manager, Awesome Prometheus Alerts, verdaccio, filestash) come down to displaying calls to end the war to users in Russia and Belarus. At the same time, more dangerous manifestations are also noted: for example, an encryptor was added to the AWS Terraform modules package and political restrictions were introduced into the license. The Tasmota firmware for ESP8266 and ESP32 devices has a built-in marker that can block the use of the devices. It is believed that this could undermine trust in open source software.

Source: opennet.ru
