Malicious code found in rest-client and 10 other Ruby packages

In the popular Ruby package rest-client, which has about 113 million downloads in total, a malicious code substitution (CVE-2019-15224) was identified that downloads executable commands and sends data to an external host. The attack was carried out by compromising the rest-client developer's account on the rubygems.org repository, after which the attackers published releases 1.6.10 through 1.6.13 on August 13-14, all of which included the malicious change. Before the malicious versions were blocked, roughly a thousand users managed to download them (the attackers released updates to an old version branch so as not to attract attention).

The malicious change overrides the "#authenticate" method of the Identity class, after which every call to that method causes the email and password supplied during the authentication attempt to be sent to the attackers' host. In this way the login credentials of users who use the Identity class and have installed a vulnerable version of the rest-client library are intercepted. rest-client is listed as a dependency of many popular Ruby packages, including ast (64 million downloads), oauth (32 million), fastlane (18 million) and kubeclient (3.7 million).

In addition, a backdoor was added to the code that allows arbitrary Ruby code to be executed through the eval function. The code is delivered in a Cookie signed with the attacker's key. To notify the attackers that the malicious package has been installed, the URL of the victim's system and a selection of environment details, such as saved passwords for the DBMS and cloud services, are sent to an external host. Attempts to download cryptocurrency mining scripts through the malicious code were also recorded.
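The override described above, as an added example that is not code from the article or from rest-client: a stand-in Identity class, a "malicious" patch that redefines #authenticate from a different file, and a check that uses Method#source_location to list methods on a sensitive class whose definition comes from outside the directory the class is supposed to live in. TRUSTED_DIR, the class, the file paths and the credentials are all made up for this example; the two eval calls with explicit filenames only simulate code being loaded from two different files.

```ruby
# Added example (not from the article or rest-client): detect a method on a
# sensitive class that has been redefined from outside the directory the class
# is supposed to live in. Identity and its authenticate method are stand-ins
# constructed here; the "malicious" patch is loaded via eval with a fake
# filename so that Method#source_location points somewhere unexpected.

TRUSTED_DIR = "/app/lib" # hypothetical directory of the application's own code

# Stand-in for the class whose #authenticate the article says was overridden.
# eval with an explicit filename records that path as the method's source.
eval(<<~RUBY, TOPLEVEL_BINDING, "#{TRUSTED_DIR}/identity.rb", 1)
  class Identity
    def initialize(email, password)
      @email, @password = email, password
    end

    def authenticate
      @password == "correct horse" # placeholder check, not a real login
    end
  end
RUBY

# A "malicious gem" redefining the same method. A real payload would forward
# @email/@password to an attacker's host; here it only records the capture.
CAPTURED = []
eval(<<~RUBY, TOPLEVEL_BINDING, "/gems/some-gem-1.0/lib/patch.rb", 1)
  class Identity
    alias_method :__orig_authenticate, :authenticate
    def authenticate
      CAPTURED << [@email, @password] # exfiltration stand-in
      __orig_authenticate
    end
  end
RUBY

# Return [method_name, file] for every instance method of klass whose
# definition lives outside trusted_dir. Methods without a Ruby source
# (C extensions) are skipped. Aliases resolve to the original definition,
# so only the redefined #authenticate is reported here.
def foreign_method_definitions(klass, trusted_dir)
  klass.instance_methods(false).filter_map do |name|
    file, _line = klass.instance_method(name).source_location
    next if file.nil? || file.start_with?(trusted_dir + "/")
    [name, file]
  end
end

if __FILE__ == $PROGRAM_NAME
  Identity.new("alice@example.com", "correct horse").authenticate
  p CAPTURED
  p foreign_method_definitions(Identity, TRUSTED_DIR)
end
```

In a real application the same check can be run after Bundler has loaded all gems, with the class list and the trusted directories taken from your own code base; a method on an authentication class that resolves to a gem's lib directory is worth a look.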

After studying the malicious code it was revealed that similar changes are present in 10 packages on RubyGems. These packages were not hijacked; the attackers created them deliberately, modelled on other popular libraries with similar names in which a hyphen was replaced by an underscore or vice versa (for example, the malicious package cron_parser was created based on cron-parser, and the malicious package doge-coin based on doge_coin). Problem packages:

The first malicious package from the list was published on May 12, but most of them appeared in July. In total, these packages were downloaded about 2500 times.
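A lockfile check for the two problems the article describes (the rest-client releases 1.6.10 through 1.6.13, and look-alike gem names that differ from a name you trust only by a hyphen/underscore swap), as an added example that is not part of the original article. The Gemfile.lock text and the trusted-name list are constructed sample input; on a real project you pass the contents of your own lockfile and your own list of intended dependency names.

```ruby
# Added example (not from the original article): audit a Gemfile.lock for the
# rest-client releases named above and for hyphen/underscore look-alikes of
# gems you actually depend on. The lockfile text and the trusted list below are
# constructed sample input.

# Versions the article says were published from the compromised account.
BAD_REST_CLIENT = %w[1.6.10 1.6.11 1.6.12 1.6.13].freeze

# Parse the GEM/specs section of a Gemfile.lock into {name => version}.
# Only top-level entries ("    name (x.y.z)", 4-space indent) are taken;
# deeper-indented lines are transitive requirements, not resolved versions.
def parse_lockfile_specs(text)
  specs = {}
  in_specs = false
  text.each_line do |line|
    if line.start_with?("GEM")
      in_specs = true
    elsif line =~ /\A[A-Z]/ # next top-level section (PLATFORMS, DEPENDENCIES, ...)
      in_specs = false
    elsif in_specs && (m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/))
      specs[m[1]] = m[2]
    end
  end
  specs
end

# Canonical form for look-alike comparison: hyphens and underscores removed.
def canonical(name)
  name.tr("-_", "")
end

# Report gems that (a) are a flagged rest-client release or (b) are a
# hyphen/underscore variant of a name on the trusted list.
def audit_lockfile(text, trusted_names)
  specs = parse_lockfile_specs(text)
  trusted = trusted_names.each_with_object({}) { |n, h| h[canonical(n)] = n }
  findings = []
  specs.each do |name, version|
    if name == "rest-client" && BAD_REST_CLIENT.include?(version)
      findings << "rest-client #{version}: release from compromised account"
    end
    original = trusted[canonical(name)]
    if original && original != name
      findings << "#{name} #{version}: hyphen/underscore look-alike of #{original}"
    end
  end
  findings
end

# Constructed sample lockfile: one look-alike (cron_parser instead of
# cron-parser) and one flagged rest-client release.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      cron_parser (0.1.2)
      mime-types (3.2.2)
      rest-client (1.6.13)
        mime-types (>= 1.16, < 4.0)
      rake (13.0.1)

  PLATFORMS
    ruby

  DEPENDENCIES
    cron_parser
    rest-client
LOCK

# Names the project intends to depend on (constructed for the example).
TRUSTED = %w[cron-parser mime-types rake rest-client].freeze

if __FILE__ == $PROGRAM_NAME
  puts audit_lockfile(SAMPLE_LOCKFILE, TRUSTED)
end
```

The look-alike check only catches the hyphen/underscore swap the article describes; it says nothing about a trusted name whose maintainer account has been taken over, which is exactly the rest-client case and is why the version check is kept separate.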

Source: opennet.ru
