Vulnerability in Travis CI leads to leak of public repository keys

A security issue (CVE-2021-41077) has been identified in the Travis CI continuous integration service, which is designed for testing and building projects developed on GitHub and Bitbucket. It allows the contents of sensitive environment variables of public repositories that use Travis CI to be disclosed. Among other things, the vulnerability makes it possible to obtain the keys used in Travis CI to generate digital signatures, access keys, and tokens for accessing the API.

The problem was present in Travis CI from September 3 to September 10. Notably, information about the vulnerability was sent to the developers on September 7, but the only reply the researchers received was a recommendation to use key rotation. Having received no adequate response, the researchers contacted GitHub and suggested cutting Travis off. The problem was fixed only on September 10, after a large number of complaints had been received from various projects. After the incident, a more than strange report about the problem was published on the Travis CI website: instead of announcing the fix for the vulnerability, it contained only an out-of-context recommendation to change access keys cyclically.

Following an outcry from several projects over the cover-up, a more detailed statement was published on the Travis CI support forum. It warned that the owner of a fork of any public repository could, by submitting a pull request, trigger the build process and gain unauthorized access to the sensitive environment variables of the original repository, which are set at build time based on fields from the ".travis.yml" file or defined through the Travis CI web interface. Such variables are stored in encrypted form and are decrypted only during the build. The problem affected only public repositories that have forks (private repositories are not susceptible to the attack).
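For projects acting on the key rotation advice, the first step is an inventory of which encrypted values a repository's ".travis.yml" actually carries. The sketch below is an added example, not code from Travis CI or from the original report: it assumes secrets are declared with Travis's `secure:` key, uses a constructed sample file with placeholder ciphertext, and the function name `find_secure_entries` is hypothetical.

```python
import re

# Constructed sample .travis.yml; the encrypted values are placeholders.
SAMPLE = '''\
language: python
env:
  global:
    - secure: "PLACEHOLDER_CIPHERTEXT_1"
    - PUBLIC_FLAG=1
  matrix:
    - TARGET=unit
deploy:
  provider: pypi
  user: example-user
  password:
    secure: "PLACEHOLDER_CIPHERTEXT_2"
notifications:
  slack:
    secure: "PLACEHOLDER_CIPHERTEXT_3"
'''

# "key:" or "key: value", optionally introduced by a list dash.
LINE = re.compile(
    r'^(?P<indent> *)(?P<dash>- +)?(?P<key>[A-Za-z_][\w.-]*):(?: +(?P<val>.*))?$')

def find_secure_entries(text):
    """Return (line_no, dotted_path) for every `secure:` value in the file."""
    stack = []   # (indent, key) pairs for the enclosing mapping keys
    found = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        m = LINE.match(line)
        if not m:
            continue  # plain list items such as "- PUBLIC_FLAG=1"
        # A key after "- " sits at the column where the key itself starts.
        indent = len(m['indent']) + len(m['dash'] or '')
        while stack and stack[-1][0] >= indent:
            stack.pop()  # leave mappings that ended at or above this column
        if m['key'] == 'secure' and m['val']:
            found.append((no, '.'.join(k for _, k in stack)))
        else:
            stack.append((indent, m['key']))
    return found

if __name__ == '__main__':
    for line_no, path in find_secure_entries(SAMPLE):
        print(f'line {line_no}: encrypted value under {path} -> rotate')
```

Variables defined through the Travis CI web interface do not appear in the file and have to be inventoried separately in the repository settings.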

Source: opennet.ru
