Malicious code detected in rest-client and ten other Ruby packages

In the popular gem package rest-client, which has 113 million downloads, a substitution of malicious code (CVE-2019-15224) was identified that downloads executable commands and sends information to an external host. The attack was carried out by compromising the account of the rest-client developer in the rubygems.org repository, after which the attackers published releases 1.6.10 through 1.6.13 on August 13 and 14, containing the malicious changes. Before the malicious versions were blocked, roughly a thousand users managed to download them (the attackers released updates to an old version line so as not to attract attention).

The malicious change overrides the "#authenticate" method in the Identity class, after which every call to that method results in the email and password submitted during the authentication attempt being sent to the attackers. In this way, login credentials of users of services that use the Identity class and have a vulnerable version of the rest-client library installed are intercepted; rest-client is a dependency of many popular Ruby packages, including ast (64 million downloads), oauth (32 million), fastlane (18 million), and kubeclient (3.7 million).

In addition, a backdoor was added to the code, allowing arbitrary Ruby code to be executed via the eval function. The code is delivered in a Cookie signed with the attacker's key. To notify the attackers that the malicious package has been installed on a host, the URL of the victim's system and a selection of information about the environment, such as stored passwords for DBMS and cloud services, are sent to an external server. Attempts to download cryptocurrency-mining scripts via the malicious code described above were recorded.

After studying the malicious code, it became clear that similar changes are present in 10 other packages in RubyGems. These were not hijacked but were specially prepared by the attackers as look-alikes of other popular libraries with similar names, in which a dash was replaced with an underscore or vice versa (for example, the malicious package cron_parser was created based on cron-parser, and the malicious package Doge-coin based on doge_coin). Problem packages:

The first malicious package from this list was published on May 12, but most of them appeared in July. In total, these packages were downloaded about 2500 times.
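As an added example, not part of the original report or of any project's code, the following Ruby audit checks an inventory of installed gems for the backdoored rest-client releases named above (1.6.10 through 1.6.13) and for gem names that differ from a known-good name only by a dash/underscore swap, the squatting pattern described for the ten other packages. The inventory and the list of known-good names are constructed here; in practice they would come from Gemfile.lock or `gem list` and from your own allowlist.

```ruby
require 'rubygems'

# rest-client releases named in the advisory as carrying the malicious change (CVE-2019-15224).
MALICIOUS_REST_CLIENT = %w[1.6.10 1.6.11 1.6.12 1.6.13].map { |v| Gem::Version.new(v) }.freeze

# True if this (name, version) pair is one of the backdoored rest-client releases.
def backdoored_rest_client?(name, version)
  name == 'rest-client' && MALICIOUS_REST_CLIENT.include?(Gem::Version.new(version))
end

# Collapse '-' and '_' (and case) so that cron-parser and cron_parser compare equal.
def squat_key(name)
  name.downcase.tr('-', '_')
end

# Return the installed gem names that collide with a known-good name only by a
# dash/underscore swap, i.e. look-alikes such as cron_parser next to cron-parser.
def dash_underscore_squats(installed_names, known_names)
  known_by_key = known_names.group_by { |n| squat_key(n) }
  installed_names.select do |n|
    siblings = known_by_key[squat_key(n)]
    siblings && !siblings.include?(n)
  end
end

# Run both checks over an inventory of [name, version] pairs and return findings.
def audit(installed, known_names)
  findings = []
  installed.each do |name, version|
    if backdoored_rest_client?(name, version)
      findings << "#{name} #{version}: backdoored release (CVE-2019-15224)"
    end
  end
  dash_underscore_squats(installed.map(&:first), known_names).each do |name|
    findings << "#{name}: dash/underscore variant of a known gem name"
  end
  findings
end

# Constructed sample inventory (not real data); a Gemfile.lock parser would feed this in practice.
SAMPLE_INSTALLED = [
  ['rest-client', '1.6.13'],
  ['rest-client', '2.1.0'],
  ['cron_parser', '0.1.0'],
  ['cron-parser', '0.3.0'],
  ['Doge-coin', '1.0.0'],
  ['oauth', '0.5.4'],
].freeze

# Constructed allowlist of names you expect to depend on (assumption: your own allowlist).
SAMPLE_KNOWN = %w[rest-client cron-parser doge_coin oauth ast fastlane kubeclient].freeze

if __FILE__ == $0
  audit(SAMPLE_INSTALLED, SAMPLE_KNOWN).each { |f| puts f }
end
```

The version check uses Gem::Version rather than string comparison so that the match is exact and survives prerelease or padded version strings; the squat check deliberately ignores case as well as the separator, since the look-alike names in the report differ from the originals by little more than that.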

Source: opennet.ru
