The developers of the LiteLLM Python library, which sees 95 million downloads per month and 3.5 million in the past 24 hours, have reported a compromise of the project. Attackers managed to intercept maintainer credentials and publish two malicious releases to PyPI, 1.82.7 and 1.82.8, containing code that steals keys and passwords from users' systems. The malicious versions have now been removed from PyPI, and the project has been temporarily paused while the investigation is under way.
The access token for the LiteLLM account on PyPI was compromised by the attackers through the use of the Trivy security scanner in the continuous integration pipeline. Before that, at the end of February, the attackers gained access to the infrastructure of the Trivy project by exploiting a vulnerability in the pull_request_target handler used in Trivy's continuous integration pipeline. After the compromise, the attackers published malicious Trivy releases 0.69-0.69, tampered with the trivy-action GitHub Action handler, and pushed a modified Docker image containing Trivy.
On March 24 at 11:30 AM (MSK), the compromised credentials of the LiteLLM maintainer (krrishdholakia) were used to publish the malicious LiteLLM releases 1.82.7 and 1.82.8 directly to PyPI, bypassing the official GitHub CI/CD pipeline. The project's GitHub repository was not affected; malicious activity was observed only on PyPI. In the LiteLLM 1.82.7 release, malicious code was inserted into the file litellm/proxy/proxy_server.py and ran whenever litellm.proxy was imported. In release 1.82.8, a site-packages/litellm_init.pth file was added as well, and a base64-packed handler that runs on any interpreter startup was added to the proxy_server.py file.
The injected malicious code collected and exfiltrated sensitive data. SSH and SSL/TLS keys, the contents of environment variables, AWS, GCP, Azure and K8s credentials, cryptocurrency wallet keys, DBMS passwords, shell command history, and configuration files from Git, CI/CD, package managers and Docker were sent out. The collected data was encrypted with AES-256-CBC and RSA-4096 and sent by HTTP POST request to the site "https://models.litellm.cloud/" (the litellm.cloud domain was registered a few hours before the malicious releases were published).
LiteLLM users are advised to verify that the litellm_init.pth file is not present in the site-packages directory, to rotate all keys and credentials if version 1.82.7 or 1.82.8 was installed, to pin specific LiteLLM versions in their dependency-installation settings, and to compare the LiteLLM releases they use against the release code on GitHub.
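The checks in the advice above, as an added example (not code from the article or the LiteLLM project): it lists the site-packages directories the running interpreter honours, flags a litellm_init.pth file and any .pth file carrying executable import lines, and reads the installed LiteLLM version from package metadata without importing the package. The affected version numbers and the file name come from the article; everything else is an assumption of this example.

```python
import importlib.metadata
import site
import sysconfig
from pathlib import Path

AFFECTED_VERSIONS = {"1.82.7", "1.82.8"}  # releases named in the advisory
DROPPED_FILE = "litellm_init.pth"          # file named in the advisory

def site_packages_dirs():
    """Every site-packages directory the running interpreter honours."""
    dirs = set(site.getsitepackages()) | {site.getusersitepackages()}
    dirs.add(sysconfig.get_paths()["purelib"])
    return sorted(Path(d) for d in dirs if Path(d).is_dir())

def pth_executable_lines(path):
    """Lines of a .pth file that site.py executes at interpreter startup:
    only lines starting with 'import ' (or 'import<TAB>'); any other
    non-comment line is merely a directory appended to sys.path."""
    text = Path(path).read_text(errors="replace")
    return [ln.strip() for ln in text.splitlines()
            if ln.startswith(("import ", "import\t"))]

def scan_pth_files(dirs):
    """Return (path, reason) findings for .pth files that deserve review."""
    findings = []
    for d in dirs:
        for pth in sorted(Path(d).glob("*.pth")):
            if pth.name == DROPPED_FILE:
                findings.append((str(pth), "file named in the advisory"))
            for line in pth_executable_lines(pth):
                findings.append((str(pth), "runs on startup: " + line[:80]))
    return findings

def is_affected_version(version):
    return version.strip() in AFFECTED_VERSIONS

def installed_litellm_version():
    # Read package metadata only; never import litellm here, since importing
    # a compromised build is exactly what triggers its payload.
    try:
        return importlib.metadata.version("litellm")
    except importlib.metadata.PackageNotFoundError:
        return None

if __name__ == "__main__":
    ver = installed_litellm_version()
    print("litellm:", ver, "(AFFECTED)" if ver and is_affected_version(ver) else "")
    for path, reason in scan_pth_files(site_packages_dirs()):
        print(path, "->", reason)
```

Legitimate tools such as setuptools and virtualenv also ship .pth files with import lines, so a "runs on startup" finding means review the file, not that the host is compromised; the litellm_init.pth name and the affected versions are the direct indicators.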
Source: opennet.ru
