Vulnerability in GitLab that allows access to Runner tokens

Corrective updates to the collaborative development platform GitLab, 14.8.2, 14.7.4 and 14.6.5, fix a critical vulnerability (CVE-2022-0735) that allows an unauthorized user to extract registration tokens for GitLab Runner, which is used to invoke handlers when project code is built in a continuous integration system. Details have not yet been provided; it is stated only that the problem is caused by an information leak when Quick Actions commands are used.

The issue was identified by GitLab staff and affects versions 12.10 to 14.6.5, 14.7 to 14.7.4, and 14.8 to 14.8.2. Users who maintain their own GitLab installations are advised to install the update or apply the patch as soon as possible. The issue was resolved by restricting access to Quick Actions commands to users with write permission only. After the update or the individual "token-prefix" patches are installed, Runner registration tokens previously created for groups and projects will be reset and regenerated.

In addition to the critical vulnerability, the new versions also fix 6 less dangerous vulnerabilities that could lead to an unprivileged user adding other users to groups, users being misinformed through manipulation of the content of Snippets, leakage of environment variables through the e-mail delivery method, detection of the existence of users through the GraphQL API, leakage of passwords when mirroring repositories over SSH in pull mode, and a DoS attack through the comment submission system.

Source: opennet.ru
