A malicious change in the node-ipc NPM package wipes files on systems in Russia and Belarus.

A malicious change has been identified in the node-ipc NPM package (CVE-2022-23812): with a 25% probability, it replaces the contents of every file it can write to with the "❤️" symbol. The malicious code activates only when run on systems whose IP addresses are located in Russia or Belarus. The node-ipc package is downloaded about a million times a week and is used as a dependency by 354 packages, including vue-cli. Every project that has node-ipc as a dependency is affected by the problem as well.

The malicious code was published to the NPM repository as part of the node-ipc 10.1.1 and 10.1.2 releases. The malicious change was committed to the project's Git repository under the project author's name 11 days ago. The code determines the country by calling the api.ipgeolocation.io service. The key used to access the ipgeolocation.io API from the malicious embed has since been revoked.

In comments on a warning about the appearance of suspicious code, the project author claimed that the change was equivalent to adding a file to the desktop showing a message calling for peace. In reality, the code performed a recursive directory traversal in an attempt to overwrite every file it found.

Later, node-ipc 11.0.0 and 11.1.0 releases were published to the NPM repository, replacing the built-in malicious code with an external dependency, "peacenotwar", maintained by the same author and offered for inclusion to package maintainers who wish to join the protest. The peacenotwar package is reported to display only a message about peace, but given the actions the author has already taken, the further contents of the package cannot be predicted and the absence of destructive changes is not guaranteed.

At the same time, an update to the stable node-ipc 9.2.2 branch, which is used by the Vue.js project, was released. In the new release, in addition to peacenotwar, the colors package was also added to the dependency list; its author merged destructive changes into that package's code in January. The source license of the new release was changed from MIT to DBAD.

Since the author's further actions cannot be predicted, node-ipc users are advised to pin the dependency to version 9.2.1. It is also advisable to pin the versions of other projects by the same author, who maintains 41 packages. Some of the packages maintained by the same author (js-queue, stack-stack, js-message, event-pubsub) are downloaded about a million times a week.
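As an added example (not code from the article or from the node-ipc project), the following script audits a package-lock.json for the node-ipc releases the article names and reports whether each occurrence is a flagged release, the advised 9.2.1 pin, or something else to review; the lock-file content embedded at the end is a constructed sample, not a real project.

```javascript
// Releases named in the article, with the reason each is flagged.
const RELEASES = {
  '10.1.1': 'destructive: overwrites writable files with ❤️ on RU/BY IPs',
  '10.1.2': 'destructive: overwrites writable files with ❤️ on RU/BY IPs',
  '11.0.0': 'pulls in the peacenotwar dependency (contents not predictable)',
  '11.1.0': 'pulls in the peacenotwar dependency (contents not predictable)',
  '9.2.2':  'pulls in peacenotwar and colors; license changed to DBAD',
};
const SAFE_PIN = '9.2.1'; // version the article advises pinning to

// Collect every node-ipc entry from both lock-file layouts: lockfileVersion 2/3
// "packages" keyed by install path, and the nested lockfileVersion 1 "dependencies".
// Results are keyed by path so a v2 file listing both layouts is not double-counted.
function collectNodeIpc(lock) {
  const found = new Map();
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/node-ipc')) found.set(path, meta.version);
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'node-ipc') found.set(path, meta.version);
      walk(meta.dependencies, `${path}/`); // v1 nests transitive deps
    }
  };
  walk(lock.dependencies, '');
  return [...found].map(([path, version]) => ({ path, version }));
}

// Classify each occurrence: 'flag' (release named above), 'pinned' (advised pin),
// or 'review' (any other version, which the article gives no verdict on).
function auditNodeIpc(lock) {
  return collectNodeIpc(lock).map(({ path, version }) => {
    const status = RELEASES[version] ? 'flag' : version === SAFE_PIN ? 'pinned' : 'review';
    const note = RELEASES[version] || (status === 'pinned' ? 'advised pin' : 'not the advised pin');
    return { path, version, status, note };
  });
}

// Constructed sample lock file: one direct node-ipc and one nested under @vue/cli.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    'node_modules/node-ipc': { version: '10.1.2' },
    'node_modules/@vue/cli/node_modules/node-ipc': { version: '9.2.1' },
  },
};

console.log(JSON.stringify(auditNodeIpc(SAMPLE_LOCK), null, 2));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`.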

Addition: Several other attempts have been recorded to add behaviour to various open source packages that is unrelated to the applications' actual functionality and is tied to IP addresses or the system locale. The more harmless changes (es5-ext, rete, PHP composer, PHPUnit, Redis Desktop Manager, Awesome Prometheus Alerts, verdaccio, filestash) amount to showing calls to end the war to users from Russia and Belarus. At the same time, more dangerous cases have been identified: for example, an encryptor was added to the AWS Terraform module packages and political restrictions were introduced into the license. The Tasmota firmware for ESP8266 and ESP32 devices contains planted code that can block the devices from operating. Such activity is believed to undermine trust in open source software.

source: opennet.ru
