Malicious code identified in rest-client and 10 other Ruby packages

In the popular gem rest-client, which has 113 million downloads, a malicious code substitution (CVE-2019-15224) was identified that downloads executable commands and sends information to an external host. The attack was carried out by compromising the rest-client developer's account on the rubygems.org repository, after which the attackers published versions 1.6.10 and 1.6.13, containing the malicious changes, on August 13-14. Before the malicious versions were blocked, about a thousand users managed to download them (the attackers released the updates for old versions so as not to attract attention).

The malicious change overrides the "#authenticate" method in the Identity class, after which every call of that method causes the email and password passed during the authentication attempt to be sent to the attackers. In this way, the login credentials of users of services that use the Identity class and that had installed the vulnerable version of the rest-client library were intercepted; the library is pulled in as a dependency by many popular Ruby packages, including ast (64 million downloads), oauth (32 million), fastlane (18 million), and kubeclient (3.7 million).

In addition, a backdoor was added to the code, allowing Ruby code to be executed via a function call. The code is passed in a Cookie signed with the attacker's key. To notify the attackers that the malicious package has been installed, the URL of the victim's system and a selection of information about the environment, such as saved passwords for the DBMS and cloud services, are sent to an external host. Attempts to download cryptocurrency-mining scripts using this malicious code were recorded.

After studying the malicious code, it was discovered that similar changes are present in 10 packages on Ruby Gems that were not hijacked but were specially prepared by the attackers on the basis of other popular libraries with similar names, in which a hyphen was replaced with an underscore or vice versa (for example, the malicious package cron_parser was created based on cron-parser, and the malicious package doge-coin based on doge_coin). The problematic packages:

The first malicious package in this list was uploaded on May 12, but most of them appeared in July. In total, these packages were downloaded about 2500 times.
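As an added example, not code from the original article or from the rest-client project, this Ruby script scans a Gemfile.lock for the two indicators described above: a rest-client release from the backdoored range, and a dependency whose name differs from a known gem only by a hyphen/underscore swap. It assumes the affected rest-client versions span 1.6.10 through 1.6.13 inclusive; the allowlist of known-good gem names and the lockfile fragment are constructed for the demonstration.

```ruby
require "set"
# Versions of rest-client named in the advisory; treating them as an
# inclusive range is an assumption of this example.
MALICIOUS_REST_CLIENT = (Gem::Version.new("1.6.10")..Gem::Version.new("1.6.13"))

# Constructed allowlist of gem names the project legitimately depends on.
KNOWN_GOOD = %w[rest-client cron-parser doge_coin oauth kubeclient].to_set

# Extract [name, version] pairs from the four-space-indented spec lines
# of a Gemfile.lock; nested dependency lines (six spaces) are skipped.
def parse_lockfile(text)
  text.each_line.filter_map do |line|
    m = line.match(/\A {4}([\w.-]+) \(([\w.-]+)\)\s*\z/)
    [m[1], m[2]] if m
  end
end

# The typosquatting pattern above: "cron_parser" for "cron-parser",
# "doge-coin" for "doge_coin". Returns the legitimate name or nil.
def lookalike_of(name, known = KNOWN_GOOD)
  return nil if known.include?(name)
  swapped = name.include?("_") ? name.tr("_", "-") : name.tr("-", "_")
  known.include?(swapped) ? swapped : nil
end

# Audit a lockfile; returns [gem, version, reason] triples.
def audit_lockfile(text)
  parse_lockfile(text).filter_map do |name, version|
    if name == "rest-client" && MALICIOUS_REST_CLIENT.cover?(Gem::Version.new(version))
      [name, version, "backdoored rest-client release (CVE-2019-15224)"]
    elsif (legit = lookalike_of(name))
      [name, version, "hyphen/underscore lookalike of #{legit}"]
    end
  end
end

# Constructed Gemfile.lock fragment for demonstration.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      cron_parser (0.1.0)
      doge-coin (1.0.0)
      oauth (0.5.4)
      rest-client (1.6.13)
        mime-types (>= 1.16, < 4.0)
LOCK

audit_lockfile(SAMPLE_LOCK).each { |g, v, why| puts "#{g} #{v}: #{why}" }
```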

source: opennet.ru
