Vulnerabilities in GitLab allowing account takeover and execution of commands as another user

Corrective updates to the collaborative development platform have been published: GitLab 16.7.2, 16.6.4 and 16.5.6, fixing two vulnerabilities. The first vulnerability (CVE-2023-7028), assigned the maximum severity level (10 out of 10), allows taking over another person's account by manipulating the forgotten-password recovery form. The vulnerability is caused by the possibility of sending an e-mail containing a password reset code to unverified e-mail addresses. The problem has existed since the release of GitLab 16.1.0, which introduced the ability to send a password recovery code to an unverified backup e-mail address.

To check systems for signs of compromise, it is suggested to inspect the gitlab-rails/production_json.log log for HTTP requests to the /users/password handler in which the "params.value.email" parameter contains a list of several e-mail addresses. It is also suggested to check the gitlab-rails/audit_json.log log for entries with the value PasswordsController#create in meta.caller.id that show several addresses in target_details. The attack cannot be completed if the user has enabled two-factor authentication.
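The two log checks described above, written out as a small scanner. This is an added example, not code from GitLab or from the original article; the sample log lines are constructed, and the exact field layout (a "params" list of {"key", "value"} entries in production_json.log, a "remote_ip" field, and "meta.caller.id" appearing either as one flat key or as nested objects in audit_json.log) is an assumption, so adjust the accessors to what your own logs contain.

```python
import json

# Constructed sample lines in the assumed production_json.log layout (not real GitLab output).
# Line 2 is the pattern the advisory describes: a reset request naming several e-mails at once.
SAMPLE_PRODUCTION_LOG = """\
{"method":"POST","path":"/users/password","params":[{"key":"user","value":{"email":"alice@example.com"}}],"remote_ip":"192.0.2.10"}
{"method":"POST","path":"/users/password","params":[{"key":"user","value":{"email":["alice@example.com","unverified@example.net"]}}],"remote_ip":"198.51.100.7"}
{"method":"GET","path":"/users/sign_in","params":[],"remote_ip":"192.0.2.11"}
"""

# Constructed sample lines in the assumed audit_json.log layout (not real GitLab output).
# Line 1 uses a flat dotted key, line 2 nested objects; only line 2 carries several target addresses.
SAMPLE_AUDIT_LOG = """\
{"meta.caller.id":"PasswordsController#create","target_details":"alice@example.com"}
{"meta":{"caller":{"id":"PasswordsController#create"}},"target_details":["alice@example.com","unverified@example.net"]}
{"meta.caller.id":"SessionsController#create","target_details":"bob@example.com"}
"""


def get_path(record, dotted):
    """Return the value at a dotted path. The literal flat key is tried first
    (some JSON loggers emit "meta.caller.id" as a single key), then nested dicts."""
    if dotted in record:
        return record[dotted]
    cur = record
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def is_multi_email(value):
    """True when a field that should hold one e-mail address holds a list of several."""
    return isinstance(value, list) and len(value) > 1


def iter_json_lines(lines):
    """Yield (line_number, record) for every parseable JSON line; skip blanks and junk."""
    for lineno, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            yield lineno, json.loads(line)
        except json.JSONDecodeError:
            continue


def extract_param_emails(record):
    """Collect every params.value.email value in a request record.
    Assumes the Rails-style params list of {"key": ..., "value": ...} entries,
    with a plain dict accepted as a fallback."""
    params = record.get("params", [])
    entries = params if isinstance(params, list) else [{"value": params}]
    found = []
    for entry in entries:
        value = entry.get("value") if isinstance(entry, dict) else None
        if isinstance(value, dict) and "email" in value:
            found.append(value["email"])
    return found


def scan_production_log(lines):
    """Flag /users/password requests whose params.value.email is a list of several addresses."""
    hits = []
    for lineno, rec in iter_json_lines(lines):
        if rec.get("path") != "/users/password":
            continue
        for email in extract_param_emails(rec):
            if is_multi_email(email):
                hits.append({"line": lineno, "remote_ip": rec.get("remote_ip"), "emails": email})
    return hits


def scan_audit_log(lines):
    """Flag PasswordsController#create audit entries whose target_details lists several addresses."""
    hits = []
    for lineno, rec in iter_json_lines(lines):
        if get_path(rec, "meta.caller.id") != "PasswordsController#create":
            continue
        details = rec.get("target_details")
        if is_multi_email(details):
            hits.append({"line": lineno, "targets": details})
    return hits


if __name__ == "__main__":
    # Replace the constructed samples with open("gitlab-rails/production_json.log") etc. on a real host.
    for hit in scan_production_log(SAMPLE_PRODUCTION_LOG.splitlines()):
        print("production_json.log: suspicious reset request", hit)
    for hit in scan_audit_log(SAMPLE_AUDIT_LOG.splitlines()):
        print("audit_json.log: suspicious reset event", hit)
```

A single request that names one address is normal password-recovery traffic and is left alone; only a list of two or more addresses in the same request or audit event is reported, which is exactly the condition the advisory ties to this vulnerability. Any hit should be followed up by checking whether the affected account had two-factor authentication enabled and by rotating its credentials.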

The second vulnerability, CVE-2023-5356, is present in the code for integration with the Slack and Mattermost services and allows executing /-commands as another user because of a missing authorization check. The issue has been assigned a severity level of 9.6 out of 10. The new versions also fix a less dangerous (7.6 out of 10) vulnerability (CVE-2023-4812), which allows bypassing CODEOWNERS approval by adding changes to a previously approved merge request.

Detailed information about the identified vulnerabilities is scheduled to be disclosed 30 days after publication of the fixes. Information about the vulnerabilities was submitted to GitLab as part of its HackerOne vulnerability bounty program.

Source: opennet.ru