A malicious change was made to the node-ipc NPM package that destroys files on systems in Russia and Belarus.

A malicious change has been found in the node-ipc NPM package (CVE-2022-23812): it can overwrite the contents of every file the process has write access to with the character “❤️”. The malicious code runs only when the package is launched on systems whose IP address is located in Russia or Belarus. The node-ipc package has about a million downloads per week and is used as a dependency by 25 packages, including vue-cli. Every project that has node-ipc as a dependency is also affected by the problem.

The malicious code was published to the NPM repository as part of node-ipc releases 10.1.1 and 10.1.2. The malicious change was pushed to the project's Git repository under the project author's name 11 days ago. The code determines the country by calling the api.ipgeolocation.io service. The ipgeolocation.io API key used by the malicious insert has since been revoked.

In the comments on the warning about the appearance of suspicious code, the project's author stated that the change was equivalent to placing a file on the desktop that displays a message calling for peace. In reality, the code performed a recursive search of the directory tree and attempted to overwrite every file it encountered.

node-ipc releases 11.0.0 and 11.1.0 were later published to the NPM repository; they replaced the built-in malicious code with an external dependency, “peacenotwar”, which is controlled by the same author and offered for inclusion to package maintainers who wish to join the protest. The peacenotwar package is said to only display a message about peace, but given the actions the author has already taken, the package's future contents are unpredictable and the absence of harmful changes is not guaranteed.

At the same time, an update to the stable node-ipc 9.2.2 branch, which is used by the Vue.js project, was released. In the new release, in addition to peacenotwar, the colors package was added to the dependency list; its author inserted harmful changes into that package's code in January. The source license of the new release was changed from MIT to DBAD.

Since the author's further actions are unpredictable, node-ipc users are advised to pin the dependency to version 9.2.1. It is also recommended to pin the versions of other projects by the same author, who maintains 41 packages. Other packages maintained by the same author (js-queue, easy-stack, js-message, event-pubsub) have about a million downloads per week.
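The pinning advice above is easy to state and easy to get wrong in practice, because node-ipc can arrive transitively (the page names vue-cli as one path) and a caret range like `^10.1.0` will happily resolve to an affected release. The following script is an added example, not code from the article or from opennet.ru; it audits a constructed `package.json` and an npm lockfile (assumed to be lockfileVersion 2 or 3, whose `packages` map lists every installed copy by path) for node-ipc releases the page names as affected, for node-ipc declarations that are not exactly pinned to 9.2.1, and for the other packages the page attributes to the same maintainer. The sample manifest and lockfile are constructed for the demonstration.

```python
import json
import sys

# Releases the page names as carrying the payload (10.1.1, 10.1.2) or as
# pulling in peacenotwar / colors (11.0.0, 11.1.0, 9.2.2).
AFFECTED_NODE_IPC = {"10.1.1", "10.1.2", "11.0.0", "11.1.0", "9.2.2"}
SAFE_NODE_IPC = "9.2.1"  # version the page recommends pinning to
# Other packages from the same maintainer named on the page.
SAME_AUTHOR = {"peacenotwar", "js-queue", "easy-stack", "js-message", "event-pubsub"}


def name_from_lock_path(path):
    """'node_modules/@vue/cli/node_modules/node-ipc' -> 'node-ipc' (scoped names keep their scope)."""
    return path.rsplit("node_modules/", 1)[-1]


def is_exact_pin(spec):
    """True for '9.2.1'; False for range specs such as '^9.2.1', '~9.2.1', '>=9', '*', 'latest'."""
    return bool(spec) and spec[0].isdigit()


def audit_manifest(pkg):
    """Flag every node-ipc declaration in package.json that is not pinned to exactly 9.2.1."""
    findings = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        spec = pkg.get(section, {}).get("node-ipc")
        if spec is None:
            continue
        if not is_exact_pin(spec) or spec != SAFE_NODE_IPC:
            findings.append((section, spec, f"pin node-ipc to {SAFE_NODE_IPC} exactly"))
    return findings


def audit_lockfile(lock):
    """Walk the lockfile's 'packages' map and report every installed node-ipc copy,
    including transitive ones, plus any package from the same maintainer."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # the empty key is the root project itself
            continue
        name = name_from_lock_path(path)
        version = meta.get("version", "")
        if name == "node-ipc":
            if version in AFFECTED_NODE_IPC:
                findings.append((path, version, f"affected release; downgrade to {SAFE_NODE_IPC}"))
            elif version != SAFE_NODE_IPC:
                findings.append((path, version, f"not the recommended {SAFE_NODE_IPC}; review"))
        elif name in SAME_AUTHOR:
            findings.append((path, version, "same maintainer; pin and review"))
    return findings


# Constructed sample input: a caret range in the manifest, one affected copy at the
# top level, one already-safe transitive copy, and one same-maintainer package.
SAMPLE_MANIFEST = {"dependencies": {"node-ipc": "^10.1.0", "express": "4.18.2"}}
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/express": {"version": "4.18.2"},
        "node_modules/node-ipc": {"version": "10.1.2"},
        "node_modules/@vue/cli/node_modules/node-ipc": {"version": "9.2.1"},
        "node_modules/easy-stack": {"version": "1.0.1"},
    },
}


def main(argv):
    """Usage: audit.py [package.json package-lock.json]; with no arguments the sample data is used."""
    if len(argv) == 3:
        with open(argv[1]) as f:
            manifest = json.load(f)
        with open(argv[2]) as f:
            lock = json.load(f)
    else:
        manifest, lock = SAMPLE_MANIFEST, SAMPLE_LOCK
    for where, value, advice in audit_manifest(manifest) + audit_lockfile(lock):
        print(f"{where}: {value}: {advice}")


if __name__ == "__main__":
    main(sys.argv)
```

Pinning the top-level spec fixes only your own declaration; a transitive copy pulled in by another dependency keeps whatever range that dependency requests, which is why the lockfile walk matters. For npm 8.3 and later, the `overrides` field in `package.json` can force every nested node-ipc to 9.2.1; for older npm or Yarn, the corresponding mechanism is `resolutions`.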

Addendum: other attempts have been recorded to add behaviour to various open-source packages that is unrelated to the applications' actual functionality and is tied to IP addresses or the system locale. The most harmless of these changes (es5-ext, rete, PHP Composer, PHPUnit, Redis Desktop Manager, Awesome Prometheus Alerts, verdaccio, filestash) amount to showing users from Russia and Belarus an appeal to end the war. At the same time, more dangerous cases have also been identified: for example, an encryptor was added to AWS Terraform module packages and political restrictions were introduced into the license. The Tasmota firmware for ESP8266 and ESP32 devices contains a built-in implant that can block the device from operating. Such activity is believed to seriously undermine trust in open-source software.

Source: opennet.ru
