APT vulnerability allows a downloaded package to be substituted

Vulnerability

A vulnerability has been identified in the APT package manager (CVE-2019-3462) that allows an attacker to substitute the package being installed, provided the attacker controls the mirror serving the file or can interfere with the traffic between the user and the repository (a MITM attack).

The problem was identified by security researcher Max Justicz, known for finding vulnerabilities in the APK package manager (Alpine) and in the Packagist, NPM and RubyGems repositories.

The issue is caused by incorrect validation of fields in the HTTP redirect handling code.

What is the problem?

This vulnerability allows an attacker to substitute their own content into the data transmitted within the HTTP session (Debian and Ubuntu use HTTP rather than HTTPS to access the repository, on the assumption that the digital signature over the metadata and package size is sufficient).

The identified vulnerability allows the attacker to replace the transmitted package, after which APT treats it as if it had been received from the legitimate mirror and starts the installation process.

By including in the malicious package scripts that are run during installation, the attacker can achieve execution of their code on the system with root privileges.

To download data from the repository, APT starts a child process that implements a specific transport and communicates with this process using a simple text protocol in which commands are separated by an empty line.

How does the problem arise?

The essence of the problem is that the HTTP transport handler, after receiving a response from the HTTP server with a "Location:" header, requests confirmation of the redirect from the main process,

passing the content of this header in full. Because special characters are not sanitised, the attacker can place a line break inside the "Location:" value.

Since this value is parsed and passed over the communication channel to the main process, the attacker can simulate a different response from the HTTP transport handler and substitute a dummy "201 URI Done" block.

For example, if the attacker substitutes the response when a package is requested, the substitution causes the following data block to be delivered to the main process.

Computing the hashes of downloaded files is handled by the transport, and the main process only checks this data against the database of signed packages.

Among the metadata, the attacker can specify any hash value that appears in the database of signed packages but does not correspond to the files actually downloaded.

The main process accepts the substituted response code, checks the hash against the database and concludes that a package with a valid digital signature has been loaded, even though the hash field was in fact injected into the communication channel with the main process by the attack, together with the file name given in the returned metadata.

The malicious package is delivered by appending the package to the Release.gpg file during transmission.

This file has a predictable location in the file system, and prepending a package to it does not affect the extraction of the repository's digital signature.

When fetching data, APT runs worker processes, one per protocol, that will be used to transfer the data.

The main process then communicates with these workers over stdin/stdout to tell them what to download and where to put it in the file system, using a protocol that looks like HTTP.

The main process first passes its configuration, then requests a resource, and the worker process replies.

When the HTTP server responds with a redirect, the worker process returns a "103 Redirect" instead of "201 URI Done", and the main process uses this response to determine which resource to request next.
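The following is an added example, not code from the page or from APT itself. It models the blank-line-separated text protocol described above between the main process and a transport worker, shows how a "Location:" value containing a line break turns one "103 Redirect" message into two messages (the second being an attacker-chosen "201 URI Done" block), and shows the two checks a defender wants: the worker refusing any redirect target that contains control characters, and the main process recomputing the digest of the bytes actually written to disk rather than trusting the hash field reported by the worker. The URIs, file path and hash value are constructed for the demonstration; the function names are this example's own.

```python
"""Added example: APT-style worker protocol framing, the header-injection
failure mode, and the corresponding checks. Not APT's own code."""
import hashlib

# Constructed URIs for the demonstration (not real repositories).
URI = "http://deb.example/pool/foo.deb"
BENIGN_LOCATION = "http://mirror.example/pool/foo.deb"

# Constructed attacker-controlled Location value: a line break followed by a
# complete fake "201 URI Done" block, as the page describes. The file path and
# the all-zero hash are placeholders.
MALICIOUS_LOCATION = (
    "http://mirror.example/pool/foo.deb\n"
    "\n"
    "201 URI Done\n"
    "URI: " + URI + "\n"
    "Filename: /var/lib/apt/lists/partial/Release.gpg\n"
    "SHA256-Hash: " + "0" * 64 + "\n"
)


def parse_method_messages(stream):
    """Split a worker's stdout into (code, title, headers) messages.

    Framing as the page describes it: a status line 'NNN Title', then
    'Key: value' lines, terminated by an empty line.
    """
    messages = []
    for block in stream.split("\n\n"):
        lines = [line for line in block.split("\n") if line]
        if not lines:
            continue
        code, _, title = lines[0].partition(" ")
        headers = {}
        for line in lines[1:]:
            key, _, value = line.partition(":")
            headers[key.strip()] = value.strip()
        messages.append((int(code), title, headers))
    return messages


def format_redirect(uri, location):
    """Serialise a 103 Redirect message; the Location value is copied verbatim."""
    return "103 Redirect\nURI: %s\nNew-URI: %s\n\n" % (uri, location)


def emit_redirect_unsafe(uri, location):
    """Vulnerable behaviour: forward the server's Location header unchecked."""
    return format_redirect(uri, location)


def header_value_is_safe(value):
    """Reject control characters; CR/LF would terminate or split a message."""
    return all(ord(ch) >= 0x20 and ch != "\x7f" for ch in value)


def emit_redirect_hardened(uri, location):
    """Hardened behaviour: refuse the redirect instead of forwarding a value
    that could be framed as a second protocol message."""
    if not header_value_is_safe(location):
        raise ValueError("refusing redirect: control characters in Location header")
    return format_redirect(uri, location)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_download(file_bytes, expected_hex):
    """Main-process side: recompute the digest from the bytes on disk rather
    than trusting the hash field the worker reported."""
    return sha256_hex(file_bytes) == expected_hex


if __name__ == "__main__":
    unsafe = parse_method_messages(emit_redirect_unsafe(URI, MALICIOUS_LOCATION))
    print("messages the main process sees from one redirect:",
          [(code, title) for code, title, _ in unsafe])
    try:
        emit_redirect_hardened(URI, MALICIOUS_LOCATION)
    except ValueError as exc:
        print("hardened worker:", exc)
```

Run as a script, the unsafe path yields two messages, 103 and 201, from a single redirect, which is the parsing confusion the advisory describes; the hardened path raises before anything reaches the main process. Recomputing the hash on the receiving side is a separate, belt-and-braces measure: it removes the worker from the trust boundary entirely, so a forged hash field alone can no longer make a mismatched file look signed.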

