Vulnerability found in APT that allows substituting a downloaded package

A relevant vulnerability

A vulnerability has been identified in the APT package manager (CVE-2019-3462) that allows an attacker to substitute the package being installed if the attacker controls the repository mirror or can interfere with the traffic between the user and the repository (a MITM attack).

The problem was identified by security researcher Max Justicz, known for finding vulnerabilities in the APK (Alpine) package manager and in the Packagist, NPM and RubyGems repositories.

The problem is caused by incorrect validation of fields in the HTTP redirect handling code.

What is the problem?

This vulnerability allows an attacker to substitute their own content into the data transmitted within the HTTP session (Debian and Ubuntu use HTTP rather than HTTPS to access the repository, on the assumption that the digital signature over the metadata, together with the package size, is sufficient).

The identified vulnerability allows an attacker to substitute the transmitted package, after which APT treats it as received from the legitimate mirror and starts the installation process.

By including in the malicious package scripts that are run during installation, the attacker can achieve execution of their code on the system with root privileges.

To download data from the repository, APT starts a child process that implements a particular transport and interacts with this process using a simple text protocol in which commands are separated by an empty line.

How does the problem occur?

The core of the problem is that the HTTP transport handler, on receiving a response from the HTTP server containing a "Location:" header, asks the main process to confirm the redirect, passing the contents of this header through in full. Because the characters passed through are not sanitized, an attacker can place a line break inside the "Location:" field.

Since this value is decoded and passed over the communication channel to the main process, the attacker can imitate a different response from the HTTP transport handler and insert a fake 201 URI Done block.

For example, if the attacker substitutes the response when a package is requested, this substitution causes the following data block to be passed to the main process.

The computation of hashes for downloaded files is handled by the transport, and the main process simply checks this data against the hashes from the signed package database.

In the metadata, the attacker can specify any value for the verification hashes that are bound in the database to real signed packages, even though they do not actually match the hashes of the transmitted file.

The main process accepts the response code substituted by the attacker, looks up the hash in the database and concludes that a package with a valid digital signature has been downloaded, even though the value of the hash field was actually injected into the communication channel with the main process by the attack, and the file is the one named in the injected metadata.

The malicious package is delivered by attaching it to the Release.gpg file during transmission.

This file has a predictable location in the file system, and prepending a package to it does not affect extraction of the repository's digital signature.

When fetching data, apt spawns dedicated worker processes for the different protocols that will be used to transfer the data.

The main process then communicates with these workers over stdin/stdout to tell them what to download and where to place it in the file system, using a protocol that resembles HTTP.

The main process sends its configuration and then requests a resource, and the worker process responds.

When the HTTP server responds with a redirect, the worker process returns 103 Redirect instead of 201 URI Done, and the main process uses this response to determine which resource to request next.
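The worker/main exchange described above (the blank-line-delimited text protocol, the 103 Redirect and 201 URI Done messages, and the main process trusting the reported hash and the Filename target) can be modelled in a few dozen lines. The following is an added example, not apt's own code and not the actual patch: it is a simplified, constructed reconstruction of the message format, with a worker that forwards the "Location:" value verbatim next to a hardened one that rejects control characters, and a main-process check that recomputes the digest of the file actually written to disk instead of trusting the hash field in the message. The mirror URI, the package bytes and the target path are all constructed placeholders.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Simplified reconstruction (constructed for this example, not apt's code) of the
# worker-to-main message format described on the page: a "NNN Text" status line,
# "Key: Value" header lines, and an empty line that terminates the message.


def parse_messages(stream: str) -> list:
    """Split a worker-to-main stream into messages, one per blank-line-terminated block."""
    messages = []
    for block in re.split(r"\n\s*\n", stream.strip("\n")):
        lines = block.split("\n")
        headers = {}
        for line in lines[1:]:
            key, _, value = line.partition(":")
            headers[key.strip()] = value.strip()
        messages.append({"status": lines[0].strip(), "headers": headers})
    return messages


def redirect_message_vulnerable(uri: str, location: str) -> str:
    """Worker reports a redirect, copying the server's Location value verbatim."""
    return f"103 Redirect\nURI: {uri}\nNew-URI: {location}\n\n"


def redirect_message_hardened(uri: str, location: str) -> str:
    """Same report, but a Location value containing control characters (which could
    end the message early and start a forged one) is rejected instead of forwarded."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in location):
        raise ValueError("control character in Location header")
    return f"103 Redirect\nURI: {uri}\nNew-URI: {location}\n\n"


def verify_fetched_file(path, expected_sha256: str) -> bool:
    """Main-process side check: recompute the digest of the file that actually
    landed on disk instead of trusting the hash field the worker reported."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest() == expected_sha256


def demo() -> dict:
    """Run both sides of the exchange on constructed inputs and report what the
    main process would conclude under each policy."""
    uri = "http://mirror.example/pool/foo.deb"  # constructed, not a real mirror
    genuine = b"bytes of the genuine signed package (constructed)"
    served = b"bytes of a different file that was actually served (constructed)"
    genuine_hash = hashlib.sha256(genuine).hexdigest()

    # A Location value that embeds a blank line followed by a forged status block,
    # as described on the page. The hash is that of the constructed genuine package
    # and the Filename target is a constructed placeholder path.
    injected_location = "\n".join([
        uri,
        "",
        "201 URI Done",
        f"URI: {uri}",
        f"SHA256-Hash: {genuine_hash}",
        "Filename: /path/to/constructed-target",
    ])

    # Vulnerable worker forwards the value verbatim: the main process sees two messages.
    seen = parse_messages(redirect_message_vulnerable(uri, injected_location))

    # Hardened worker refuses to forward it at all.
    try:
        redirect_message_hardened(uri, injected_location)
        hardened_rejected = False
    except ValueError:
        hardened_rejected = True

    # Whatever the forged message claims, the served bytes are what reached the disk.
    with tempfile.NamedTemporaryFile(delete=False) as fh:
        fh.write(served)

    return {
        "messages_seen_by_main": len(seen),
        "forged_status": seen[-1]["status"],
        "hardened_rejected": hardened_rejected,
        # Trusting the reported field: it matches a hash the signed database knows.
        "reported_hash_matches": seen[-1]["headers"].get("SHA256-Hash") == genuine_hash,
        # Recomputing over the real file: it does not match.
        "recomputed_hash_matches": verify_fetched_file(fh.name, genuine_hash),
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints the outcome under each policy: the verbatim worker lets the main process parse a second, forged 201 URI Done message whose reported hash matches a known signed package, while the hardened worker rejects the header and recomputing the digest over the file on disk exposes the mismatch. The two defences are independent, which is the point of checking on both sides of the channel.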

