On 26 March 2019, Magento released security patch PRODSECBUG-2198, which fixes an SQL injection vulnerability. Through that vulnerability an unauthenticated user can execute SQL code, with the possible leakage of sensitive data. We strongly recommend installing the patch as soon as possible.
- PRODSECBUG-2198 details
- CVSSv3 severity: 9 (Critical)
- Known attacks: none
- Description: an unauthenticated user can execute arbitrary code through an SQL injection vulnerability, which causes sensitive data leakage.
- Affected products: Magento Open Source prior to 1.9.4.1 and Magento Commerce prior to 1.14.4.1, Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1
- Fixed in: Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086, Magento 2.1.17, Magento 2.2.8, Magento 2.3.1
- Reporter: cfreal
To install the PRODSECBUG-2198 patch, simply follow the 6 steps below:
- Back up your Magento-based e-commerce site: backing up the Magento store before applying any security patch is a wise step, because your store may run into conflicts with the patch files;
- Download the patch from the Magento site: download the PRODSECBUG-2198 patch from there, choosing the right version for your Magento store, and upload it to your Magento root folder.
- Apply the patch: log in to the server with a shell (ssh) and enter the root folder. Run the following commands:
- Clean your Magento cache: we recommend cleaning the Magento cache after applying the patch. You can do it from the Magento admin panel or run the following commands over SSH:
  - php bin/magento cache:flush
  - php bin/magento cache:clean
- Verify the patch installation: run the following command to check whether the patch was installed correctly:
  - grep '|' app/etc/applied.patches.list
- Remove the patch file: after the patch has been installed successfully, you can delete the .patch file from the Magento root. Run the following commands over SSH to remove it:
Note:
The procedure above, on Magento 2.2 CE, may fail with an error like the following (the .patch file is a diff, and running it with sh makes the shell execute its header lines as commands):
sh PRODSECBUG-2198-2.2-CE.composer-2019-03-27-06-12-19.patch
diff: unrecognized option '--git'
diff: Try 'diff --help' for more information.
PRODSECBUG-2198-2.2-CE.composer-2019-03-27-06-12-19.patch: line 2: index: command not found
PRODSECBUG-2198-2.2-CE.composer-2019-03-27-06-12-19.patch: line 3: -: command not found
To avoid this error, follow the steps below:
- If you use git:
  git apply PRODSECBUG-2198-2.2-CE.composer-2019-03-27-06-12-19.patch
- If you use patch:
  Remove the a/ and b/ prefixes from the paths in the patch file.
  Move the patch file to the Magento root and run patch -p0 < PRODSECBUG-2198-2.2-CE.composer-2019-03-27-06-12-19.patch
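As an added example that is not part of the original post or of Magento's own tooling, a small POSIX sh helper for the steps above: it classifies the .patch file so it is never handed to sh, dry-runs GNU patch with the matching -p level (it handles both git-format and plain diffs, so it goes a little beyond the 2.2 CE case described), and looks a patch ID up in the applied.patches.list record that the grep command reads. It assumes GNU patch is on PATH; all file names and sample lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original post or Magento): helpers for the
# procedure above. A .patch file is a diff, not a script, so it goes through
# patch (or git apply), never sh. Assumes GNU patch on PATH and that
# apply_magento_patch runs from the Magento root; the sample data below is
# constructed for illustration and is not the real PRODSECBUG-2198 patch.

# "git" for git-format diffs (the "diff --git" header that sh reports as
# "unrecognized option"), "plain" for ordinary unified diffs, "none" for
# anything else, e.g. an HTML error page saved under a .patch name.
patch_format() {
    if grep -q '^diff --git ' "$1"; then echo git
    elif grep -q '^+++ ' "$1"; then echo plain
    else echo none
    fi
}

# Strip level for patch: git diffs carry a/ and b/ path prefixes (-p1), plain
# diffs are relative to the Magento root (-p0). Prints -1 for non-diffs.
strip_level() {
    case "$(patch_format "$1")" in
        git)   echo 1 ;;
        plain) echo 0 ;;
        *)     echo -1 ;;
    esac
}

# Dry-run first so a conflicting patch leaves the store untouched; --forward
# makes patch refuse a file that has already been applied.
apply_magento_patch() {
    p=$(strip_level "$1")
    [ "$p" -ge 0 ] || { echo "refusing $1: not a diff" >&2; return 2; }
    patch -p"$p" --forward --dry-run < "$1" >/dev/null || return 1
    patch -p"$p" --forward < "$1"
}

# Look a patch ID up in Magento's pipe-delimited record of applied patches
# (the file the grep '|' command in the article prints).
patch_recorded() {   # patch_recorded LISTFILE PATCH_ID
    grep '|' "$1" | grep -qF -- "$2"
}

# Constructed samples written into DIR: a one-line file, a git-format patch
# for it, and one applied.patches.list entry (field layout is illustrative).
make_samples() {
    printf 'old\n' > "$1/hello.txt"
    printf 'diff --git a/hello.txt b/hello.txt\n--- a/hello.txt\n+++ b/hello.txt\n@@ -1 +1 @@\n-old\n+new\n' > "$1/sample.patch"
    printf '2019-03-28 10:00:00 UTC | PRODSECBUG-2198 | CE_2.2.7 | v1 | constructed\n' > "$1/applied.patches.list"
}
```

Try it with `d=$(mktemp -d); make_samples "$d"; (cd "$d" && apply_magento_patch sample.patch)`; the same call run a second time is refused by --forward instead of re-applying the hunk.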
Ercole Palmeri
Temporary Innovation Manager
September 3, 2019, 7:10 pm