CVE: Possible Organization/Secret Compromise from dangerous CI implementation (www.cvedetails.com)
from le_throosh@lemmy.dbzer0.com to jellyfin@lemmy.ml on 25 Mar 22:30
https://lemmy.dbzer0.com/post/65996465

Strange that there was no comms whatsoever from the team about this

#jellyfin


renegadespork@lemmy.jelliefrontier.net on 25 Mar 22:47

Everyone might want to freeze your Jellyfin versions until this gets sorted. As far as we know, nothing has been hijacked, but safer to sit on your local copies for now.

Link@rentadrunk.org on 25 Mar 23:18

Hasn’t it already been patched? https://github.com/jellyfin/jellyfin-ios/security/advisories/GHSA-7qhm-2m45-7fmh

Patches

CI workflows have been modified in all affected repositories, and secrets have been rotated.

Furthermore, OP's post seems to link to the patch: https://github.com/jellyfin/jellyfin-ios/commit/109217e75f38394b2f6e46e25dfe5a721203d3c8

slacktoid@lemmy.ml on 25 Mar 23:38

This doesn’t affect the code or Jellyfin. It’s a problem with how GitHub does CI that needs to be fixed.

renegadespork@lemmy.jelliefrontier.net on 26 Mar 01:28

I know. My comment stands. Though apparently it was already patched.

noodle@aus.social on 26 Mar 00:41

@renegadespork @le_throosh

"Note: This is not a code vulnerability, but a vulnerability in the GitHub Actions workflows. No new version is required for this GHSA and end users do not need to take any actions."

renegadespork@lemmy.jelliefrontier.net on 26 Mar 01:32

I know. My comment stands. Though apparently it was already patched.

slacktoid@lemmy.ml on 25 Mar 23:39

Note: This is not a code vulnerability, but a vulnerability in the GitHub Actions workflows. No new version is required for this GHSA and end users do not need to take any actions.

From the article

However, maybe it’s time to go back to building from source.