Re: [theia-dev] Committer action needed: Travis-CI secrets leak
/Thomas
------ Original Message ------
From: "Thomas Mäder" <tmader@xxxxxxxxxx>
To: "theia developer discussions" <theia-dev@xxxxxxxxxxx>
Sent: 23/09/2021 11:10:56
Subject: Committer action needed: Travis-CI secrets leak
Hi Theia committers,
you may have heard about a problem in Travis-CI recently [1], [2]. The problem, in short, is that environment variables entered in the Travis-CI UI have been exposed to anyone building a fork of the project with Travis-CI. The leaked credentials have been accessible starting on Sep. 3 up to and including Sep. 10. So if you have a Travis-CI account and have had GitHub credentials stored in Travis-CI in that period, you may be affected.
We're checking that no one has used leaked credentials to inject malicious code into Theia-related GitHub repos. However, to prevent anything from happening in the future, we're asking all committers to delete or rotate their GitHub access tokens.
What you need to do:
1. Please delete or recreate any GitHub tokens that may have been stored on Travis-CI in the affected period.
2. Let us know you've done so (or aren't affected) by filling out this form: https://docs.google.com/forms/d/e/1FAIpQLSd9Uzed0cZkHVn8IqcazukQ2C9jpLhEEa1EFW_4L91Nk-Ny7A/viewform?usp=sf_link
Please do so ASAP, but at least before next Tuesday's community meeting.
Thank you for your cooperation
/Thomas
[1] https://arstechnica.com/information-technology/2021/09/travis-ci-flaw-exposed-secrets-for-thousands-of-open-source-projects/
[2] https://travis-ci.community/t/security-bulletin/12081