Re: [theia-dev] Committer action needed: Travis-CI secrets leak

Hello,

Thomas, during today's community call you asked if Roman and I sent an answer via the Google form.
We're curious: is there any reason why our accounts (among all the others) caught your attention?

Also, could you please share how these answers are going to help with checking that no one
has used leaked credentials to inject malicious code into Theia-related GitHub repositories?
Or is it for a different purpose?

Thanks!


On Tue, Sep 28, 2021 at 5:49 PM Thomas Mäder <tmader@xxxxxxxxxx> wrote:
Folks, if you're a Theia committer (aka one of these people: https://projects.eclipse.org/projects/ecd.theia/who) we're asking you to fill out this form:


/Thomas

------ Original Message ------
From: "Thomas Mäder" <tmader@xxxxxxxxxx>
To: "theia developer discussions" <theia-dev@xxxxxxxxxxx>
Sent: 23/09/2021 11:10:56
Subject: Committer action needed: Travis-CI secrets leak

Hi Theia committers,

you may have heard about a problem in Travis-CI recently [1], [2]. The problem, in short, is that environment variables entered in the Travis-CI UI have been exposed to anyone building a fork of the project with Travis-CI. The leaked credentials have been accessible starting on Sep. 3 up to and including Sep. 10. So if you have a Travis-CI account and have had GitHub credentials stored in Travis-CI in that period, you may be affected.

We're checking that no one has used leaked credentials to inject malicious code into Theia-related GitHub repos. However, to prevent anything from happening in the future, we're asking all committers to delete or rotate their GitHub access tokens.

What you need to do: 

1. Please delete or recreate any GitHub tokens that may have been stored on Travis-CI in the affected period.
2. Let us know you've done so (or aren't affected) by filling out this form: https://docs.google.com/forms/d/e/1FAIpQLSd9Uzed0cZkHVn8IqcazukQ2C9jpLhEEa1EFW_4L91Nk-Ny7A/viewform?usp=sf_link

Please do so ASAP, but at least before next Tuesday's community meeting.

Thank you for your cooperation

/Thomas 




--

Artem Zatsarynnyi

Red Hat

