EUVD-2021-28228

Malicious code in bioql PyPI...

CVE-2021-41077

The activation process in Travis CI, for certain 2021-09-03 through 2021-09-10 builds, causes secret data to have unexpected sharing that is not specified by the customer-controlled .travis.yml file. In particular, the desired behavior if .travis.yml has been created locally by a customer, and...

Unpatched Travis CI API Bug Exposes Thousands of Secret User Access Tokens

An unpatched security issue in the Travis CI API has left tens of thousands of developers' user tokens exposed to potential attacks, effectively allowing threat actors to breach cloud infrastructures, make unauthorized code changes, and initiate supply chain attacks. "More than 770 million logs o...

GitHub Says Recent Attack Involving Stolen OAuth Tokens Was "Highly Targeted"

Cloud-based code hosting platform GitHub described the recent attack campaign involving the abuse of OAuth access tokens issued to Heroku and Travis CI as "highly targeted" in nature. "This pattern of behavior suggests the attacker was only listing organizations in order to identify accounts to...

Attacker Breach ‘Dozens’ of GitHub Repos Using Stolen OAuth Tokens

GitHub revealed details tied to last week’s incident where hackers, using stolen OAuth tokens, downloaded data from private repositories. “We do not believe the attacker obtained these tokens via a compromise of GitHub or its systems because the tokens in question are not stored by GitHub in thei...

GitHub Notifies Victims Whose Private Data Was Accessed Using OAuth Tokens

GitHub on Monday noted that it had notified all victims of an attack campaign, which involved an unauthorized party downloading private repository contents by taking advantage of third-party OAuth user tokens maintained by Heroku and Travis CI. "Customers should also continue to monitor Heroku an...

GitHub Says Hackers Breached Dozens of Organizations Using Stolen OAuth Access Tokens

Cloud-based repository hosting service GitHub on Friday revealed that it discovered evidence of an unnamed adversary capitalizing on stolen OAuth user tokens to unauthorizedly download private data from several organizations. "An attacker abused stolen OAuth user tokens issued to two third-party...

Travis CI Configuration Detected

Travis CI is a Software as a Service SaaS based continuous integration service used to build and test software projects. By defining a configuration file named .travis.yml in their source code repositories, developers can customize their applications build workflows. When exposed with the web...

Travis CI Flaw Exposes Secrets of Thousands of Open Source Projects

Continuous integration vendor Travis CI has patched a serious security flaw that exposed API keys, access tokens, and credentials, potentially putting organizations that use public source code repositories at risk of further attacks. The issue — tracked as CVE-2021-41077 — concerns unauthorized...

CVE-2021-41077

The activation process in Travis CI, for certain 2021-09-03 through 2021-09-10 builds, causes secret data to have unexpected sharing that is not specified by the customer-controlled .travis.yml file. In particular, the desired behavior if .travis.yml has been created locally by a customer, and...

Design/Logic Flaw

The activation process in Travis CI, for certain 2021-09-03 through 2021-09-10 builds, causes secret data to have unexpected sharing that is not specified by the customer-controlled .travis.yml file. In particular, the desired behavior if .travis.yml has been created locally by a customer, and...

CVE-2021-41077

CVE-2021-41077 concerns a Travis CI vulnerability observed during 2021-09-03 to 2021-09-10, where the activation/build process could cause secret data (e.g., signing keys, credentials, API tokens) to be exposed to unauthorized actors that forked public repositories. The issue stemmed from builds ...

CVE-2021-41077

The activation process in Travis CI, for certain 2021-09-03 through 2021-09-10 builds, causes secret data to have unexpected sharing that is not specified by the customer-controlled .travis.yml file. In particular, the desired behavior if .travis.yml has been created locally by a customer, and...

SUSE: Security Advisory (SUSE-SU-2019:2941-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2021 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Security update for wavpack (moderate)

openSUSE Security Update: Security update for wavpack Announcement ID: openSUSE-SU-2021:0154-1 Rating: moderate References: 1091340 1091341 1091342 1091343 1091344 1180414 Cross-References: CVE-2018-10536 CVE-2018-10537 CVE-2018-10538 CVE-2018-10539 CVE-2018-10540 CVE-2018-19840 CVE-2018-19841...

Security update for wavpack (moderate)

openSUSE Security Update: Security update for wavpack Announcement ID: openSUSE-SU-2021:0153-1 Rating: moderate References: 1091340 1091341 1091342 1091343 1091344 1180414 Cross-References: CVE-2018-10536 CVE-2018-10537 CVE-2018-10538 CVE-2018-10539 CVE-2018-10540 CVE-2018-19840 CVE-2018-19841...

SUSE SLED15 / SLES15 Security Update : wavpack (SUSE-SU-2021:0186-1)

This update for wavpack fixes the following issues : Update to version 5.4.0 - CVE-2020-35738: Fixed an out-of-bounds write in WavpackPackSamples bsc1180414 - fixed: disable A32 asm code when building for Apple silicon - fixed: issues with Adobe-style floating-point WAV files - added:...

Internet Bug Bounty: Some build dependencies are downloaded over an insecure channel (without subsequent integrity checks)

Summary: Build jobs mingw64 | openssl-1.1.1d and mingw32 | openssl-1.0.2u download dependencies from build.openvpn.net and www.oberhumer.comover an insecure channel http, not https and do not check their integrity in any way. This opens the door to person-in-the-middle attacks, whereby an attacke...

pwntools

This is an open-source repository for the pwntools project, a Python library for reverse engineering and exploitation. The repository contains various files and workflows for contributing to the project, including issue templates, pull request templates, and workflows for continuous integration a...

openSUSE Security Update : libseccomp (openSUSE-2019-2283)

This update for libseccomp fixes the following issues : Security issues fixed : - CVE-2019-9893: An incorrect generation of syscall filters in libseccomp was fixed bsc1128828 libseccomp was updated to new upstream release 2.4.1 : - Fix a BPF generation bug where the optimizer mistakenly identifie...