EUVD-2021-28228

Malicious code in bioql PyPI...

CVE-2021-41077

The activation process in Travis CI, for certain 2021-09-03 through 2021-09-10 builds, causes secret data to have unexpected sharing that is not specified by the customer-controlled .travis.yml file. In particular, the desired behavior if .travis.yml has been created locally by a customer, and...

Malicious Package

Overview sample-travis-ci is a malicious package. The package's name is based on existing repositories, namespaces, or components used by popular companies in an effort to trick employees into downloading it, also known as 'dependency confusion'. Therefore, you're only vulnerable if this package...

MAL-2022-5921 Malicious code in sample-travis-ci (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 568970137987e9314235b38ecb7007db2b4db3023f6eaf1cacb92983e90f3613 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

Unpatched Travis CI API Bug Exposes Thousands of Secret User Access Tokens

An unpatched security issue in the Travis CI API has left tens of thousands of developers' user tokens exposed to potential attacks, effectively allowing threat actors to breach cloud infrastructures, make unauthorized code changes, and initiate supply chain attacks. "More than 770 million logs o...

GitHub Says Recent Attack Involving Stolen OAuth Tokens Was "Highly Targeted"

Cloud-based code hosting platform GitHub described the recent attack campaign involving the abuse of OAuth access tokens issued to Heroku and Travis CI as "highly targeted" in nature. "This pattern of behavior suggests the attacker was only listing organizations in order to identify accounts to...

Attacker Breach ‘Dozens’ of GitHub Repos Using Stolen OAuth Tokens

GitHub revealed details tied to last week’s incident where hackers, using stolen OAuth tokens, downloaded data from private repositories. “We do not believe the attacker obtained these tokens via a compromise of GitHub or its systems because the tokens in question are not stored by GitHub in thei...

GitHub Notifies Victims Whose Private Data Was Accessed Using OAuth Tokens

GitHub on Monday noted that it had notified all victims of an attack campaign, which involved an unauthorized party downloading private repository contents by taking advantage of third-party OAuth user tokens maintained by Heroku and Travis CI. "Customers should also continue to monitor Heroku an...

GitHub Says Hackers Breached Dozens of Organizations Using Stolen OAuth Access Tokens

Cloud-based repository hosting service GitHub on Friday revealed that it discovered evidence of an unnamed adversary capitalizing on stolen OAuth user tokens to unauthorizedly download private data from several organizations. "An attacker abused stolen OAuth user tokens issued to two third-party...

Travis CI Configuration Detected

Travis CI is a Software as a Service SaaS based continuous integration service used to build and test software projects. By defining a configuration file named .travis.yml in their source code repositories, developers can customize their applications build workflows. When exposed with the web...

Travis CI Flaw Exposes Secrets of Thousands of Open Source Projects

Continuous integration vendor Travis CI has patched a serious security flaw that exposed API keys, access tokens, and credentials, potentially putting organizations that use public source code repositories at risk of further attacks. The issue — tracked as CVE-2021-41077 — concerns unauthorized...

CVE-2021-41077

The activation process in Travis CI, for certain 2021-09-03 through 2021-09-10 builds, causes secret data to have unexpected sharing that is not specified by the customer-controlled .travis.yml file. In particular, the desired behavior if .travis.yml has been created locally by a customer, and...

Design/Logic Flaw

The activation process in Travis CI, for certain 2021-09-03 through 2021-09-10 builds, causes secret data to have unexpected sharing that is not specified by the customer-controlled .travis.yml file. In particular, the desired behavior if .travis.yml has been created locally by a customer, and...

CVE-2021-41077

The activation process in Travis CI, for certain 2021-09-03 through 2021-09-10 builds, causes secret data to have unexpected sharing that is not specified by the customer-controlled .travis.yml file. In particular, the desired behavior if .travis.yml has been created locally by a customer, and...

CVE-2021-41077

CVE-2021-41077 concerns a Travis CI vulnerability observed during 2021-09-03 to 2021-09-10, where the activation/build process could cause secret data (e.g., signing keys, credentials, API tokens) to be exposed to unauthorized actors that forked public repositories. The issue stemmed from builds ...

SUSE: Security Advisory (SUSE-SU-2019:2941-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2021 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

Security update for wavpack (moderate)

openSUSE Security Update: Security update for wavpack Announcement ID: openSUSE-SU-2021:0154-1 Rating: moderate References: 1091340 1091341 1091342 1091343 1091344 1180414 Cross-References: CVE-2018-10536 CVE-2018-10537 CVE-2018-10538 CVE-2018-10539 CVE-2018-10540 CVE-2018-19840 CVE-2018-19841...

Security update for wavpack (moderate)

openSUSE Security Update: Security update for wavpack Announcement ID: openSUSE-SU-2021:0153-1 Rating: moderate References: 1091340 1091341 1091342 1091343 1091344 1180414 Cross-References: CVE-2018-10536 CVE-2018-10537 CVE-2018-10538 CVE-2018-10539 CVE-2018-10540 CVE-2018-19840 CVE-2018-19841...

openSUSE Security Update : wavpack (openSUSE-2021-154)

This update for wavpack fixes the following issues : - Update to version 5.4.0 - CVE-2020-35738: Fixed an out-of-bounds write in WavpackPackSamples bsc1180414 - fixed: disable A32 asm code when building for Apple silicon - fixed: issues with Adobe-style floating-point WAV files - added:...

SUSE SLED15 / SLES15 Security Update : wavpack (SUSE-SU-2021:0186-1)

This update for wavpack fixes the following issues : Update to version 5.4.0 - CVE-2020-35738: Fixed an out-of-bounds write in WavpackPackSamples bsc1180414 - fixed: disable A32 asm code when building for Apple silicon - fixed: issues with Adobe-style floating-point WAV files - added:...