[Ci-users] Fwd: IMPORTANT - ACTION MAY BE NEEDED - TravisCI security issues

Thu Sep 16 16:40:17 UTC 2021
Mark O'Brien <markobri at redhat.com>

Raising awareness here. I am not sure if anyone uses this on our openshift
cluster but better safe than sorry.

---------- Forwarded message ---------
From: Jay Madison <madisonj at redhat.com>
Date: Wed, Sep 15, 2021 at 8:06 PM
Subject: IMPORTANT - ACTION MAY BE NEEDED - TravisCI security issues
To: <announce-list at redhat.com>

Hi all,

TL;DR: If your software development projects use TravisCI, please rotate
your secrets as soon as possible, but by no later than close of business,
September 17th. If you use TravisCI and have seen any first time
contributors between Sep 03 - Sep 10, 2021, follow the steps below in the “What
you need to do” section and contact infosec at redhat.com if you have any
questions.  If you are not involved with software development activities,
using tools such as GitHub, GitLab or CI/CD tooling, this message very
likely does not apply to you, and you may ignore it.

What happened

Travis CI is a hosted continuous integration service used to build and test
software projects hosted on source code repositories such as GitHub.

On September 13, TravisCI released a security bulletin
<https://travis-ci.community/t/security-bulletin/12081>[1] advising that
secret environment variables of any public repositories may have been
leaked. This issue has been designated as CVE-2021-41077[2]

This issue was reported to TravisCI by the community on September 7 and a
patch was deployed by TravisCI on September 10. It is believed that all use
between September 3rd and 10th may have been subject to this vulnerability,
at a minimum. Given the limited information published by the Travis CI
Team, it is impossible to rule out a broader range of potential impact.

Information Security is in the process of scanning known Red Hat
repositories, but we need your help.

What you need to do

If you have a repository that uses TravisCI:


   Rotate your secrets as soon as possible but by no later than close of
   business September 17th.

      Secrets refers to secure environment variables of all public repos
      using TravisCI.  Items such as Signing Keys, Access Credentials, and API

   Check for any external pull requests between September 3rd - 10th.

      This includes first time pull request submitters, and people who
      don’t submit often.

      In particular, look for tags FIRST_TIME_CONTRIBUTOR, FIRST_TIMER, or

   To learn more about specific environment variables that may have been
   exposed, please visit:

   For any pull requests of this nature, check the diff to see if it does
   something unusual, for example, dumping env variables.

   If you are unsure of any of these steps, notice anything unusual, and/or
   unexpected activity please contact infosec at redhat.com.

Thank you for your diligence in helping us keep Red Hat secure. As always,
if there are any concerns, questions, or you wish to report an anomaly or
potential incident, please contact infosec at redhat.com directly.




[1] TravisCI security bulletin:
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41077

Jay Madison
Vice President - Trust, Risk, Assurance & Compliance
Red Hat, Inc.
Forward any comments to mailto:memo-list at redhat.com for open discussion.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.centos.org/pipermail/ci-users/attachments/20210916/7216976d/attachment-0002.html>