Security advisory for builds.sr.ht admins

Instance administrators running builds.sr.ht instances are advised to
upgrade to a py3-srht (core.sr.ht) version 0.66.10 or newer, urgently so
if they also run dispatch.sr.ht for building GitHub pull requests. After
the upgrade, restart the builds.sr.ht service.

An error in a form validation change to py3-srht caused the "secrets"
parameter in the job submission API to be ignored, and always set to
true, causing builds which were requested to have secrets disabled to
run with secrets enabled regardless. dispatch.sr.ht relies on this
behavior to prevent the exfiltration of secrets via malicious GitHub
pull requests. This vulnerability has been present since py3-srht
version 0.66.4, which was released on December 30th.

To evaluate if this vulnerability has been exploited on your instance,
review build jobs which should have had secrets disabled between
December 30th and today, January 19th.