Travis CI vulnerability leaking the secret keys of public repositories

A security issue (CVE-2021-41077) was identified in the Travis CI continuous integration service, which is used to test and build projects hosted on GitHub and Bitbucket. It allowed the contents of the secret environment variables of public repositories using Travis CI to be read. Among other things, the vulnerability exposed keys that Travis CI uses to produce digital signatures, as well as access keys and tokens used to reach APIs.

The issue was present in Travis CI from September 3 to September 10. Notably, details of the vulnerability were sent to the developers on September 7, but the only response received was a recommendation to rotate keys. Having received no adequate reaction, the researchers contacted GitHub and proposed that Travis be blacklisted. The problem was fixed only on September 10, after numerous complaints from other projects. After the incident, a rather odd incident report was published on the Travis CI website: instead of a notice that the vulnerability had been fixed, it contained only a context-free recommendation to rotate access keys periodically.

After many large projects voiced their dissatisfaction with the withholding of information, a more detailed report was published on the Travis CI support forum. It warned that the owner of a fork of any public repository could, by submitting a pull request, trigger a build and gain unauthorized access to the secret environment variables of the original repository, which are set at build time from fields in the ".travis.yml" file or defined through the Travis CI web interface. Such variables are stored in encrypted form and are decrypted only during the build; in normal operation Travis withholds them from pull-request builds that originate from forks, and the bug was that this restriction no longer held. The problem affected only publicly accessible repositories that had forks (private repositories were not affected).
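As an added example (not code from the article, nor from Travis CI itself), the following Python script does the inventory a maintainer of an affected public repository needed after the disclosure window: it lists every encrypted `secure:` value in a constructed `.travis.yml`, with its location in the file, since each of those could have been decrypted in a pull-request build from a fork between September 3 and 10, and it flags plaintext `KEY=value` entries whose names look like credentials. The sample file, the placeholder ciphertext blobs and the function names `audit_travis_yml` and `rotation_plan` are all assumptions made for this example; the scanner is a deliberately small line-oriented walk over the flat structure Travis uses, not a full YAML parser.

```python
import re

# Constructed sample .travis.yml (not taken from the article). The base64-looking
# blobs are placeholders, not real Travis ciphertext.
SAMPLE_TRAVIS_YML = """\
language: python
env:
  global:
    - secure: "Zm9vYmFyYmF6cXV4..."   # encrypted, e.g. a PyPI token
    - AWS_REGION=us-east-1
    - secure: "YW5vdGhlcnNlY3JldA=="
  matrix:
    - DB=postgres
    - DB=sqlite
deploy:
  provider: pypi
  user: release-bot
  password:
    secure: "cHlwaXBhc3N3b3Jk"
notifications:
  slack:
    secure: "c2xhY2t0b2tlbg=="
"""

# `secure: "<ciphertext>"`, either as a list item or as a mapping value.
SECURE_RE = re.compile(r'^secure:\s*["\']?([A-Za-z0-9+/=.]+)["\']?')
# Plaintext `KEY=value` list items under env.
ASSIGN_RE = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)=(.*)$')
# A mapping key that opens a nested block or carries an inline value.
KEY_RE = re.compile(r'^([A-Za-z_][\w-]*):(?:\s|$)')
# Variable names that usually hold credentials (heuristic, assumption).
SENSITIVE_NAME = re.compile(r'(TOKEN|SECRET|PASSWORD|PASSWD|KEY|CREDENTIAL)', re.I)


def audit_travis_yml(text):
    """Line-oriented scan of a .travis.yml.

    Tracks the mapping path by indentation (enough for the flat structure
    Travis uses; this is not a full YAML parser) and returns every encrypted
    `secure:` value with its dotted path, plus plaintext KEY=value env items.
    """
    stack = []        # (indent, key) of the enclosing mapping keys
    encrypted = []    # (dotted_path, ciphertext)
    plaintext = []    # (dotted_path, name, value)
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        # Leaving a nested block: drop keys at the same or a deeper indent.
        while stack and stack[-1][0] >= indent:
            stack.pop()
        body = line.strip()
        is_item = body.startswith("- ")
        if is_item:
            body = body[2:].strip()
        path = ".".join(k for _, k in stack)
        m = SECURE_RE.match(body)
        if m:
            encrypted.append((path, m.group(1)))
            continue
        m = ASSIGN_RE.match(body)
        if m and is_item:
            plaintext.append((path, m.group(1), m.group(2).split("#")[0].strip()))
            continue
        m = KEY_RE.match(body)
        if m and not is_item:
            stack.append((indent, m.group(1)))
    return {"encrypted": encrypted, "plaintext_env": plaintext}


def rotation_plan(findings):
    """Turn the scan into the checklist a maintainer needed after the incident:
    every encrypted value was potentially readable by a fork's PR build, so each
    one must be rotated at its issuer and re-encrypted; plaintext values whose
    names look like secrets were public all along and must be rotated as well."""
    actions = []
    for path, blob in findings["encrypted"]:
        actions.append(f"rotate and re-encrypt secret at {path} ({blob[:8]}...)")
    for path, name, _ in findings["plaintext_env"]:
        if SENSITIVE_NAME.search(name):
            actions.append(f"plaintext secret {name} at {path}: rotate immediately")
    return actions


if __name__ == "__main__":
    for action in rotation_plan(audit_travis_yml(SAMPLE_TRAVIS_YML)):
        print(action)
```

Variables defined through the Travis CI web interface never appear in `.travis.yml`, so they have to be inventoried separately from the repository's settings page; the file scan covers only the half of the exposure that the report attributes to `.travis.yml`.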

Source: budenet.ru