Some repos may give a dependabot warning about a CVE in a PyYAML
dependency:
https://github.com/linux-system-roles/template/security/dependabot/ansible_…
This is due to
https://github.com/linux-system-roles/template/blob/master/ansible_pytest_e…
PyYAML<5.1 ; python_version < "2.7"
I believe the last time I looked at this there was no supported PyYAML
>= version 5.4 for python 2.6.
Note that this only affects CI on python 2.6, and only for those roles
which have modules which require Ansible for unit testing.
If you are seeing this warning on your repo, and you don't need unit
testing using Ansible, just make this file an empty file.
Otherwise, it is safe to ignore this warning.
There was some sort of potential GitHub Actions breach Feb. 4 - Feb. 5
2021. I have been checking what they suggested - I haven't found any
problems. Please double check if you are the maintainer of one of the
repos listed below.
"We’re writing to let you know that an independent bug bounty researcher
recently reported a GitHub Actions bug that, in theory, could have
allowed an unauthorized user to fork a public repository which uses
Actions and perform a series of steps to edit the main branch or use the
GITHUB_TOKEN to perform other unauthorized actions. This bug existed in
a very brief window from February 4 to February 5, 2021.
You are receiving this email because you are an owner of one or more
GitHub organizations or enterprises with a public repository using
Actions, and you had protected and/or unprotected branches that were
vulnerable to this bug.
Repos and workflows with unprotected branches:
linux-system-roles/network
Repos and workflows with protected branches:
linux-system-roles/logging
linux-system-roles/metrics
linux-system-roles/selinux
linux-system-roles/tox-lsr
There is currently no evidence to suggest this was the result of a
compromise of GitHub or any of its systems; instead this was a recently
introduced bug in GitHub Actions. Security, user privacy, and
transparency are essential to maintain your trust; therefore, we are
notifying you of this change, the steps we took, and additional steps we
are taking to address this situation. Read on for more information.
* What happened? *
On February 4, 2021, an independent security researcher notified us of a
bug in GitHub Actions that could allow an attacker to alter parent
repository code or take certain actions using a GITHUB_TOKEN:
https://docs.github.com/en/actions/reference/authentication-in-a-workflow#p…
The GITHUB_TOKEN is revoked after the job is completed, and it expires
after a default 60 minute timeout.
* Which repositories were involved? *
Any parent repository with Actions between February 4, 2021 at 18:42 UTC
and February 5, 2021 at 13:35 UTC could have had their unprotected main
branches edited or experienced misuse of the GITHUB_TOKEN.
* What GitHub is doing *
After learning of this bug on February 5, 2021, GitHub immediately
corrected it, and unauthorized users could no longer make changes to
your repositories or abuse the GITHUB_TOKEN. GitHub identified any
repositories vulnerable during the bug window and contacted all affected
organization owners. We are also performing an internal assessment to
determine how we can better prevent this sort of bug in the future.
* What you can do *
For repositories listed above without branch protection, we recommend
that you audit for both unwanted pull requests and abuse by the
GITHUB_TOKEN.
1. Assess commits made during the bug window, February 4, 2021 18:42 UTC
to February 5, 2021 13:35 UTC.
2. Assess workflow files for unauthorized injection during the bug window.
3. Assess pull_request_target and pull_request workflow runs, and
examine those pull requests during the bug window to look for
unauthorized activity. Ignore pull requests from known users with write
permissions.
4. Assess release history for any that may have been deployed via
unauthorized GITHUB_TOKEN activity during the bug window.
5. Assess package history for any that may have been deployed via
unauthorized GITHUB_TOKEN activity during the bug window.
For repositories listed above with branch protection, we recommend that
you audit for abuse by the GITHUB_TOKEN.
1. Assess release history for any that may have been deployed via
unauthorized GITHUB_TOKEN activity during the bug window.
2. Assess package history for any that may have been deployed via
unauthorized GITHUB_TOKEN activity during the bug window.
Feel free to reach out to us with any additional questions or concerns
through this contact form:
https://support.github.com/contact?subject=GH-0000941-4107-1&tags=GH-000094…"
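Added example (not from the mail above and not linux-system-roles code): a small Python helper for the first two audit steps in GitHub's notice. It reads `git log --name-only` output, keeps only commits whose committer date falls inside the quoted bug window (converting any timezone offset to UTC first), and flags those that change files under .github/workflows/. The SAMPLE_LOG string is constructed, not taken from a real repository.

```python
"""Audit commits made in the GitHub Actions bug window (Feb 4 2021 18:42 UTC to Feb 5 2021 13:35 UTC)."""
import subprocess
from datetime import datetime, timezone

# Window bounds exactly as stated in GitHub's notice; both ends treated as inclusive.
WINDOW_START = datetime(2021, 2, 4, 18, 42, tzinfo=timezone.utc)
WINDOW_END = datetime(2021, 2, 5, 13, 35, tzinfo=timezone.utc)
WORKFLOW_DIR = ".github/workflows/"
SEP = "\x1f"  # ASCII unit separator: never appears in a commit subject or file name
LOG_FORMAT = f"--format=%H{SEP}%cI{SEP}%an{SEP}%s"  # sha, ISO committer date, author, subject

# Constructed sample of `git log --name-only` output in LOG_FORMAT (not from a real repo).
SAMPLE_LOG = "\n".join([
    f"a1{SEP}2021-02-04T20:03:11+01:00{SEP}unknown-user{SEP}ci: tweak", "", ".github/workflows/tox.yml", "",
    f"b2{SEP}2021-02-05T01:00:00-05:00{SEP}maintainer{SEP}docs: fix typo", "", "README.md", "",
    f"c3{SEP}2021-02-05T13:36:00+00:00{SEP}maintainer{SEP}release 1.0", "", "CHANGELOG.md", "",
])


def in_bug_window(iso_ts: str) -> bool:
    """True if an ISO-8601 committer date with any UTC offset falls inside the window."""
    ts = datetime.fromisoformat(iso_ts)
    if ts.tzinfo is None:  # defensive: treat naive timestamps as UTC
        ts = ts.replace(tzinfo=timezone.utc)
    return WINDOW_START <= ts.astimezone(timezone.utc) <= WINDOW_END


def parse_log(text: str) -> list:
    """Split LOG_FORMAT + --name-only output into commits with their touched files."""
    commits, current = [], None
    for line in text.splitlines():
        if SEP in line:  # header line for a new commit
            sha, date, author, subject = line.split(SEP, 3)
            current = {"sha": sha, "date": date, "author": author, "subject": subject, "files": []}
            commits.append(current)
        elif line.strip() and current is not None:  # file name belonging to the current commit
            current["files"].append(line.strip())
    return commits


def suspicious_commits(text: str) -> list:
    """Commits inside the window; each is flagged if it modifies an Actions workflow file."""
    hits = []
    for c in parse_log(text):
        if in_bug_window(c["date"]):
            c["touches_workflow"] = any(f.startswith(WORKFLOW_DIR) for f in c["files"])
            hits.append(c)
    return hits


def audit_repo(path: str = ".") -> list:
    """Run git log over the window (with a day of slack on each side) and return the hits."""
    cmd = ["git", "-C", path, "log", "--all", "--name-only", LOG_FORMAT, "--since=2021-02-03", "--until=2021-02-07"]
    return suspicious_commits(subprocess.run(cmd, capture_output=True, text=True, check=True).stdout)


if __name__ == "__main__":
    for c in audit_repo():
        print("WORKFLOW" if c["touches_workflow"] else "        ", c["sha"][:10], c["date"], c["author"], c["subject"])
```

Commits by known users with write permission still need to be excluded by hand, as the notice says; the script only narrows the list to review.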