Docker Hub compromised


https://news.ycombinator.com/item?id=19763413. May be worth a bulletin to users given the significant use of containers within Unraid.

Could not someone have used the tokens to add themselves to the GitHub repo access, modify some code, and let the auto build do its thing... then we get the "docker has update" notification and those with auto update just pulled a poisoned copy?

For example this was in the wild for a few days and last night I noticed 6 of my dockers had updates pending... worrisome in light of this news.

Sure, but all that's needed is for the authors to change their passwords.

You have a lot more faith than me I guess... some authors likely don't even know this happened or have things in a code complete mode so don't check their GitHub daily.

Guess I'll go check all the recent ones marked as updated and see what exactly changed to relieve my paranoia.

Ultimately, you need to have faith since none of us have any control over it.

39 minutes ago, melmurp said:

Guess I'll go check all the recent ones marked as updated and see what exactly changed to relieve my paranoia.

Good luck with that.

49 minutes ago, melmurp said:

You have a lot more faith than me I guess... some authors likely don't even know this happened or have things in a code complete mode so don't check their GitHub daily.

Guess I'll go check all the recent ones marked as updated and see what exactly changed to relieve my paranoia.

Those accounts that got compromised also got an email asking them to change password and change GitHub API key.

Linuxserver.io did not get any email. Personally I got an email.

7 minutes ago, saarg said:

 

Those accounts that got compromised also got an email asking them to change password and change GitHub API key.

Linuxserver.io did not get any email. Personally I got an email.

I did check and it seems the majority of mine were Linuxserver.io's bot updating dependency libs on the same day this compromise occurred... bad timing :D

Curious why Docker Hub requires write access to the GitHub repo if they're just pulling.

  • Author

A little late replying to my own thread here, but I agree with melmurp. Unraid, and its community, leverage a lot of Docker containers, and just making an assumption that those dev owners who author containers for use on Unraid have taken steps is a bit risky.

I know emails and password resets, including API tokens, have occurred. I may jump over to the community plugin support page to see if they are mitigating this at all. Would make me feel better about it at least.

Archived

This topic is now archived and is closed to further replies.
