repomanz Posted April 28, 2019
https://news.ycombinator.com/item?id=19763413. May be worth a bulletin to users given the significant use of containers within unraid.

Squid Posted April 28, 2019
"https://news.ycombinator.com/item?id=19763413. May be worth a bulletin to users given the significant use of containers within unraid."
Only affects those who create containers, not anyone who only uses them.
Sent via telekinesis

melmurp Posted April 29, 2019
Could not someone have used the tokens to add themselves to the github repo access, modify some code, and let the auto build do its thing... then we get the "docker has update" notification and those with auto update just pulled a poisoned copy? For example this was in the wild for a few days and last night I noticed 6 of my dockers had updates pending... worrisome in light of this news.

Squid Posted April 29, 2019
Sure, but all that's needed is the authors to change their passwords.

melmurp Posted April 29, 2019
You have a lot more faith than me I guess... some authors likely don't even know this happened or have things in a code complete mode so don't check their github daily. Guess I'll go check all the recent ones marked as updated and see what exactly changed to relieve my paranoia.

Squid Posted April 29, 2019
Ultimately, you need to have faith since none of us have any control over it.
39 minutes ago, melmurp said: "Guess I'll go check all the recent ones marked as updated and see what exactly changed to relieve my paranoia."
Good luck with that.

saarg Posted April 29, 2019
49 minutes ago, melmurp said: "You have a lot more faith than me I guess... some authors likely don't even know this happened or have things in a code complete mode so don't check their github daily. Guess I'll go check all the recent ones marked as updated and see what exactly changed to relieve my paranoia."
Those accounts that got compromised also got an email asking them to change password and change github api key. Linuxserver.io did not get any email. Personally I got an email.

melmurp Posted April 29, 2019
7 minutes ago, saarg said: "Those accounts that got compromised also got an email asking them to change password and change github api key. Linuxserver.io did not get any email. Personally I got an email."
I did check and seems the majority of mine were Linuxserver.io's bot updating dependency libs on the same day this compromise occurred... bad timing.
Curious why dockerhub requires write access to github repo if they're just pulling.

repomanz Posted April 30, 2019
Little late replying to my own thread here but agree with melmurp. unraid, and its community, leverage a lot of docker containers and just making an assumption that those dev owners who author containers for use of unraid have taken steps is a bit risky. I know emails, password resets including api tokens have occurred. I may jump over to the community plugin support page to see if they are mitigating this at all. Would make me feel better about it at least.