I was reading about CVE-2025-30066. I must admit that my Git knowledge is close to nil, but if I'm reading the description right, then this CVE is describing a pathway which let bad actors potentially gain keys to other projects in GitHub.

Projects that used the compromised version of *tj-actions/changed-files* between March 12, 2025, 00:00 and March 15, 2025, 12:00 UTC are at high risk. In these cases, sensitive credentials may have been exposed via public logs. [From sysdig.com <https://sysdig.com/blog/detecting-and-mitigating-the-tj-actions-changed-files-supply-chain-attack-cve-2025-30066/>]

And since I know that ISC has projects at GitHub, and I suspect that ISC projects would be a big, fat, juicy target for code injection, I feel like I gotta ask... Is ISC willing to weigh in and say if their projects may have been affected, or if credentials for their projects may have been exposed?


--
Do things because you should, not just because you can.

John Thurston    907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.