ISC, GitHub, and CVE-2025-30066
John Thurston
john.thurston at alaska.gov
Thu Mar 20 16:12:31 UTC 2025
I was reading about CVE-2025-30066. I must admit that my git-knowledge
is close to nil, but if I'm reading the description right then this CVE
is describing a pathway which let bad-actors potentially gain keys to
other projects in GitHub.
> Projects that used the compromised version of
> *tj-actions/changed-files* between March 12, 2025, 00:00 and March 15,
> 2025, 12:00 UTC are at high risk. In these cases, sensitive
> credentials may have been exposed via public logs. [From sysdig.com
> <https://sysdig.com/blog/detecting-and-mitigating-the-tj-actions-changed-files-supply-chain-attack-cve-2025-30066/>]
And since I know that ISC has projects at GitHub, and I suspect that ISC
projects would be a big, fat, juicy target for code injection, I feel
like I gotta ask . . Is ISC willing to weigh in and say if their
projects may have been affected, or if credentials for their projects
may have been exposed?
--
Do things because you should, not just because you can.
John Thurston 907-465-8591
John.Thurston at alaska.gov
Department of Administration
State of Alaska
More information about the bind-users
mailing list