| 1 | +--- |
| 2 | +authors: |
| 3 | + - beckermr |
| 4 | +tags: [security] |
| 5 | +--- |
| 6 | +# Travis CI Security Incident |
| 7 | + |
| 8 | +On September 9, 2021 one of our core devs discovered that artifacts |
| 9 | +building on Travis CI were being uploaded to our conda channel from PRs |
| 10 | +running on forked repositories. A quick investigation revealed that |
| 11 | +Travis CI was passing encrypted secrets to PR builds on forks. Further |
| 12 | +examination of our logs and artifacts indicated that this had been |
| 13 | +happening since about September 3, 2021. This security bug was |
| 14 | +subsequently confirmed by Travis CI. See this |
| 15 | +[CVE](https://nvd.nist.gov/vuln/detail/CVE-2021-41077) for more details |
| 16 | +on this incident. **As far as we know, there were no actual exploits |
| 17 | +against conda-forge which used this vulnerability.** |
| 18 | + |
| 19 | +<!--truncate--> |
| 20 | + |
| 21 | +## Our Response |
| 22 | + |
| 23 | +We took the following steps to respond to this incident. |
| 24 | + |
| 25 | +1. We immediately turned off all builds on Travis CI by suspending the |
| 26 | + Travis CI GitHub App. |
| 27 | +2. We immediately disclosed the bug to Travis CI through our contacts |
| 28 | + there. |
| 29 | +3. Once Travis CI indicated to us that they were ready, we rotated all |
| 30 | + feedstock tokens and later our anaconda.org token for our staging |
| 31 | + channel. The anaconda.org token for the main `conda-forge` channel |
| 32 | + was never disclosed in this incident. Further, only ~70 feedstocks |
| 33 | + had their tokens exposed in this incident. |
| 34 | +4. We examined our artifacts and marked as broken any artifacts that |
| 35 | + were uploaded from PRs. We think we found everything, but we are not |
| 36 | + completely sure. Our criterion for marking things broken was more |
| 37 | + generous than it needed to be. |
| 38 | +5. We issued PRs to rebuild any broken artifacts via our bots. |
| 39 | +6. We put in changes to `conda-smithy` to help prevent inadvertent |
| 40 | + uploads of artifacts from PRs in the future. |
| 41 | + |
| 42 | +## Closing Thoughts & What can you do? |
| 43 | + |
| 44 | +I (MRB) want to recognize the quick work of our core dev team in |
| 45 | +handling this incident. It goes without saying that the public nature of |
| 46 | +`conda-forge`'s infrastructure carries risks. On the other hand, by |
| 47 | +being public, anyone can look and verify our artifact builds. Security |
| 48 | +for `conda-forge` is about reducing risk and we will continue to do our |
| 49 | +best. |
| 50 | + |
| 51 | +Our best defense against security incidents in `conda-forge` is *you*! |
| 52 | +Our feedstock maintainers are in the best position to notice incidents |
| 53 | +and issues. Please responsibly report anything you find to us at |
| 54 | + |
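Review bot: the final sentence of the post ("Please responsibly report anything you find to us at") stops before the contact address, so the closing call to action never says where maintainers should report issues; add the security contact or a link to the project's security policy before merging. Two smaller documentation gaps in the "Our Response" list: step 6 says changes were made to `conda-smithy` to prevent inadvertent uploads from PRs but links to neither the PR nor the setting involved, and step 3 says token rotation waited until Travis CI "indicated to us that they were ready" without stating why the rotation had to wait; one clause explaining that and a link to the conda-smithy change would let readers verify both.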