Note: This is not a code vulnerability, but a vulnerability in the GitHub Actions workflows. No new version is required for this GHSA and end users do not need to take any actions.
From the article
However maybe it's time to going back to build from source.
"Note: This is not a code vulnerability, but a vulnerability in the GitHub Actions workflows. No new version is required for this GHSA and end users do not need to take any actions."
I think its our local copies that might have issues if anything. If there is a threat at all, it would affect releases prior to the cve release not since then. Or yeah, if a possible attacker had gained access they may still have it, but its unlikely that would not have been caught.
To clarify: This is about a possible supply chain attack. The possibility of it. Not about unsafe code in the app or anywhere else. It means that an attacker could have gained access to the ios repo and possibly any other repo. It is fixed now.
I imagine that hostile commits would have been caught by now, as would compromised releases. But the main issue for me is that we are pretty much left in the dark about this. Maybe the team checked everything well and came to the conclusion that this was nothing worry about and was catched before it could do any harm. Which is the most probable scenario I think. Still leaves a bit of a sour taste.
4
CVE: Possible Organization/Secret Compromise from dangerous CI implementation | Spyke
From the article
However maybe it's time to going back to build from source.
Hasn’t it already been patched? https://github.com/jellyfin/jellyfin-ios/security/advisories/GHSA-7qhm-2m45-7fmh
Furthermore, OPs post seems to link to the patch: https://github.com/jellyfin/jellyfin-ios/commit/109217e75f38394b2f6e46e25dfe5a721203d3c8
This doesn't affect the code or jellyfin. Its a problem with how github does CI that needs to be fixed.
@renegadespork @le_throosh
"Note: This is not a code vulnerability, but a vulnerability in the GitHub Actions workflows. No new version is required for this GHSA and end users do not need to take any actions."
I think its our local copies that might have issues if anything. If there is a threat at all, it would affect releases prior to the cve release not since then. Or yeah, if a possible attacker had gained access they may still have it, but its unlikely that would not have been caught.
To clarify: This is about a possible supply chain attack. The possibility of it. Not about unsafe code in the app or anywhere else. It means that an attacker could have gained access to the ios repo and possibly any other repo. It is fixed now.
I imagine that hostile commits would have been caught by now, as would compromised releases. But the main issue for me is that we are pretty much left in the dark about this. Maybe the team checked everything well and came to the conclusion that this was nothing worry about and was catched before it could do any harm. Which is the most probable scenario I think. Still leaves a bit of a sour taste.