Hacker News
new
|
past
|
comments
|
ask
|
show
|
jobs
|
submit
login
anonymars
9 months ago
|
parent
|
context
|
favorite
| on:
Tj-actions/changed-files GitHub Action Compromised...
I don't think that's exactly what happened here: the compromise created new tags but generally the tag consumption relies on semantic versioning
In other words: you specify version 44, the attacker creates 44.1, you're still hosed.
BlackFingolfin
9 months ago
[–]
No you literally can (and the attackers did) change version 44 (the tag for it) to point to a different compromised commmit
anonymars
9 months ago
|
parent
[–]
Yes, you're right. I wasn't able to double-check as the repo was deleted at the time. That said, AIUI making the tags read-only would still often be vulnerable to semantic-version exploitation.
Guidelines
|
FAQ
|
Lists
|
API
|
Security
|
Legal
|
Apply to YC
|
Contact
Search:
In other words: you specify version 44, the attacker creates 44.1, you're still hosed.