CVE-2024-3094 - AutomataCI Countermeasures #27
-
Replies: 8 comments
-
I just completed the routine check.
Right now, Chocolatey is the one I'm superbly worried about most due to their lack of emphasis and facility with securing origin.
-
Any chance to find out Chocolatey?
-
Also, is AutomataCI affected?
-
No. AutomataCI is entirely built using shell scripts. It should not be an earthquake.
I have no idea. Still searching.
-
That bad?
-
You have no idea. I'm likely going to perform direct vendor sourcing for both Homebrew and Chocolatey in the future to remove 1 layer of supply chain. Chocolatey will be my first target. Their community packages are horrible.
-
So generally, AutomataCI users are safe, right?
-
As long as xz and its deployment are NOT side loaded (Homebrew & Chocolatey) and patched with the latest releases, they're fine and they just have to follow their ecosystems' upstream instructions to mitigate the matter.