На прошлой неделе организация The Linux Foundation во время своего мероприятия Open Source Leadership Summit объявила о создании нового фонда для Open Source-проектов. Очередной независимый институт по развитию открытых [и востребованных в индустрии] технологий призван объединить в себе инструменты для DevOps-инженеров, а если быть точнее — для организации и реализации процессов непрерывной доставки, пайплайнов CI/CD. Организацию так и назвали: The Continuous Delivery Foundation (CDF). Читать дальше →
Spinnaker is an open source, multi-cloud continuous delivery platform. Spinnaker has improper permissions allowing pipeline creation & execution. This lets an arbitrary user with access to the gate endpoint to create a pipeline and execute it without authentication. If users haven't setup Role-based access control (RBAC) with-in spinnaker, this enables remote execution and access to deploy almost any resources on any account. Patches are available on the latest releases of the supported branches and…
The Spinnaker template resolution functionality is vulnerable to Server-Side Request Forgery (SSRF), which allows an attacker to send requests on behalf of Spinnaker potentially leading to sensitive data disclosure.
Spinnaker is an open source, multi-cloud continuous delivery platform for releasing software changes, and Spinnaker's Rosco microservice produces machine images. Rosco prior to versions 1.29.2, 1.28.4, and 1.27.3 does not property mask secrets generated via packer builds. This can lead to exposure of sensitive AWS credentials in packer log files. Versions 1.29.2, 1.28.4, and 1.27.3 of Rosco contain fixes for this issue. A workaround is available. It's recommended to use short lived credentials via role…