pcmonk | 4 years ago

I found it interesting that the patch was apparently published before it was exploited: https://twitter.com/kelvinfichter/status/1489050921938132996

astrange | 4 years ago

I wonder how their deployment system works. They should probably be deploying security patches before they land in a public repo.

Also, if it auto deploys from a git repo, then you just need a committer's git keys to exploit it. Having code auditing and multisig git tags has to be rare.
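
What a threshold sign-off gate for a deploy could look like, as an added example that is not from the thread or from any project discussed in it: the deploy job verifies detached ed25519 signatures over the tag name and commit hash against a pinned list of approver public keys, and only proceeds when at least k distinct trusted approvers have signed. The approver names, the message format and the 2-of-3 threshold are assumptions for illustration; git has no built-in multi-signature tags, so this stands in for the "multisig git tags" idea as a CI-side check that repeated approvals from one compromised committer key cannot satisfy.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signer is the public half of one trusted release approver's key.
// In a real pipeline this list would be pinned in the deploy system,
// not fetched from the repository being deployed.
type Signer struct {
	Name string
	Pub  ed25519.PublicKey
}

// Approval is one approver's detached signature over the release message.
type Approval struct {
	Name string
	Sig  []byte
}

// Keypair holds both halves of an approver's key (only for this demo;
// a real approver keeps the private key on their own machine or token).
type Keypair struct {
	Name string
	Pub  ed25519.PublicKey
	Priv ed25519.PrivateKey
}

// NewKeypair generates a fresh ed25519 key for a named approver.
func NewKeypair(name string) Keypair {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Keypair{Name: name, Pub: pub, Priv: priv}
}

// Signer returns the public, pinnable part of the keypair.
func (k Keypair) Signer() Signer { return Signer{Name: k.Name, Pub: k.Pub} }

// Approve signs the release message with this approver's private key.
func (k Keypair) Approve(msg []byte) Approval {
	return Approval{Name: k.Name, Sig: ed25519.Sign(k.Priv, msg)}
}

// ReleaseMessage is what every approver signs: the tag and the commit it
// points at, so an approval cannot be replayed onto a different commit.
// The format is an assumption for this example.
func ReleaseMessage(tag, commit string) []byte {
	return []byte("release " + tag + " " + commit)
}

// CountValidApprovals returns how many distinct trusted approvers produced a
// signature over msg that verifies. Unknown names, signatures that do not
// verify under the named key, and repeated approvals from the same key are
// ignored, so one compromised key cannot reach the threshold on its own.
func CountValidApprovals(trusted []Signer, msg []byte, approvals []Approval) int {
	byName := make(map[string]ed25519.PublicKey, len(trusted))
	for _, s := range trusted {
		byName[s.Name] = s.Pub
	}
	seen := make(map[string]bool)
	for _, a := range approvals {
		pub, ok := byName[a.Name]
		if !ok || seen[a.Name] {
			continue
		}
		if ed25519.Verify(pub, msg, a.Sig) {
			seen[a.Name] = true
		}
	}
	return len(seen)
}

// DeployAllowed is the gate a deploy job evaluates before rolling out the
// commit: at least threshold distinct trusted approvals must verify.
func DeployAllowed(trusted []Signer, threshold int, msg []byte, approvals []Approval) bool {
	return threshold > 0 && CountValidApprovals(trusted, msg, approvals) >= threshold
}

func main() {
	alice, bob, carol := NewKeypair("alice"), NewKeypair("bob"), NewKeypair("carol")
	trusted := []Signer{alice.Signer(), bob.Signer(), carol.Signer()}
	msg := ReleaseMessage("v1.2.3", "0123abcd") // constructed sample tag and commit

	two := []Approval{alice.Approve(msg), bob.Approve(msg)}
	fmt.Println("2-of-3 with alice+bob:", DeployAllowed(trusted, 2, msg, two))

	dup := []Approval{alice.Approve(msg), alice.Approve(msg)}
	fmt.Println("2-of-3 with alice twice:", DeployAllowed(trusted, 2, msg, dup))

	mallory := NewKeypair("mallory")
	forged := []Approval{alice.Approve(msg), {Name: "bob", Sig: mallory.Approve(msg).Sig}}
	fmt.Println("2-of-3 with mallory posing as bob:", DeployAllowed(trusted, 2, msg, forged))
}
```

The gate counts approvers by pinned key, not by the name written on the approval, which is why an approval labelled "bob" but signed with another key does not count. Binding the message to the commit hash also means approvals collected for one commit cannot be reused to push a different one through.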

8note | 4 years ago

Doesn't it have to land in a public repo before it can be patched?

Somebody else is going to run that code publicly, and each person who runs it will find out about the patch with some time delay.

resonious | 4 years ago

Yeah, that definitely smells like someone was watching the commits for a security patch so that they could exploit it quickly before it deploys.