Welcome to another VSHN.timer! Every Monday, 5 links related to Kubernetes, OpenShift, CI / CD, and DevOps; all stuff coming out of our own chat system, making us think, laugh, or simply work better.
This week we’re going to talk about the first security analysis and incident reports published so far in 2023.
1. On January 4th CircleCI published an alert for their customers about a security issue. In a subsequent incident report, they shared what happened, what they’ve learned, and what their plans are to continuously improve CircleCI’s security posture for the future.
2. On January 17th GitHub explained how Git was addressing a pair of security vulnerabilities, CVE-2022-41903, and CVE-2022-23521. Git for Windows was also patched to address an additional, Windows-specific issue known as CVE-2022-41953.
3. Also on January 17th, Tailscale published a security bulletin describing an issue in the Tailscale coordination server, which allowed a malicious individual to share nodes from other tailnets to themselves if they knew the node ID of the target.
4. On January 18th, InfoWorld reported about researchers at Aqua Nautilus finding attackers impersonating popular Visual Studio Code extensions and tricking unknowing developers into downloading them.
5. On January 19th, Bruce Schneier reported an impressive and scathing security analysis of the Threema secure chat application published by a group of Swiss researchers.
Can we trust software, like, at all? What measures have you set in place to protect your infrastructure? Would you like to share your concerns with our readers? Get in touch with us, and see you next week for another edition of VSHN.timer.
PS: check out our previous VSHN.timer editions about Security: #8, #17, #22, #27, #32, #44, #54, #62, #76, #84, #93, #106, #117, #128, #142, #145, and #164.
PS2: do you prefer reading VSHN.timer in your favorite RSS reader? Subscribe to this feed.
PS3: would you like to receive VSHN.timer every Monday in your inbox? Sign up for our weekly VSHN.timer newsletter.