

Weak SSH keys have been revoked by vendors to protect their users

In what could have been considered a cryptographic supply chain security incident in the making, GitLab and other providers have blocked known, weak SSH keys generated through GitKraken.

On October 11, the Axosoft team behind GitKraken, a cross-platform Git GUI client, said in a blog post that the organization uncovered a security flaw in an open source SSH key generation library – keypair – used by the client.

According to GitHub, the software was generating identical RSA keys used in SSH, leading to weak random number generation.

The critical vulnerability, discovered by Axosoft’s Ross Wheeler, is tracked as CVE-2021-41117 and has been issued a CVSS severity score of 8.7.

According to the team, the vulnerability resulted in weak public SSH keys being generated.

The cryptographic library was used in versions 7.6.x, 7.7.x, and 8.0.0 of GitKraken, distributed between May 12 and September 27, 2021.

“Weak keys are created with low entropy, meaning there is a higher probability of key duplication,” GitKraken says.

Users of the software, therefore, may have been generating weak keys and then using them to secure connections to GitHub, GitLab, BitBucket, and Azure DevOps repositories.

In GitKraken’s disclosure, the team says the issue has been resolved as of version 8.0.1 by removing the old dependency and replacing it with a new key generation library.

Users should upgrade to the latest build, but GitKraken cautions that keys generated with the earlier, vulnerable versions of the GUI must still be replaced – a software upgrade alone is not enough.
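The practical consequence of the story above is an audit: any key that could have come from an affected build has to be found and replaced, and the providers named did this by blocking known-weak keys by fingerprint. The Python below is an added example, not code from the article, GitKraken, or any of the providers; it shows that check over an authorized_keys-style list. It computes the OpenSSH-style SHA256 fingerprint of each public key line (the value `ssh-keygen -lf` prints), flags keys that are duplicated across entries (the “key duplication” GitKraken describes), and flags keys whose fingerprint appears on a blocklist. The sample keys are constructed inline from tiny moduli and are not real keys, and the blocklist is built from one of them in place of a provider’s published list.

```python
"""Audit SSH public key entries for duplicated or blocklisted keys (added example)."""
import base64
import hashlib
import struct
from collections import defaultdict


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes in SSH wire format: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (leading zero byte if the high bit is set)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)


def make_rsa_public_key_line(e: int, n: int, comment: str) -> str:
    """Build an OpenSSH 'ssh-rsa' public key line from (e, n).

    Only used here to construct sample input: the moduli below are tiny and are NOT real keys.
    The blob layout (string "ssh-rsa", mpint e, mpint n) is the real ssh-rsa public key format.
    """
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


def ssh_fingerprint(key_line: str) -> str:
    """Return the SHA256 fingerprint of a public key line in the form ssh-keygen -lf prints.

    The fingerprint is SHA-256 over the raw key blob, base64-encoded with padding stripped.
    Simplification: authorized_keys options are skipped by looking for the key-type token, so
    quoted options containing spaces (for example command="...") are not parsed here.
    """
    parts = key_line.split()
    for i, token in enumerate(parts):
        if token.startswith(("ssh-", "ecdsa-", "sk-")) and i + 1 < len(parts):
            blob = base64.b64decode(parts[i + 1])
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("no SSH public key found in line")


def audit_keys(lines, blocklist):
    """Return findings for keys that are blocklisted or appear more than once.

    Each finding is a dict: {"kind": "blocklisted" | "duplicate", "fingerprint": ..., "lines": [...]}.
    Line numbers are 1-based positions in `lines`; blank lines and comments are ignored.
    """
    seen = defaultdict(list)
    findings = []
    for lineno, line in enumerate(lines, 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fp = ssh_fingerprint(line)
        seen[fp].append(lineno)
        if fp in blocklist:
            findings.append({"kind": "blocklisted", "fingerprint": fp, "lines": [lineno]})
    for fp, where in seen.items():
        if len(where) > 1:
            findings.append({"kind": "duplicate", "fingerprint": fp, "lines": where})
    return findings


# Constructed sample data (not real keys). KEY_A and KEY_B share the same key material and differ
# only in the comment, which is what two users hitting the same low-entropy key would look like.
KEY_A = make_rsa_public_key_line(65537, 0xC7A3_5B19_E4D1_0F23, "alice@example")
KEY_B = make_rsa_public_key_line(65537, 0xC7A3_5B19_E4D1_0F23, "bob@example")
KEY_C = make_rsa_public_key_line(65537, 0xB1D2_9E07_3C5A_F881, "carol@example")

SAMPLE_AUTHORIZED_KEYS = [
    KEY_A,                       # line 1
    KEY_B,                       # line 2: same key as line 1
    "# deploy keys below",       # line 3: comment, ignored
    KEY_C,                       # line 4: on the blocklist
]

# Stands in for a provider's list of known-weak fingerprints (constructed from KEY_C above).
KNOWN_WEAK_FINGERPRINTS = {ssh_fingerprint(KEY_C)}


if __name__ == "__main__":
    for finding in audit_keys(SAMPLE_AUTHORIZED_KEYS, KNOWN_WEAK_FINGERPRINTS):
        print(f"{finding['kind']:12} {finding['fingerprint']} lines {finding['lines']}")
```

Fingerprints computed this way match what `ssh-keygen -lf` reports for the same public key, so a list of fingerprints collected from real hosts can be compared directly against a published blocklist; duplicates across unrelated users or hosts are themselves a signal worth investigating, since independently generated keys should never collide.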
