URGENT: possible GitHub-related security issue due to compromised secrets

Dima Pasechnik

Mar 17, 2025, 11:25:05 AM
to sage-release, sage-devel, sage-support, Tobias Diez, sagemath-admins
Dear all,
this is to point out that SageMath is one of the GitHub orgs affected by

"tj-actions changed-files through 45.0.7 allows remote attackers to
discover secrets by reading actions logs"
https://github.com/advisories/GHSA-mrrh-fwg8-r2c3

We are working to fix this in sagemath GitHub org repos
(sagemath/sage, etc)
https://github.com/sagemath/sage/pull/39722

However, if you enabled GitHub Actions on your fork of any of
sagemath's repos, I assume our GitHub secrets might have gotten
compromised too.
So you'd need to disable Actions on your forks for the time being, and
change your secrets/tokens.

Dima
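
Added example, not part of the original message and not SageMath's own tooling: a scanner that finds `uses:` references to the action named in the advisory inside a workflow file and classifies each ref against the "through 45.0.7" range from the advisory title. The sample workflow, the function names and the verdict labels are constructed for illustration.

```python
import re

ACTION = "tj-actions/changed-files"   # action named in the advisory
LAST_AFFECTED = (45, 0, 7)            # "through 45.0.7" per the advisory title

USES_RE = re.compile(r"""^\s*(?:-\s+)?uses:\s*["']?([^@\s"']+)@([^\s"'#]+)""")
VERSION_RE = re.compile(r"v?(\d+)(?:\.(\d+))?(?:\.(\d+))?")

def classify(ref):
    """Classify the part after '@' in a `uses:` reference (labels are constructed)."""
    if re.fullmatch(r"[0-9a-f]{40}", ref):
        return "sha-pinned"            # cannot be ranged offline; review the commit
    m = VERSION_RE.fullmatch(ref)
    if not m:
        return "non-version-ref"       # branch or custom tag; review manually
    given = tuple(int(p) for p in m.groups() if p is not None)
    # A short tag such as v45 can resolve to any 45.x.y release, so compare
    # only the components that were actually written.
    if given <= LAST_AFFECTED[:len(given)]:
        return "in-advisory-range"
    return "above-range"               # outside the stated range only

def scan(workflow_text):
    """Return (line_number, ref, verdict) for each use of ACTION."""
    findings = []
    for no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m and m.group(1).lower() == ACTION:
            findings.append((no, m.group(2), classify(m.group(2))))
    return findings

# Constructed sample workflow, not taken from any sagemath repository.
SAMPLE = """\
on: pull_request
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v45
      - name: older pin
        uses: tj-actions/changed-files@v44.5.2
      - uses: tj-actions/changed-files@v46.0.1
      - uses: tj-actions/changed-files@main
"""

if __name__ == "__main__":
    for no, ref, verdict in scan(SAMPLE):
        print(f"line {no}: {ACTION}@{ref} -> {verdict}")
```

Run it over each file under `.github/workflows/` in a fork; any `in-advisory-range` or `non-version-ref` hit marks a workflow to disable or review before rotating the secrets it could read.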