“We will continue to work toward the highest security standards possible for all of our users.”Īs of now, no repository has found any evidence of exploitation in the wild.įor instructions on how to generate new keys, GitKraken has provided separate guides for GitHub, GitLab, Bitbucket, and Azure DevOps. Best open source Git clients Price Platforms License-Git Extensions-Windows, Linux, MacOS (Linux and Macos up to version 2.5 only)-Magit. “Where possible, the affected keys are now permanently blocked by the Git hosting service providers,” GitKraken says. The Azure DevOps team found a small subset of users “with potentially insecure SSH keys” and has revoked them, informing impacted users in the process. GitLab has emailed customers to make them aware of the issue and has asked self-managed customers to revoke old, GitKraken-generated SSH keys immediately.īitbucket has also launched an investigation and has both revoked and blocked keys, preventing them from being used in the future. The teams have since worked together to invalidate weak SSH keys found in active use. GitKraken reached out to Git hosting providers that could be impacted further down the chain to warn them of the security flaw.
#GITKRAKEN OPEN SOURCE SOFTWARE UPGRADE#
Users should upgrade to the latest build, but GitKraken cautions that if keys were generated through the past, vulnerable versions of the GUI, they still must be replaced – a software upgrade alone is not enough.
In GitKraken’s disclosure, the team says the issue has been resolved as of version 8.0.1 by removing the old dependency and replacing it with a new key generation library. Users of the software, therefore, may have been generating weak keys and then implemented them encrypt connections to the GitHub, GitLab, BitBucket, and Azure DevOps repositories.ĭON’T MISS Nagios XI updated to address trio of security vulnerabilities “Weak keys are created with low entropy, meaning there is a higher probability of key duplication,” GitKraken says. The cryptographic library was implemented in versions 7.6.x, 7.7.x, and 8.0.0 of GitKraken, distributed between May 12 and September 27, 2021.Īccording to the team, the vulnerability resulted in weak, public SSH security keys being generated. Read more of the latest open source software security news The critical vulnerability, discovered by Axosoft’s Ross Wheeler, is tracked as CVE-2021-41117 and has been issued a CVSS severity score of 8.7. On October 11, the Axosoft team behind GitKraken, a cross-platform Git GUI client, said in a blog post that the organization uncovered a security flaw in an open source SSH generation library – keypair – used by the client.Īccording to GitHub, the software was generating identical RSA keys used in SSH, leading to weak random number generation. In what could have been considered a cryptographic supply chain security incident in the making, GitLab and other providers have blocked known, weak SSH keys generated through GitKraken.
To push changes using GitKraken Client’s CLI, open the terminal tab by selecting the Terminal button from the top toolbar. Right-click the branch from the central graph and select Push from the context menu. Weak SSH keys have been revoked by vendors to protect their users Use the Command Palette with the keyboard shortcut command/ctrl + P and then type Push.
0 kommentar(er)
