Security Bulletin

Hey all,

According to a received report, a Public repository forked from another one could file a pull request (standard functionality e.g. in GitHub, BitBucket, Assembla) and while doing it, obtain unauthorized access to secret from the original Public repository with a condition of printing some of the files during the build process. **In this scenario secrets are still encrypted in the Travis CI database.

The issue is valid only for public repositories not Private repositories. (In case of Private repository, Repository Owner has a full control on ability of someone to fork the repository. )

Travis CI implemented a series of security patches starting on Sept 3rd that resolves this issue.

As a reminder, cycling your secrets is something that all users should do on a regular basis. If you are unsure how to do this please contact Support.

Does this bulletin effect me:

  • This Security Bulletin does NOT affect any Private Repositories

  • This Security Bulletin does NOT affect any Public Repositories that were NOT forked

  • If you have a Public Repository that was forked, then there was a possibility that someone from the forked (copied) project might have been able to have seen the original project’s Secret ONLY for a short time while doing a build.

  • The Secret would not have the potential of being seen outside of a build process running given it is encrypted when not in use.

  • Our competitors design and operate similarly with Public Repositories given industry standard 3rd party usage.

  • We updated our servers on Sept 3rd to resolve this potential issue.

  • To date, we found no evidence of unauthorized parties leveraging the potential exposure.

  • We continue to recommend that both Public and Private Repository customers rotate their secrets on a regular basis.

For more information on GitHub secrets rotation please visit the following links:

Travis CI Team.