5 posts tagged with "security"

In the past few months, conda-forge has been engaging with an external security audit in collaboration with the Open Source Technology Improvement Fund (OSTIF). The full results of this audit will be made public once it is complete per OSTIF responsible disclosure policies.

During this process, OSTIF and their contractor uncovered misconfigured infrastructure which exposed the anaconda.org token for the conda-forge channel to all feedstock maintainers. The token was exposed from on or about 2025-02-10 through 2025-04-01. See our GitHub Security Advisory for more details.

On March 29th, 2024, at 18:07 UTC, the core team learnt about the recently disclosed xz backdoor, now labeled as CVE-2024-3094.

To the best of our knowledge, conda-forge's artifacts for xz are not affected.

In June 2023, software engineers from Anaconda have reported a security issue in the uninstallers that are included in the Windows versions of the miniforge and mambaforge installers, one of the main ways to bootstrap conda-forge based conda and mamba distributions.

In early January 2023, CircleCI informed us that they had a large security breach where a third party had gained access to all the environment secrets stored in the service. For conda-forge, these secrets are the API token used to upload built packages to our staging area on anaconda.org and the unique token we generate for each feedstock. The feedstock tokens are used as part of our artifact staging process to ensure that only the maintainers of a given feedstock can upload packages built by that feedstock. Later in January, we were informed by CircleCI that their security breach started on December 19, 2022, with the bulk of the secrets being exfiltrated in plain text from their servers a few days later. A malicious third-party with access to these secrets could potentially upload compromised versions of any package on conda-forge in a so-called "supply chain" attack.

On September 9, 2021 one of our core devs discovered that artifacts building on Travis CI were being uploaded to our conda channel from PRs running on forked repositories. A quick investigation revealed that Travis CI was passing encrypted secrets to PR builds on forks. Further examination of our logs and artifacts indicated that this had been happening since about September 3, 2021. This security bug was subsequently confirmed by Travis CI. See this CVE for more details on this incident. As far as we know, there were no actual exploits against conda-forge which used this vulnerability.