So what do we do? Pin our dependencies (to hashes when possible), and only update when there are CVEs?
But problem is this could lead to abuse of the CVE system to try to force rapid adoption of attacked packages. What prevents this?
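As an added illustration of the "pin to hashes" idea above (example code written for this page, not from any commenter or project), here is a minimal verifier in the spirit of pip's `--hash` requirements mode: it accepts only exact `==` pins, and a fetched artifact is used only if its digest matches one of the pinned hashes. The package name `examplepkg`, its version, and the artifact bytes are constructed placeholders.

```python
"""Hash-pinned dependency verification (added example, not from the thread)."""
import hashlib
import hmac
import re

# Matches pip-style "--hash=<algo>:<hexdigest>" options on a requirements line.
HASH_OPTION = re.compile(r"--hash=([a-z0-9_]+):([0-9a-fA-F]+)")


def parse_pin(line):
    """Split a requirements line into (name, version, [(algo, hexdigest), ...]).

    Only exact '==' pins are accepted; ranges such as '>=' are rejected because
    they let the resolver silently pick a newer, unreviewed release.
    """
    spec = line.split("--hash=", 1)[0].strip()
    if "==" not in spec:
        raise ValueError(f"not an exact pin: {spec!r}")
    name, version = spec.split("==", 1)
    hashes = HASH_OPTION.findall(line)
    if not hashes:
        raise ValueError(f"no --hash pinned for {name.strip()}")
    return name.strip(), version.strip(), [(a, h.lower()) for a, h in hashes]


def verify_artifact(content, hashes):
    """True if content matches at least one pinned digest (pip's semantics).

    hmac.compare_digest gives a constant-time comparison; an algorithm name
    hashlib does not know is treated as "no match" so the check fails closed.
    """
    for algo, expected in hashes:
        if algo not in hashlib.algorithms_available:
            continue
        actual = hashlib.new(algo, content).hexdigest()
        if hmac.compare_digest(actual, expected):
            return True
    return False


# Constructed sample artifacts standing in for a downloaded wheel or tarball.
GOOD_ARTIFACT = b"constructed contents of examplepkg-1.2.3 (hypothetical package)"
TAMPERED_ARTIFACT = GOOD_ARTIFACT + b"\n# bytes that were not in the reviewed release"

# The lockfile line that would have been generated when the package was reviewed.
PINNED_LINE = "examplepkg==1.2.3 --hash=sha256:" + hashlib.sha256(GOOD_ARTIFACT).hexdigest()


def check(line, content):
    """Parse the pin for one requirement and verify the fetched bytes against it."""
    _, _, hashes = parse_pin(line)
    return verify_artifact(content, hashes)


if __name__ == "__main__":
    print("good artifact accepted:", check(PINNED_LINE, GOOD_ARTIFACT))
    print("tampered artifact accepted:", check(PINNED_LINE, TAMPERED_ARTIFACT))
```

The point of the hash, as opposed to the version pin alone, is that a re-published or replaced artifact under the same version number fails the check and the install stops, which is exactly the case the comment above is worried about.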
Run everything as sudo so they can't escalate any further ;)
Do you know if this exploit works on Docker containers? And if so, I assume it just allows escalation WITHIN the container? So this attack is scary for Linux desktops and servers, but a fully containerized system like common on CI/CD should be good. Right?
Nothing :D