From: badgolferman
Newsgroups: misc.phone.mobile.iphone,comp.sys.mac.apps
Subject: Re: Orphaned CocoaPods are found in Apple software
Date: Sat, 6 Jul 2024 20:19:32 -0000 (UTC)

Wolf Greenblatt wrote:
> On Sat, 6 Jul 2024 12:48:23 -0400, Alan Browne wrote:
>
>> ... been asleep most of the week, huh?
>
> How did you find out about this new hole found in millions of mac/iOS apps?
>
> I was looking up Swift documentation for a project when all the hits by
> reverse date show up to be about this vulnerability for mac/iOS apps.
>
> https://forums.appleinsider.com/discussion/236916/vulnerabilities-found-in-swift-repository-left-millions-of-iphone-apps-exposed
> The open-source Swift and Objective-C repository, CocoaPods, had multiple
> vulnerabilities that left millions of iOS and macOS apps exposed for a
> decade
>
> https://thehackernews.com/2024/07/critical-flaws-in-cocoapods-expose-ios.html
> security flaws were uncovered in the CocoaPods dependency manager for Swift
>
> https://www.evasec.io/blog/eva-discovered-supply-chain-vulnerabities-in-cocoapods
> CocoaPods is an open source dependency manager for Swift
>
> https://www.techrepublic.com/article/apple-applications-cocoapods-supply-chain-attack/
> CocoaPods is a dependency manager for Swift and Objective-C projects
>
> The holes are so big they can't be avoided, but why did Apple not find it?

We're being told it's not Apple's job to find security holes in other people's dependencies, so it's not their fault.