DevOps Platform Updates
Latest announcements and changes from GitHub, GitLab, Azure DevOps, Bitbucket, and Atlassian.
Atlassian Patches High-Severity OS Command Injection in Confluence
On March 17, 2026, Atlassian published a security bulletin disclosing multiple vulnerabilities across self-hosted Jira and Confluence products. CVE-2025-64756 is a high-severity OS command injection flaw in Confluence Data Center and Server that allows authenticated attackers to execute arbitrary system commands. Self-managed installations must immediately upgrade to patched versions (11.3.3 LTS or 10.3.18 LTS); Atlassian-hosted cloud products are unaffected, so on-premises Veeam-integrated deployments carry elevated risk.
Azure DevOps Retires Global PATs; New Creation Blocked March 15
Azure DevOps Sprint 270 announces the retirement of Global Personal Access Tokens (PATs), which grant overly broad cross-organization access. As of March 15, 2026, creation and regeneration of global PATs are blocked; all existing tokens will stop working December 1, 2026. Any Veeam connector, backup automation, or CI/CD integration relying on global PATs must migrate to organization-scoped PATs or Microsoft Entra-based authentication to avoid disruption.
CVE-2026-33419: MinIO LDAP Flaw Exposes S3 Buckets to Brute-Force
A vulnerability disclosed March 20, 2026 in MinIO AIStor affects all LDAP-configured deployments. Two chained weaknesses—username enumeration via distinguishable error responses and absent rate limiting on the STS AssumeRoleWithLDAPIdentity endpoint—allow unauthenticated attackers to obtain AWS-style credentials (AccessKeyId, SecretAccessKey, SessionToken) with full S3 access. No fix is currently available, raising immediate risk for DevOps pipelines using MinIO as object storage for build artifacts or backup data.
GitHub Enterprise Server 3.20 GA Ships Built-In Backup Service
GHES 3.20, released March 17, 2026, promotes its managed built-in backup service from public preview to general availability, eliminating the need for a separate host running backup-utils (which is planned for retirement starting in GHES 3.22). The release also adds immutable releases—locking artifact files and tags from post-publication modification—directly strengthening supply chain integrity. These changes affect Veeam customers who back up GHES instances and rely on backup-utils tooling.
Azure DevOps Sprint 270 Adds Audit Log for Push Protection Bypasses
Sprint 270 (March 2026) in Azure DevOps now records secret push protection bypass events in the organization audit log, capturing the repository, secret type, and identity of the bypassing developer. This gives security and compliance teams a complete paper trail for credential-leak incidents, enabling easier policy enforcement and developer coaching. For Veeam, this increases auditability of CI/CD pipelines that handle backup credentials.
GitHub Actions Supports Environments Without Creating Deployments
GitHub Actions' late March 2026 update introduces a deployment: false key for environment definitions, letting workflows consume environment-scoped secrets and variables without generating a GitHub Deployment record. Teams using Actions for backup or restore automation can now isolate environment credentials without polluting the Deployments view. The same release adds IANA timezone support to cron schedules, removing the UTC-only restriction.