Vulnerability in 0.9.0b1 through 0.9.0b4
Dustin J. Mitchell
dustin at buildbot.net
Thu Oct 29 02:13:51 UTC 2015
I'm sorry to have to announce a security vulnerability in recent beta
versions of Buildbot. The Buildbot WWW service publishes most of
c['www'] to the web frontend so that it can use that data for
configuration. Unfortunately, when hooks are configured, that data may
contain secrets for those hooks.
Note that no full release versions of Buildbot are affected, and users
not using web hooks are not affected.
Buildbot-0.9.0b5 contains the fix in pull request 1891. All users who
have deployed a 0.9.0 beta with web hooks containing secrets are
encouraged to update and to rotate their secrets. Packages are
available from pypi, or linked from
Pieter Lexis discovered this bug and reported it per the Security process.
More information about the announce