[Buildbot-devel] [SECURITY ALERT] Additional XSS vulnerabilities fixed

Dustin J. Mitchell dustin at zmanda.com
Fri Aug 14 20:46:16 UTC 2009


SUMMARY

In addition to the XSS vulnerability announced on August 12, several
other such vulnerabilities were discovered in other portions of the
Buildbot web status, by Nicolas Sylvain and Nicolás Alvarez.  The
severity of these vulnerabilities is no different from that announced
on August 12, except that the vulnerabilities are not limited to the
waterfall view.

All affected users are urged to upgrade or apply the patches given in
the MITIGATION section, below.

This vulnerability does not affect Buildbot slaves.

AFFECTED VERSIONS

 buildbot-0.7.6
 buildbot-0.7.7
 buildbot-0.7.8
 buildbot-0.7.9
 buildbot-0.7.10
 buildbot-0.7.10p1
 buildbot-0.7.11
 buildbot-0.7.11p1
 buildbot-0.7.11p2

UNAFFECTED VERSIONS

 buildbot-0.7.5 and earlier
 buildbot-0.7.11p3

MITIGATION

Users of buildbot-0.7.11 (at any patch level) are encouraged to
upgrade to buildbot-0.7.11p3, which contains fixes for all
vulnerabilities in this alert and in the August 12 alert.  See below.
Users of previous versions should apply the following patches:

buildbot-0.7.10p1:
  http://github.com/djmitche/buildbot/commit/822bd5600f8ea577dcb24efe8d7886c66946ac94.patch
  http://github.com/djmitche/buildbot/tree/buildbot-0.7.10p2
buildbot-0.7.9:
  http://github.com/djmitche/buildbot/commit/7367766b6570fdbfd60bfeb3bdbd80dc573a09a1.patch
  http://github.com/djmitche/buildbot/tree/buildbot-0.7.9p1
buildbot-0.7.8:
  http://github.com/djmitche/buildbot/commit/31946bda9f77edc3d11ea78a7513a7a3bb6bb2b2.patch
  http://github.com/djmitche/buildbot/tree/buildbot-0.7.8p1
buildbot-0.7.7:
  http://github.com/djmitche/buildbot/commit/3f1b9dc68ee956afb772d339951331ed0d32d285.patch
  http://github.com/djmitche/buildbot/tree/buildbot-0.7.7p1

NEW RELEASE

Buildbot-0.7.11p3 is now released and available for download on pypi:

 http://pypi.python.org/pypi/buildbot/0.7.11p3

This release is equivalent to release 0.7.11p1 with the patches
described here as well as the patch from the August 12 alert.

File checksums are as follows.  This buildbot release is signed by my
GPG public key (7F0D15B1) (available from keyservers):

 buildbot-0.7.11p3.tar.gz
 md5: 6e4ef001d11caf270e2ed7d1d7d43318

 buildbot-0.7.11p3.zip
 md5: dccc17e201ee1bc20e12fbaad1ffcff2

Dustin

-- 
Open Source Storage Engineer
http://www.zmanda.com
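The NEW RELEASE section above publishes MD5 checksums and states that the release is signed with the author's GPG key. The script below is an added example of how a user could check a downloaded 0.7.11p3 archive against those published values before installing; it is not part of the advisory or of Buildbot itself. It assumes `md5sum` (or `openssl`) is on PATH, that a detached signature, if the user has fetched one, sits beside the archive with an `.asc` suffix (an assumption; the alert does not say where the signature is published), and that `gpg` is available for the signature check. The MD5 comparison catches a corrupted or substituted download only against an attacker who does not control the checksum list too, so the GPG verification is the check that actually ties the file to the author's key.

```shell
#!/bin/sh
# Added example, not from the advisory or the Buildbot project: verify a
# downloaded Buildbot 0.7.11p3 archive against the MD5 digests published
# in the alert, then verify a detached GPG signature if one is present.

# Checksums exactly as published in the advisory above.
EXPECTED_MD5="
buildbot-0.7.11p3.tar.gz 6e4ef001d11caf270e2ed7d1d7d43318
buildbot-0.7.11p3.zip dccc17e201ee1bc20e12fbaad1ffcff2
"

# md5_of FILE: print the hex MD5 digest of FILE using whichever tool exists.
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 "$1" | sed 's/.*= *//'
    fi
}

# verify_md5 FILE EXPECTED: succeed only if FILE's digest equals EXPECTED.
verify_md5() {
    actual=$(md5_of "$1")
    [ "$actual" = "$2" ]
}

# expected_md5 NAME: print the published digest for an archive name;
# print nothing and fail for names the advisory does not list.
expected_md5() {
    echo "$EXPECTED_MD5" |
        awk -v n="$1" '$1 == n { print $2; found = 1 } END { exit !found }'
}

# check_release FILE: compare FILE against the digest published for its
# basename, then run gpg over FILE.asc (assumed naming) when it exists.
# Returns 0 on success, 1 on a mismatch or bad signature, 2 for unknown names.
check_release() {
    file=$1
    name=$(basename "$file")
    expected=$(expected_md5 "$name") || {
        echo "no published checksum for $name"
        return 2
    }
    if verify_md5 "$file" "$expected"; then
        echo "md5 OK: $name"
    else
        echo "md5 MISMATCH: $name (expected $expected, got $(md5_of "$file"))"
        return 1
    fi
    if [ -f "$file.asc" ] && command -v gpg >/dev/null 2>&1; then
        # The key id 7F0D15B1 comes from the advisory; fetch it from a
        # keyserver first so gpg can verify rather than only report "no key".
        gpg --verify "$file.asc" "$file" || return 1
    else
        echo "no signature checked for $name (no $name.asc or no gpg)"
    fi
}

# Usage: sh verify_buildbot.sh buildbot-0.7.11p3.tar.gz
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        check_release "$f" || exit 1
    done
fi
```

`check_release` distinguishes an unlisted file name (exit 2) from a digest mismatch (exit 1), so a wrapper script can tell "I downloaded the wrong thing" apart from "the thing I downloaded was altered".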