[Buildbot-devel] Additional XSS vulnerabilities fixed

Steve 'Ashcrow' Milner smilner at redhat.com
Mon Aug 17 18:07:26 UTC 2009


On 14/08/09 16:46 -0400, Dustin J. Mitchell wrote:
>SUMMARY
>
>In addition to the XSS vulnerability announced on August 12, several
>other such vulnerabilities were discovered in other portions of the
>Buildbot web status, by Nicolas Sylvain and Nicolás Alvarez.  The
>severity of these vulnerabilities is no different than that announced
>on August 12, except that the vulnerabilities are not limited to the
>waterfall view.
>
>All affected users are urged to upgrade or apply the patches given in
>the MITIGATION section, below.
>
>This vulnerability does not affect Buildbot slaves.
>
>AFFECTED VERSIONS
>
> buildbot-0.7.6
> buildbot-0.7.7
> buildbot-0.7.8
> buildbot-0.7.9
> buildbot-0.7.10
> buildbot-0.7.10p1
> buildbot-0.7.11
> buildbot-0.7.11p1
> buildbot-0.7.11p2
>
>UNAFFECTED VERSIONS
>
> buildbot-0.7.5 and earlier
> buildbot-0.7.11p3
>
>MITIGATION
>
>Users of buildbot-0.7.11 (at any patch level) are encouraged to
>upgrade to buildbot-0.7.11p3, which contains fixes for all
>vulnerabilities in this alert and in the August 12 alert.  See below.
>Users of previous versions should apply the following patches:
>
>buildbot-0.7.10p1:
>  http://github.com/djmitche/buildbot/commit/822bd5600f8ea577dcb24efe8d7886c66946ac94.patch
>  http://github.com/djmitche/buildbot/tree/buildbot-0.7.10p2
>buildbot-0.7.9:
>  http://github.com/djmitche/buildbot/commit/7367766b6570fdbfd60bfeb3bdbd80dc573a09a1.patch
>  http://github.com/djmitche/buildbot/tree/buildbot-0.7.9p1
>buildbot-0.7.8:
>  http://github.com/djmitche/buildbot/commit/31946bda9f77edc3d11ea78a7513a7a3bb6bb2b2.patch
>  http://github.com/djmitche/buildbot/tree/buildbot-0.7.8p1
>buildbot-0.7.7:
>  http://github.com/djmitche/buildbot/commit/3f1b9dc68ee956afb772d339951331ed0d32d285.patch
>  http://github.com/djmitche/buildbot/tree/buildbot-0.7.7p1
>
>NEW RELEASE
>
>Buildbot-0.7.11p3 is now released and available for download on pypi:
>
> http://pypi.python.org/pypi/buildbot/0.7.11p3
>
>This release is equivalent to release 0.7.11p1 with the patches
>described here as well as the patch from the August 12 alert.
>
>File checksums are as follows.  This buildbot release is signed by my
>GPG public key (7F0D15B1) (available from keyservers):
>
> buildbot-0.7.11p3.tar.gz
> md5: 6e4ef001d11caf270e2ed7d1d7d43318
>
> buildbot-0.7.11p3.zip
> md5: dccc17e201ee1bc20e12fbaad1ffcff2
>
>Dustin
>
>-- 
>Open Source Storage Engineer
>http://www.zmanda.com

Updates submitted to Fedora testing.

F11: https://admin.fedoraproject.org/updates/F11/FEDORA-2009-8516
F10: https://admin.fedoraproject.org/updates/F10/FEDORA-2009-8577

-- 
kthxbye!
Steve 'Ashcrow' Milner
Agent of Infosec
IRC: ashcrow
GnuPG ID: 28DFD4BE

"In the heat of conversation I may have said certain things I believe 
to be untrue. The alleged lie that you might have heard me saying 
allegedly moments ago ... that's a parasite that lives in my neck." 
     -- Tad Ghostal
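The advisory above publishes MD5 digests for the 0.7.11p3 archives and names the signing key (7F0D15B1). The following is an added example, not part of the advisory, the thread, or Buildbot itself: a small POSIX shell helper that checks a downloaded archive against those published digests and, if a detached signature file is present, runs `gpg --verify` on it. The `.asc` file name beside the archive and an already-imported signing key are assumptions; the digests and key ID are copied from the advisory text.

```shell
#!/bin/sh
# Added example (not from the advisory or from Buildbot): verify a downloaded
# buildbot-0.7.11p3 archive against the checksums published in the advisory
# before unpacking it. Assumptions: the archive is a local file and, if a
# detached signature was fetched with it, that signature is named <archive>.asc.

# Digests and key ID copied from the advisory text.
MD5_TGZ=6e4ef001d11caf270e2ed7d1d7d43318
MD5_ZIP=dccc17e201ee1bc20e12fbaad1ffcff2
SIGNING_KEY=7F0D15B1

# Print the MD5 of a file, using whichever tool the platform provides
# (md5sum on GNU/Linux, md5 -q on BSD/macOS).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Return 0 if the file's MD5 equals the expected digest, 1 otherwise.
check_md5() {
    actual=$(md5_of "$1") || return 1
    [ "$actual" = "$2" ]
}

# Print the published digest for a known release file name; return 1 if the
# name is not one the advisory lists.
expected_md5() {
    case "$1" in
        buildbot-0.7.11p3.tar.gz) echo "$MD5_TGZ" ;;
        buildbot-0.7.11p3.zip)    echo "$MD5_ZIP" ;;
        *) return 1 ;;
    esac
}

# Verify one archive: digest against the advisory first, then the GPG
# signature if a detached <archive>.asc exists (assumed file name; the key
# 7F0D15B1 must already be in the local keyring for gpg to accept it).
verify_release() {
    file=$1
    want=$(expected_md5 "$(basename "$file")") || {
        echo "no published checksum for $file" >&2
        return 1
    }
    if ! check_md5 "$file" "$want"; then
        echo "MD5 mismatch for $file" >&2
        return 1
    fi
    echo "MD5 ok: $file"
    if [ -f "$file.asc" ]; then
        gpg --verify "$file.asc" "$file" || return 1
    else
        echo "no detached signature found for $file; obtain one and verify it against key $SIGNING_KEY" >&2
    fi
}

# Usage: verify_release buildbot-0.7.11p3.tar.gz
```

The MD5 comparison only tells you the download is the file the release manager hashed, not that the release manager produced it; an attacker who can alter the archive on a mirror can alter a published MD5 line on the same page. The GPG verification against key 7F0D15B1 is the step that actually ties the archive to the advisory's author, so treat a missing signature as a warning rather than a pass.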