[users at bb.net] [ANNOUNCE] Vunerability in 0.9.0 betas

Dustin J. Mitchell dustin at buildbot.net
Thu Oct 22 13:20:59 UTC 2015


The Buildbot WWW service publishes most of c['www'] to the web frontend so
that it can use that data for configuration. Unfortunately, when hooks are
configured, that data may contain secrets for those hooks.

The data is contained in the HTML document fetched from the root of the
service. For example:

dustin at hopper ~ $ curl nine.buildbot.net
...{"authz": {}, "avatar_methods": {"name": "gravatar"}, "titleURL":
"http://buildbot.net/", "versions": [ ["Python", "2.7.10"],
["Buildbot", "0.9.0b4"], ["Twisted", "15.4.0"] ], "title": "Buildbot",
"logfileName": "http.log", "user": {"anonymous": true}, "plugins":
{"waterfall_view": {}}, "buildbotURL": "http://nine.buildbot.net/",
"multiMaster": false, "auth": {"name": "NoAuth"}, "port":

The immediate solution is to omit the change_hook_dialects key, preventing
the disclosure of this key - see ​
https://github.com/buildbot/buildbot/pull/1891. The longer-term fix is to
whitelist the configuration keys published - see #3374

Buildbot-0.9.0b5 contains the fix in pull request 1891. All users who have
deployed a 0.9.0 beta with web hooks containing secrets are encouraged to
update and to rotate their secrets. Packages are available at

   - ​https://pypi.python.org/pypi/buildbot/0.9.0b5
   - ​https://pypi.python.org/pypi/buildbot-slave/0.9.0b5
   - ​https://pypi.python.org/pypi/buildbot-pkg/0.9.0b5
   - ​https://pypi.python.org/pypi/buildbot-www/0.9.0b5
   - ​https://pypi.python.org/pypi/buildbot-console-view/0.9.0b5
   - ​https://pypi.python.org/pypi/buildbot-waterfall-view/0.9.0b5
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.buildbot.net/pipermail/users/attachments/20151022/b90a71be/attachment.html>

More information about the users mailing list