In addition to the XSS vulnerability announced on August 12, several other such vulnerabilities were discovered in other portions of the Buildbot web status, by Nicolas Sylvain and Nicolás Alvarez. The severity of these vulnerabilities is no different that that announced on August 12, except that the vulnerabilities are not limited to the waterfall view.
All affected users are urged to upgrade or apply the patches given in the MITIGATION section, below.
This vulnerability does not affect Buildbot workers.
- buildbot-0.7.5 and earlier
- buildbot-0.7.12 and later
Users of buildbot-0.7.11 (at any patch level) are encouraged to upgrade to buildbot-0.7.11p3, which contains fixes for all vulnerabilities in this alert and in the August 12 alert. Users of previous versions should apply the following patches: