wiki:SecurityAlert0711

In addition to the XSS vulnerability announced on August 12, several other such vulnerabilities were discovered in other portions of the Buildbot web status by Nicolas Sylvain and Nicolás Alvarez. The severity of these vulnerabilities is no different from that announced on August 12, except that the vulnerabilities are not limited to the waterfall view.

All affected users are urged to upgrade or apply the patches given in the Mitigation section below.

This vulnerability does not affect Buildbot workers.

Affected Versions

  • buildbot-0.7.6
  • buildbot-0.7.7
  • buildbot-0.7.8
  • buildbot-0.7.9
  • buildbot-0.7.10
  • buildbot-0.7.10p1
  • buildbot-0.7.11
  • buildbot-0.7.11p1
  • buildbot-0.7.11p2

Unaffected Versions

  • buildbot-0.7.5 and earlier
  • buildbot-0.7.11p3
  • buildbot-0.7.12 and later

Mitigation

Users of buildbot-0.7.11 (at any patch level) are encouraged to upgrade to buildbot-0.7.11p3, which contains fixes for all vulnerabilities in this alert and in the August 12 alert. Users of previous versions should apply the following patches:

Last modified on Jan 4, 2017, 2:20:50 AM