wiki:SecurityAlert081

Amber Yust has discovered and fixed several cross-site scripting vulnerabilities in the Buildbot console. These vulnerabilities allow an attacker to craft a URL targeting a specific Buildbot instance and run arbitrary browser-side code in the context of that Buildbot instance. This constitutes a security risk both for the Buildbot instance and for any other services hosted on the same domain as that Buildbot instance, and is a particular threat when browsers' same-origin policy is used to protect sensitive information such as cookies.

Note that Buildbot itself does not use cookies (even in the IAuth framework), so the risk for a standalone Buildbot instance is somewhat limited. Even so, all users are urged to upgrade or apply the patch given in the MITIGATION section, below.

The vulnerabilities are limited to the console view, and do not affect Buildbot slaves.

Affected Versions

buildbot-0.8.0
buildbot-0.8.1

Unaffected Versions

all earlier versions

MITIGATION

All users of Buildbot are urged to patch their installations. Patches are available for both affected versions, as are patched source packages, in the following directories:

Each of the source packages is identical to the previous release with the sole addition of the patch to fix this vulnerability.

File checksums are as follows. The corresponding tags in git are signed by my GPG public key (7F0D15B1) (available from keyservers), as are the .asc files available on SourceForge.