Amber Yust has discovered and fixed several cross-site scripting vulnerabilities in the Buildbot console. This vulnerability allows an attacker to craft a URL targetting a specific Buildbot instance, and run arbitrary browser-side code in the context of that Buildbot instance. This constitutes a security risk both for the Buildbot instance and for any other services hosted on the same domain as that Buildbot instance, and is a particular threat when browsers' same-origin policy is used to protect sensitive information such as cookies.

Note that Buildbot itself does not use cookies (even in the IAuth framework), so the risk for a standalone buildbot instance is somewhat limited. Even so, all users are urged to upgrade or apply the patch given in the MITIGATION section, below.

The vulnerabilities are limited to the console view, and do not affect Buildbot workers.

Affected Versions

buildbot-0.8.0 buildbot-0.8.1

Unaffected Versions

all earlier versions


All users of Buildbot are urged to patch their installations. Patches are available for both affected versions, as are patched source packages, in the following directories:

Each of the source packages are identical to the previous release with the sole addition of the patch to fix this vulnerability.

File checksums are as follows. The corresponding tags in git are signed by my GPG public key (7F0D15B1) (available from keyservers), as are the .asc files available on SourceForge.

  • a35b4b2e01f94badbb6c80af907e4c64 buildbot-0.8.0p1.tar.gz
  • ebf8fe23518fcc3bdd763b98ab9b03c4
  • fc12c0e94e246b9b12c80a0baf72de08 buildbot-0.8.1p1.tar.gz
  • d0cc794554636c7c053b4bd1f16dfd7f
  • c59101ca454111d3c56d2da37a79171d buildbot-slave-0.8.1p1.tar.gz
  • 37dedf2a0d09e4037e9a566dfe817427
Last modified 3 months ago Last modified on Jan 4, 2017, 2:20:26 AM