Changes between Version 1 and Version 2 of SecurityAlert090b4


Timestamp:
Oct 22, 2015, 1:23:09 PM (3 years ago)
Author:
dustin

  • SecurityAlert090b4

    v1 v2  
     1= Problem =
     2
    13The Buildbot WWW service publishes most of `c['www']` to the web frontend so that it can use that data for configuration.  Unfortunately, when hooks are configured, that data may contain secrets for those hooks.
    24
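Review bot: the Problem paragraph should name the configuration key that actually carries the secrets (`change_hook_dialects`, per the solution paragraph further down), so an operator can check their own `c['www']` for it before reading on rather than having to infer it from the fix.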
     
    810}}}
    911
    10 The immediate solution is to omit the `change_hook_dialects` key, preventing this disclosure key - see https://github.com/buildbot/buildbot/pull/1891.  The longer-term fix is to whitelist the configuration keys published - see #3374.
     12The immediate solution is to omit the `change_hook_dialects` key, preventing the disclosure of this key - see https://github.com/buildbot/buildbot/pull/1891.  The longer-term fix is to whitelist the configuration keys published - see #3374.
    1113
    12 Buildbot-0.9.0b5 contains the fix in pull request 1891.  All users who have deployed a 0.0.0 beta with web hooks containing secrets are encouraged to update and to rotate their secrets.  Packages are available at
     14= Recommended Fix =
     15
     16Buildbot-0.9.0b5 contains the fix in pull request 1891.  All users who have deployed a 0.9.0 beta with web hooks containing secrets are encouraged to update and to rotate their secrets.  Packages are available at
    1317
    1418 * https://pypi.python.org/pypi/buildbot/0.9.0b5
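Review bot: the affected range is still implicit in the v2 text; since the fix ships in 0.9.0b5, say outright that every earlier 0.9.0 beta (up to and including 0.9.0b4, as the alert's name implies) with `change_hook_dialects` configured is affected, so operators can match their deployed version against it. The "rotate their secrets" advice also deserves its reason stated: the Problem section says the values were published to the web frontend, so anyone who could load the frontend may already have read them, and upgrading alone does not undo that.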
     
    1822 * https://pypi.python.org/pypi/buildbot-console-view/0.9.0b5
    1923 * https://pypi.python.org/pypi/buildbot-waterfall-view/0.9.0b5
     24
     25= Credit =
     26
     27Pieter Lexis discovered this bug and reported it per the [wiki:Security] process.