Changes between Version 79 and Version 80 of WikiStart


Timestamp:
Aug 14, 2009, 8:50:33 PM (10 years ago)
Author:
dustin
Comment:

another security alert!

  • WikiStart

    v79 v80  
    33= Security Alert =
    44
    5 Nicolas Sylvain reported a cross-site scripting vulnerability in the waterfall web status view.  This vulnerability allows an attacker to craft a URL targetting a specific Buildbot instance, and run arbitrary browser-side code in the context of that Buildbot instance.  This constitutes a security risk both for the Buildbot instance and for any other services hosted on the same domain as that Buildbot instance, and is a particular threat when browsers' same-origin policy is used to protect sensitive information such as cookies.
     5In addition to the XSS vulnerability announced on August 12, several
     6other such vulnerabilities were discovered in other portions of the
     7Buildbot web status, by Nicolas Sylvain and Nicolás Alvarez.  The
     8severity of these vulnerabilities is no different that that announced
     9on August 12, except that the vulnerabilities are not limited to the
     10waterfall view.
    611
    7 Note that Buildbot itself does not use cookies (even in the IAuth framework), so the risk for a standalone buildbot instance is somewhat limited.  Even so, all users are urged to upgrade or apply the patch given in the MITIGATION section, below.
     12All affected users are urged to upgrade or apply the patches given in
     13the MITIGATION section, below.
    814
    9 This vulnerability is limited to the waterfall view, and does not affect Buildbot slaves.
     15This vulnerability does not affect Buildbot slaves.
    1016
    1117== Affected Versions ==
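Review bot: added line 8 reads "no different that that announced on August 12"; it should read "no different than that announced on August 12". Two smaller points on the same hunk: added line 5 uses "XSS" without expansion, whereas the removed v79 paragraph spelled out "cross-site scripting", so a first-use expansion (or a link to the August 12 alert) would keep the advisory self-contained; and the removed v79 sentence noting that Buildbot itself does not use cookies (even in the IAuth framework) is dropped without replacement, so the remaining text says nothing about the residual risk to a standalone instance beyond "no different" from the earlier alert. If that caveat still holds for the newly reported views, consider keeping it.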
     
    1925 *  buildbot-0.7.11
    2026 *  buildbot-0.7.11p1
     27 *  buildbot-0.7.11p2
    2128
    2229== Unaffected Versions ==
    2330
    2431 *  buildbot-0.7.5 and earlier
    25  *  buildbot-0.7.11p2
     32 *  buildbot-0.7.11p3
    2633
    2734== Mitigation ==
    28 The fix for this vulnerability is a simple, one-line patch:
    29   http://github.com/djmitche/buildbot/commit/ad13a16bbdec535c8edebdbba4f77ae39b19c84c
    3035
    31 Users of buildbot-0.7.11p1 are encouraged to upgrade to buildbot-0.7.11p2, which contains this patch.  For others, the simpler solution may be to apply the patch directly.  The patch applies cleanly to all vulnerable versions of Buildbot, and will also apply to an installed copy of Buildbot.
     36Users of buildbot-0.7.11 (at any patch level) are encouraged to
     37upgrade to buildbot-0.7.11p3, which contains fixes for all
     38vulnerabilities in this alert and in the August 12 alert. 
     39Users of previous versions should apply the following patches:
     40
     41buildbot-0.7.10p1:
     42 http://github.com/djmitche/buildbot/commit/822bd5600f8ea577dcb24efe8d7886c66946ac94.patch
     43 http://github.com/djmitche/buildbot/tree/buildbot-0.7.10p2
     44buildbot-0.7.9:
     45 http://github.com/djmitche/buildbot/commit/7367766b6570fdbfd60bfeb3bdbd80dc573a09a1.patch
     46 http://github.com/djmitche/buildbot/tree/buildbot-0.7.9p1
     47buildbot-0.7.8:
     48 http://github.com/djmitche/buildbot/commit/31946bda9f77edc3d11ea78a7513a7a3bb6bb2b2.patch
     49 http://github.com/djmitche/buildbot/tree/buildbot-0.7.8p1
     50buildbot-0.7.7:
     51 http://github.com/djmitche/buildbot/commit/3f1b9dc68ee956afb772d339951331ed0d32d285.patch
     52 http://github.com/djmitche/buildbot/tree/buildbot-0.7.7p1
    3253
    3354= Welcome to Buildbot! =
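Review bot: the added patch list (lines 41 to 52) covers buildbot-0.7.10p1, 0.7.9, 0.7.8 and 0.7.7, while the unchanged Unaffected Versions entry stops at "buildbot-0.7.5 and earlier"; the start of the Affected Versions list lies outside this hunk, so check that buildbot-0.7.6 (and 0.7.10 without the p1 suffix) is either listed there with a patch or explicitly listed as unaffected, otherwise readers on those releases get no guidance. Added line 39 says "Users of previous versions should apply the following patches" but, unlike added line 38 for 0.7.11p3, does not say whether these per-version patches also contain the August 12 fix; a short statement either way would help. Two style points: added line 38 ends with trailing whitespace after "alert. ", and each ".patch" URL is followed by a bare "/tree/..." URL with no label, so lead-ins such as "patch:" and "patched tree:" would make clear that the second link is the already-patched release tree rather than a second patch to apply.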