Bug 24346

Summary: buildbot new security issues CVE-2019-7313 and CVE-2019-12300
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: Neal Gompa <ngompa13>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: bruno, shlomif, zombie_ryushu
Version: Cauldron   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: buildbot-0.8.12-7.mga7.src.rpm CVE:
Status comment:

Description David Walser 2019-02-11 02:41:01 CET 
Fedora has issued an advisory tomorrow (February 11):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EWAF32D6MHPGCKKLWODCZAJS32A7N2SC/

The issue is fixed upstream in 1.8.1.

Mageia 6 is also affected.
David Walser 2019-02-11 02:41:12 CET

Whiteboard: (none) => MGA6TOO
Status comment: (none) => Fixed upstream in 1.8.1

David Walser 2019-06-23 19:22:11 CEST

Whiteboard: MGA6TOO => MGA7TOO, MGA6TOO

Comment 2 David Walser 2019-12-19 22:53:16 CET 
Fedora has issued advisories on June 7:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7GXKO7OYLKBTXXXKF4VPHWT7GVYWFVYA/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4XLOM2K4M4723BCLHZJEX52KJXZSEVRL/

The issue is fixed upstream in 1.8.3 and 2.3.1.

Source RPM: buildbot-0.8.12-3.mga6.src.rpm => buildbot-0.8.12-7.mga7.src.rpm
Whiteboard: MGA7TOO, MGA6TOO => (none)
Summary: buildbot new security issue CVE-2019-7313 => buildbot new security issues CVE-2019-7313 and CVE-2019-12300
CC: (none) => shlomif
Status comment: Fixed upstream in 1.8.1 => Fixed upstream in 1.8.3
Version: Cauldron => 7

Comment 3 David Walser 2020-12-04 13:32:03 CET 
*** Bug 27733 has been marked as a duplicate of this bug. ***

CC: (none) => zombie_ryushu

Comment 4 Bruno Cornec 2021-01-04 23:52:23 CET 
The files that need to be patched for these bugs are not part of our (old) version of buildbot for mga7.

The 2 patches are:

CC: (none) => bruno

Comment 5 Bruno Cornec 2021-01-04 23:59:37 CET 
https://github.com/buildbot/buildbot/pull/4584/commits/e781f110933e05ecdb30abc64327a2c7c9ff9c5a.patch and
https://github.com/buildbot/buildbot/pull/4763/commits/e1dcfce4388bfb153428fb4078b70a7ac96fd5b1.patch

corresponding to buildbot/www/oauth2.py or buildbot/www/resource.py which are not there.
So I wonder whether this BR is still valid for mga7.
For cauldron maybe we can update to the latest 2.x serie ?
Comment 6 David Walser 2021-01-05 00:05:01 CET 
Upstream advisories confirm versions before 0.9.0 are not vulnerable.

Resolution: (none) => FIXED
Version: 7 => Cauldron
Status: NEW => RESOLVED
Status comment: Fixed upstream in 1.8.3 => (none)