Bug 24346 - buildbot new security issues CVE-2019-7313 and CVE-2019-12300
Summary: buildbot new security issues CVE-2019-7313 and CVE-2019-12300
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: Neal Gompa
QA Contact: Sec team
URL:
Whiteboard:
Keywords:
Duplicates: 27733
Depends on:
Blocks:
 
Reported: 2019-02-11 02:41 CET by David Walser
Modified: 2021-01-05 00:05 CET (History)
CC List: 3 users

See Also:
Source RPM: buildbot-0.8.12-7.mga7.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2019-02-11 02:41:01 CET
Fedora has issued an advisory tomorrow (February 11):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EWAF32D6MHPGCKKLWODCZAJS32A7N2SC/

The issue is fixed upstream in 1.8.1.

Mageia 6 is also affected.
David Walser 2019-02-11 02:41:12 CET

Whiteboard: (none) => MGA6TOO
Status comment: (none) => Fixed upstream in 1.8.1

David Walser 2019-06-23 19:22:11 CEST

Whiteboard: MGA6TOO => MGA7TOO, MGA6TOO

Comment 2 David Walser 2019-12-19 22:53:16 CET
Fedora has issued advisories on June 7:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7GXKO7OYLKBTXXXKF4VPHWT7GVYWFVYA/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4XLOM2K4M4723BCLHZJEX52KJXZSEVRL/

The issue is fixed upstream in 1.8.3 and 2.3.1.

Source RPM: buildbot-0.8.12-3.mga6.src.rpm => buildbot-0.8.12-7.mga7.src.rpm
Whiteboard: MGA7TOO, MGA6TOO => (none)
Summary: buildbot new security issue CVE-2019-7313 => buildbot new security issues CVE-2019-7313 and CVE-2019-12300
CC: (none) => shlomif
Status comment: Fixed upstream in 1.8.1 => Fixed upstream in 1.8.3
Version: Cauldron => 7

Comment 3 David Walser 2020-12-04 13:32:03 CET
*** Bug 27733 has been marked as a duplicate of this bug. ***

CC: (none) => zombie_ryushu

Comment 4 Bruno Cornec 2021-01-04 23:52:23 CET
The files that need to be patched for these bugs are not part of our (old) version of buildbot for mga7.

The 2 patches are:

CC: (none) => bruno

Comment 5 Bruno Cornec 2021-01-04 23:59:37 CET
https://github.com/buildbot/buildbot/pull/4584/commits/e781f110933e05ecdb30abc64327a2c7c9ff9c5a.patch and
https://github.com/buildbot/buildbot/pull/4763/commits/e1dcfce4388bfb153428fb4078b70a7ac96fd5b1.patch

corresponding to buildbot/www/oauth2.py and buildbot/www/resource.py, which are not there.
So I wonder whether this BR is still valid for mga7.
For cauldron maybe we can update to the latest 2.x series?

Comment 6 David Walser 2021-01-05 00:05:01 CET
Upstream advisories confirm versions before 0.9.0 are not vulnerable.

Resolution: (none) => FIXED
Version: 7 => Cauldron
Status: NEW => RESOLVED
Status comment: Fixed upstream in 1.8.3 => (none)

