Fedora has issued an advisory tomorrow (February 11): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EWAF32D6MHPGCKKLWODCZAJS32A7N2SC/ The issue is fixed upstream in 1.8.1. Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Status comment: (none) => Fixed upstream in 1.8.1
Fedora 29 version of the advisory: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/YM3QABRCGCPSLMZRSXLFN6YLYLEQE2BA/
Whiteboard: MGA6TOO => MGA7TOO, MGA6TOO
Fedora has issued advisories on June 7: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/7GXKO7OYLKBTXXXKF4VPHWT7GVYWFVYA/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/4XLOM2K4M4723BCLHZJEX52KJXZSEVRL/ The issue is fixed upstream in 1.8.3 and 2.3.1.
Source RPM: buildbot-0.8.12-3.mga6.src.rpm => buildbot-0.8.12-7.mga7.src.rpm
Whiteboard: MGA7TOO, MGA6TOO => (none)
Summary: buildbot new security issue CVE-2019-7313 => buildbot new security issues CVE-2019-7313 and CVE-2019-12300
CC: (none) => shlomif
Status comment: Fixed upstream in 1.8.1 => Fixed upstream in 1.8.3
Version: Cauldron => 7
*** Bug 27733 has been marked as a duplicate of this bug. ***
CC: (none) => zombie_ryushu
The files that need to be patched for these bugs are not part of our (old) version of buildbot for mga7. The 2 patches are:
CC: (none) => bruno
https://github.com/buildbot/buildbot/pull/4584/commits/e781f110933e05ecdb30abc64327a2c7c9ff9c5a.patch and https://github.com/buildbot/buildbot/pull/4763/commits/e1dcfce4388bfb153428fb4078b70a7ac96fd5b1.patch, corresponding to buildbot/www/oauth2.py or buildbot/www/resource.py, which are not there. So I wonder whether this BR is still valid for mga7. For cauldron, maybe we can update to the latest 2.x series?
Upstream advisories confirm versions before 0.9.0 are not vulnerable.
Resolution: (none) => FIXED
Version: 7 => Cauldron
Status: NEW => RESOLVED
Status comment: Fixed upstream in 1.8.3 => (none)