Your message dated Tue, 04 Jun 2019 12:58:59 +0000
with message-id <e1hy91n-000cug...@fasolo.debian.org>
and subject line Bug#929849: fixed in buildbot 2.0.1-2
has caused the Debian Bug report #929849,
regarding buildbot: CVE-2019-12300: OAuth vulnerability in using submitted authorization token for authentication
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
929849: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=929849
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: buildbot
Version: 2.0.1-1
Severity: grave
Tags: security upstream
Justification: user security hole

Hi,

The following vulnerability was published for buildbot.

CVE-2019-12300[0]:
| Buildbot before 1.8.2 and 2.x before 2.3.1 accepts a user-submitted
| authorization token from OAuth and uses it to authenticate a user. If
| an attacker has a token allowing them to read the user details of a
| victim, they can login as the victim.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-12300
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12300
[1] https://github.com/buildbot/buildbot/wiki/OAuth-vulnerability-in-using-submitted-authorization-token-for-authentication

The affected versions in [1] seem a bit misleading, because 2.x
versions up to 2.3.1 are affected as well, at least 2.0.1-1 as in
buster and sid has the problematic code.

Regards,
Salvatore

--- End Message ---
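The flaw described in the CVE text above, as an added illustration that is not Buildbot's code: a login callback that trusts a token supplied in the request, beside the fixed pattern that ignores client-supplied tokens, checks the OAuth `state` value and redeems only an authorization code with the provider. The provider functions, token and code values are constructed stand-ins.

```python
import secrets

# Constructed stand-in for an OAuth provider. "tok-other-app" was issued to a
# different client application but can still read the victim's profile.
PROFILES = {"tok-buildbot-alice": {"login": "alice"},
            "tok-other-app": {"login": "alice"}}
CODES = {"code-alice": "tok-buildbot-alice"}


def exchange_code(code):
    """Redeem an authorization code server-side (normally with client_secret)."""
    return CODES.get(code)


def fetch_user(token):
    """Provider's user-info endpoint: any token with read scope returns the profile."""
    return PROFILES.get(token)


def vulnerable_callback(params):
    """Pattern behind CVE-2019-12300: a token taken straight from the request is
    trusted, so whoever holds *any* token for the victim is logged in as them."""
    token = params.get("token") or exchange_code(params.get("code", ""))
    user = fetch_user(token) if token else None
    return user["login"] if user else None


def start_login(session):
    """Fixed flow, step 1: bind this login attempt to a random state value."""
    session["oauth_state"] = secrets.token_urlsafe(16)
    return session["oauth_state"]


def fixed_callback(params, session):
    """Fixed flow, step 2: never read a token from the request; verify state,
    then obtain the token only by redeeming an authorization code ourselves."""
    expected = session.pop("oauth_state", None)
    if expected is None or not secrets.compare_digest(expected, params.get("state", "")):
        return None  # missing or mismatched state: reject the callback
    token = exchange_code(params.get("code", ""))
    user = fetch_user(token) if token else None
    return user["login"] if user else None
```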
--- Begin Message ---
Source: buildbot
Source-Version: 2.0.1-2

We believe that the bug you reported is fixed in the latest version of
buildbot, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 929...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Robin Jarry <ro...@jarry.cc> (supplier of updated buildbot package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)



Format: 1.8
Date: Mon, 03 Jun 2019 14:47:25 +0200
Source: buildbot
Architecture: source
Version: 2.0.1-2
Distribution: unstable
Urgency: high
Maintainer: Python Applications Packaging Team <python-apps-t...@lists.alioth.debian.org>
Changed-By: Robin Jarry <ro...@jarry.cc>
Closes: 929849
Changes:
 buildbot (2.0.1-2) unstable; urgency=high
 .
   * Fix OAuth module security bypass [CVE-2019-12300] (Closes: #929849)


--- End Message ---
