[GHSA-jqqh-999x-w26w] Buildbot Cross-site scripting (XSS) vulnerability #5637

Conversation

rhdesmond
Updates

  • Affected products
  • CVSS v3

Comments
Fixing patched version: https://github.com/pypa/advisory-database/blob/main/vulns/buildbot/PYSEC-2009-1.yaml

@github-actions github-actions bot changed the base branch from main to rhdesmond/advisory-improvement-5637 May 23, 2025 17:27
@shelbyc
Contributor

shelbyc commented May 27, 2025

Hi @rhdesmond, I'm closing this PR as well as #5638 because it's pretty clear from the available evidence that CVE-2009-2959 and CVE-2009-2967 were fixed in 0.7.11p3. The fix commit for CVE-2009-2959 and the fix commit for CVE-2009-2967 are both tagged with 0.7.11p3, and an archived copy of a securityfocus.com advisory that covers both vulnerabilities lists 0.7.11p3 as the fixed version. Although 0.7.11p3 no longer exists in PyPI, it is the first available patched version according to extant evidence, and anyone who wishes to upgrade to 0.7.12 or another later version to mitigate the issue is still welcome to do so.

Thanks for your interest in CVE-2009-2959 and CVE-2009-2967 and have a good week!

@shelbyc shelbyc closed this May 27, 2025
@github-actions github-actions bot deleted the rhdesmond-GHSA-jqqh-999x-w26w branch May 27, 2025 16:45
@rhdesmond
Author

Ah, I see what happened. The sorting on https://pypi.org/project/buildbot/#history incorrectly listed the nonconformant versions after the regular versions, so I missed them. Seems like they also have unexpected behavior when encountering invalid versions, like we do. 😆 Guess we'll just have to accept these unless PyPI yanks them.

Thanks for looking into this!
