[Python-apps-team] Bug#921271: buildbot: CVE-2019-7313: CRLF injection in Buildbot login and logout redirect code

Salvatore Bonaccorso carnil at debian.org
Sun Feb 3 20:20:17 GMT 2019


Source: buildbot
Version: 1.8.0-1
Severity: grave
Tags: security upstream

Hi,

The following vulnerability was published for buildbot.

CVE-2019-7313[0]:
| www/resource.py in Buildbot before 1.8.1 allows CRLF injection in the
| Location header of /auth/login and /auth/logout via the redirect
| parameter. This affects other web sites in the same domain.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2019-7313
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7313
[1] https://github.com/buildbot/buildbot/wiki/CRLF-injection-in-Buildbot-login-and-logout-redirect-code

Regards,
Salvatore
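
The CVE description above concerns a redirect parameter that is reflected into the Location header. The following is an added example, not part of the original message and not Buildbot's code or its 1.8.1 fix: one way to validate such a parameter in Python before it reaches a header. The function names and sample inputs are hypothetical and constructed, and the same-site check goes beyond the CRLF case the advisory names.

```python
# Added example: validate a "redirect" query parameter before it is
# reflected into a Location header. Hypothetical helpers, not Buildbot code.
from urllib.parse import unquote, urlsplit

# C0 control characters plus DEL. CR (0x0d) and LF (0x0a) end a header
# line, so a value containing them can start a new header.
_CONTROL = {chr(c) for c in range(0x20)} | {"\x7f"}


def has_header_injection(value: str) -> bool:
    """True if the value, raw or percent-decoded, holds control characters."""
    # Decode twice to catch double-encoded sequences such as %250d%250a.
    candidates = [value, unquote(value), unquote(unquote(value))]
    return any(ch in _CONTROL for text in candidates for ch in text)


def safe_redirect_target(raw: str, default: str = "/") -> str:
    """Return raw if it is a clean same-site path, otherwise default."""
    if not raw or not raw.isascii() or has_header_injection(raw):
        return default
    parts = urlsplit(raw)
    # Reject absolute URLs, scheme-relative ("//host") targets and
    # backslashes, which some browsers treat as forward slashes.
    off_site = parts.scheme or parts.netloc or raw.startswith("//")
    if off_site or not raw.startswith("/") or "\\" in raw:
        return default
    return raw


def location_header(raw_redirect: str) -> bytes:
    """Serialize the Location header line for a redirect response."""
    return b"Location: " + safe_redirect_target(raw_redirect).encode("ascii") + b"\r\n"


# Constructed sample inputs (not taken from the advisory).
SAMPLES = [
    "/#/builders/3",             # ordinary post-login target
    "/%0d%0aX-Injected: 1",      # percent-encoded CRLF
    "/\r\nX-Injected: 1",        # already-decoded CRLF
    "/%250d%250aX-Injected: 1",  # double-encoded CRLF
    "//other.example/path",      # scheme-relative, leaves the site
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", location_header(sample))
```

Every rejected sample falls back to the default target, so the serialized header always contains exactly one line terminator.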


