Security vulnerability requires updates for builds.sr.ht

Message ID
DKIM signature
Download raw message
Support for private builds was recently added to builds.sr.ht, but an
oversight in its rollout allowed for the enumeration of the logs of
private builds. Good user security discipline calls for build logs to
omit any secret keys and other sensitive information, making this a
relatively minor information disclosure vulnerability, but nevertheless
the expectation of privacy was not properly upheld prior to builds.sr.ht
version 0.86.4.

builds.sr.ht versions 0.86.4 and above proxy build log requests through
the API, which now handles authentication properly. It is advised that
you upgrade your systems to this version or newer AND manually upgrade
your httpd configuration on the build workers such that they only accept
requests from your builds.sr.ht master server.
Reply to thread Export thread (mbox)