Contributors mailing list archives
contributors@odoo-community.org
Security Advisory: runbot_travis2docker - Database Password Exposed
Re: Security Advisory: runbot_travis2docker - Database Password Exposed
by LasLabs, Dave Lasley

Oops sorry, to test you'll need a commit like this. Your password won't be exposed unless you check out the specific revision before the fix ;)
— Dave Lasley
On Aug 17, 2017, at 10:27 AM, David Lasley <dave@dlasley.net> wrote:

Hi All,

Please note that an edge case was recently discovered in maintainer-quality-tools that caused Runbot implementations using runbot_travis2docker to expose the host database password when the Odoo container exits with a non-zero code.

I committed the fix yesterday, but it is recommended that you change your Runbot PostgreSQL password immediately if your Runbot deploy meets the following conditions:
- Runbot that builds using the module runbot_travis2docker
- Runbot instance has a configured database host (as opposed to the default `localhost`)
- Runbot test logs are exposed to the public
For anyone that wants to confirm whether your password has been exposed:
- You can create a commit such as this
- Look for your database password at the bottom of the test_all logs.
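
To check test logs that are already published, the tail of each log can be scanned for the password without echoing it. This is an added example, not part of the original messages or of runbot_travis2docker; the `*test_all*` file pattern, the `RUNBOT_DB_PASSWORD` variable, the percent-encoded check and the sample log lines are assumptions constructed for illustration.

```python
import os
import sys
import tempfile
from pathlib import Path
from urllib.parse import quote

TAIL_BYTES = 64 * 1024  # the advisory says the password appears at the bottom of the log


def find_exposures(log_root, secret, pattern="*test_all*", tail_bytes=TAIL_BYTES):
    """Return [(path, lines_from_end)] for log tails containing the secret; never returns it."""
    if not secret:
        raise ValueError("empty secret would match every log")
    # Match the raw password and its percent-encoded form (in case it was logged in a URL).
    forms = {secret.encode(), quote(secret, safe="").encode()}
    hits = []
    for path in sorted(Path(log_root).rglob(pattern)):
        if not path.is_file():
            continue
        with path.open("rb") as fh:
            fh.seek(0, os.SEEK_END)
            fh.seek(max(0, fh.tell() - tail_bytes))
            tail = fh.read().splitlines()
        for offset, line in enumerate(reversed(tail), start=1):
            if any(form in line for form in forms):
                hits.append((str(path), offset))
    return hits


def demo():
    """Constructed sample logs: one clean build, one whose last line leaks the password."""
    secret = "s3cr3t/pw"  # constructed value, not taken from the advisory
    logs = {
        "build-1": "tests ok\nexit code 0\n",
        "build-2": "tests failed\nexit code 1\npostgresql://odoo:s3cr3t%2Fpw@db.example/runbot\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for build, body in logs.items():
            Path(root, build).mkdir()
            Path(root, build, "job_20_test_all.txt").write_text(body)
        return [(Path(p).parent.name, n) for p, n in find_exposures(root, secret)]


if __name__ == "__main__":
    if len(sys.argv) > 1:  # real run: password comes from the environment, never argv
        for path, n in find_exposures(sys.argv[1], os.environ["RUNBOT_DB_PASSWORD"]):
            print(f"{path}: password found {n} line(s) from the end")
    else:
        print(demo())
```

A hit in any log that was publicly readable means the password should be treated as compromised and rotated, as the advisory recommends.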