Your message dated Tue, 27 Mar 2012 12:17:48 +0000
with message-id <[email protected]>
and subject line Bug#664057: fixed in jenkins 1.424.6+dfsg-1
has caused the Debian Bug report #664057,
regarding jenkins: XSS security vulnerability
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
664057: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=664057
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: jenkins
Version: 1.424.3+dfsg-1
Severity: normal
Tags: upstream

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2012-03-05

This advisory announces a couple of critical security vulnerabilities 
that were found in Jenkins core.

The first vulnerability is a directory traversal vulnerability. This allows
an anonymous attacker to read files in the file system that shouldn't be
exposed. This vulnerability affects Jenkins that run on Windows, whether or
not the access control in Jenkins is enabled. Those file reads are still
subject to OS-level access control, and therefore an attacker will only gain
access to files that are readable to the OS user that runs the Jenkins
process. This is a vulnerability in the built-in servlet container (named
Winstone), and therefore the only affected users are those who are running
Jenkins via java -jar jenkins.war (this includes users of the Windows
installer.)

This vulnerability affects all versions of Jenkins up to and including 1.452, 
and LTS releases up to and including 1.424.3.

The second vulnerability is a cross-site scripting (XSS) vulnerability,
which allows an attacker to inject malicious HTML into pages served by Jenkins.
This allows an attacker to escalate his privileges by hijacking sessions of
other users. This vulnerability affects all versions of Jenkins up to and
including 1.452, and LTS releases up to and including 1.424.3, regardless
of the security settings.

The Debian package is only impacted by the second vulnerability and requires a
new package, owasp-java-html-sanitizer (see
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=664055).

This is also being addressed in Ubuntu, which is nearing beta-2 for precise:

https://bugs.launchpad.net/ubuntu/+source/jenkins/+bug/954960


- -- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-18-generic (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBCAAGBQJPYcfqAAoJEL/srsug59jDdScQAKCBO5Dnxq/lonWKebhswIEt
p+kLi+JvBqRp0xKwpZIu1P235TEOOvKQPfgCAJj/8Uzsi1qB1t28100cYf/SOiZ/
phjpqtJ6tepxkTU4g/MMJb1hgkBpz/Cyit5JM+pZQ35kNWwFpCHf0kwZs51zHJyn
yGT0P0o0xaQkWjBjYnIbGeaklmyTa99YLcnvdt4u5NelIbj/eaBuJ7Y+nCpebjIP
o5V8LECTt2+YD54IoAAOTBwiK31v8/XgIL1D1nxOBMr9Kx5yXOVgzi5qdhrvfydT
tQA1+L/3Pada3rS4YqcEN04FF6m9iDYkzrhSuBOQML6dVIm8L0bCsf1Kp3VM0rMV
2j+fTF8HLqp8GUFmlRsd68DuTW6axZL/xHy5Ohh7vW+AhPcdlxKzNKCwnMA6HfIY
sVDS+fFhDYwLdqWgWw52bmqCO1MfY8mRZgpaxLd7j6PMGGZcchbhQ+/AYnTrU0cr
b0Z7YfyY80BU2rX61MsASwyFgdjuDNEGU+nNDgW1W3y6lJF64cyWAg+2E3kwLl9m
h2/0y/XoXRUWLu73lezl4ZHYSbE4P0x1zu2Xjm+Qjco1L9RmtsShc1YssXfD4OGC
aj7pAOxUSaXj01Q5890odCoIoGm1wCMHrohsJEMVWFIdjQMvKkvKumlHy4zZchmo
SM6YhUpIcTle9zDaVTxo
=tKqK
-----END PGP SIGNATURE-----



--- End Message ---
--- Begin Message ---
Source: jenkins
Source-Version: 1.424.6+dfsg-1

We believe that the bug you reported is fixed in the latest version of
jenkins, which is due to be installed in the Debian FTP archive:

jenkins-cli_1.424.6+dfsg-1_all.deb
  to main/j/jenkins/jenkins-cli_1.424.6+dfsg-1_all.deb
jenkins-common_1.424.6+dfsg-1_all.deb
  to main/j/jenkins/jenkins-common_1.424.6+dfsg-1_all.deb
jenkins-external-job-monitor_1.424.6+dfsg-1_all.deb
  to main/j/jenkins/jenkins-external-job-monitor_1.424.6+dfsg-1_all.deb
jenkins-slave_1.424.6+dfsg-1_all.deb
  to main/j/jenkins/jenkins-slave_1.424.6+dfsg-1_all.deb
jenkins-tomcat_1.424.6+dfsg-1_all.deb
  to main/j/jenkins/jenkins-tomcat_1.424.6+dfsg-1_all.deb
jenkins_1.424.6+dfsg-1.debian.tar.gz
  to main/j/jenkins/jenkins_1.424.6+dfsg-1.debian.tar.gz
jenkins_1.424.6+dfsg-1.dsc
  to main/j/jenkins/jenkins_1.424.6+dfsg-1.dsc
jenkins_1.424.6+dfsg-1_all.deb
  to main/j/jenkins/jenkins_1.424.6+dfsg-1_all.deb
jenkins_1.424.6+dfsg.orig.tar.gz
  to main/j/jenkins/jenkins_1.424.6+dfsg.orig.tar.gz
libjenkins-java_1.424.6+dfsg-1_all.deb
  to main/j/jenkins/libjenkins-java_1.424.6+dfsg-1_all.deb
libjenkins-plugin-parent-java_1.424.6+dfsg-1_all.deb
  to main/j/jenkins/libjenkins-plugin-parent-java_1.424.6+dfsg-1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Page <[email protected]> (supplier of updated jenkins package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 27 Mar 2012 09:17:51 +0100
Source: jenkins
Binary: libjenkins-java libjenkins-plugin-parent-java jenkins-common jenkins jenkins-slave jenkins-external-job-monitor jenkins-cli jenkins-tomcat
Architecture: source all
Version: 1.424.6+dfsg-1
Distribution: sid
Urgency: low
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: James Page <[email protected]>
Description: 
 jenkins    - Continuous Integration and Job Scheduling Server
 jenkins-cli - Jenkins CI Command Line Interface
 jenkins-common - Jenkins common Java components and web application
 jenkins-external-job-monitor - Jenkins CI external job monitoring
 jenkins-slave - Jenkins slave node helper
 jenkins-tomcat - Jenkins CI on Tomcat 6
 libjenkins-java - Jenkins CI core Java libraries
 libjenkins-plugin-parent-java - Jenkins Plugin Parent Maven POM
Closes: 664057
Changes: 
 jenkins (1.424.6+dfsg-1) unstable; urgency=low
 .
   * New upstream release, fixing XSS security vulnerability (Closes: #664057):
     - d/control: Add new dependency on libowasp-java-html-sanitizer-java.
     - d/maven.rules: Add new rule to use artifacts
       from libowasp-java-html-sanitizer-java.
   * Switch upstart configurations to use start-stop-daemon to allow
     desktop systems to shutdown.
   * d/jenkins-slave.upstart.in: Ensure /var/run/jenkins exists before
     trying to download the jenkins slave.jar file to it.
     Thanks to Al Stone for providing this fix.
Checksums-Sha1:
 ba6791a2b60e8b07a751a9578dbad08723017205 4374 jenkins_1.424.6+dfsg-1.dsc
 f2d10efcf5bb7faefcb50bf011b1b3f53a1f96d2 3812074 jenkins_1.424.6+dfsg.orig.tar.gz
 f43121a30988acc77d664fe21aa996abdf4fcf19 39504 jenkins_1.424.6+dfsg-1.debian.tar.gz
 68456e6f0a09506084817e7978f30bb835ae3761 5522472 libjenkins-java_1.424.6+dfsg-1_all.deb
 d51ff5ffcba3dc3f7e1adf9dd863f030a6c0a6d2 13812 libjenkins-plugin-parent-java_1.424.6+dfsg-1_all.deb
 218fa1c451e51707b00adbc84ad36467943fe8cc 30756438 jenkins-common_1.424.6+dfsg-1_all.deb
 c10d68fbe48e34913e7209afdcbc190ac9a6e8e9 17908 jenkins_1.424.6+dfsg-1_all.deb
 8bf81b8a976f812dd343c4370898011eaf9e778b 16972 jenkins-slave_1.424.6+dfsg-1_all.deb
 991719b5f5cf0a8d88d46e31424bf05f7b3525d2 5495970 jenkins-external-job-monitor_1.424.6+dfsg-1_all.deb
 a89f1b89741f80669c9e976a4d2ecebf91ee2661 545486 jenkins-cli_1.424.6+dfsg-1_all.deb
 54219def11a7721925ab710653b9ed61e565d9e7 13998 jenkins-tomcat_1.424.6+dfsg-1_all.deb
Checksums-Sha256:
 04d9f6f352325bea6b329bd28392cc1ced0e008183021582e49f6f7574621ad1 4374 jenkins_1.424.6+dfsg-1.dsc
 d9effb49adce7814658a552cf46bc12ec40856264a2d145f464799736f8e5d01 3812074 jenkins_1.424.6+dfsg.orig.tar.gz
 856de806e075d9945720b004ec4d5c7f5beee769ea248fb09bcc121cafb55ca6 39504 jenkins_1.424.6+dfsg-1.debian.tar.gz
 11dae27ae45a26ce77c0e47fc5f388f1ac38e463f7c1cffe385b55d517730fab 5522472 libjenkins-java_1.424.6+dfsg-1_all.deb
 89a45ae3c438c7e5fac5e22f1d859b0d1b7b262b6543ffdb0ceb256a83194ca2 13812 libjenkins-plugin-parent-java_1.424.6+dfsg-1_all.deb
 15239b86b84bdb20e107b3af028bac8089a51c5d716823fbc6850ee6ef1d50b0 30756438 jenkins-common_1.424.6+dfsg-1_all.deb
 316b079d8828bcbde51999009856e461f069f7c237992c9b66cf8516ae9ffd36 17908 jenkins_1.424.6+dfsg-1_all.deb
 abde9e59552bc370c893d40dbba8ef288b9c79e1ca0caa8c8c3e61c914824686 16972 jenkins-slave_1.424.6+dfsg-1_all.deb
 2660bf84353505f23597329c814819ab2e37f9022219175a1af6f0c6f24bde01 5495970 jenkins-external-job-monitor_1.424.6+dfsg-1_all.deb
 01853d98fe4307ff7facc3e2ae1b4618aa1d6667a183783eda33c055aeb63a70 545486 jenkins-cli_1.424.6+dfsg-1_all.deb
 a0c9acf1504f710a9157cbe199d8bf7e509a7e68d21ee4bbe5482829ba3b4cff 13998 jenkins-tomcat_1.424.6+dfsg-1_all.deb
Files:
 bb71287234e9013f4db7b4c91ff5d9ce 4374 java optional jenkins_1.424.6+dfsg-1.dsc
 6e1178315606e58701d28e0d6afaa0a0 3812074 java optional jenkins_1.424.6+dfsg.orig.tar.gz
 42f5a45ed3d96faa48c8ea9a1f0409af 39504 java optional jenkins_1.424.6+dfsg-1.debian.tar.gz
 3fe574c66cb26e822c6902a8d2e8dede 5522472 java optional libjenkins-java_1.424.6+dfsg-1_all.deb
 2aa76824e691e7fb67cd0f267a980b00 13812 java optional libjenkins-plugin-parent-java_1.424.6+dfsg-1_all.deb
 3e544ab0f2e09d804e624c4c3805557a 30756438 java optional jenkins-common_1.424.6+dfsg-1_all.deb
 f9e2b02661876d4b7abe775bbab01659 17908 java optional jenkins_1.424.6+dfsg-1_all.deb
 199b32102dbd0b7784a1591c6ae085d4 16972 java optional jenkins-slave_1.424.6+dfsg-1_all.deb
 cea94f39bcab40c65545fcf0ae8d31c6 5495970 java optional jenkins-external-job-monitor_1.424.6+dfsg-1_all.deb
 e06ed0bde45ce9d75d7b52737ccae63b 545486 java optional jenkins-cli_1.424.6+dfsg-1_all.deb
 bc559694b4dc994d9cb8764dadb28675 13998 java optional jenkins-tomcat_1.424.6+dfsg-1_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
=yZYE
-----END PGP SIGNATURE-----



--- End Message ---
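As an added example, not code from the bug report, from the Jenkins project or from the Debian package, the following shows the mechanism behind the fix named in both messages: the XSS described in the advisory (untrusted HTML reaching pages served by Jenkins) and the changelog entry that introduces the dependency on libowasp-java-html-sanitizer-java. A user-controlled description field is rendered only after passing through an allowlist policy built with the library's own HtmlPolicyBuilder/PolicyFactory API; the class name JobDescriptionRenderer, the two render methods and the sample input are assumptions made for this example.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

/**
 * Added example (not Jenkins code): rendering user-supplied HTML such as a
 * job description through an allowlist policy instead of echoing it raw.
 * Requires owasp-java-html-sanitizer on the classpath.
 */
public final class JobDescriptionRenderer {

    // Allowlist policy: only these elements survive, and only the listed
    // attributes on them. Event-handler attributes (onerror, onclick, ...)
    // are never allowlisted, so they cannot pass through.
    private static final PolicyFactory DESCRIPTION_POLICY = new HtmlPolicyBuilder()
            .allowElements("p", "b", "i", "em", "strong", "ul", "ol", "li",
                           "br", "code", "pre", "a")
            .allowAttributes("href").onElements("a")
            .allowStandardUrlProtocols()   // http, https, mailto; rejects javascript: URLs
            .requireRelNofollowOnLinks()
            .toFactory();

    /** Vulnerable pattern (assumed for contrast): untrusted markup concatenated into the page. */
    static String renderUnsafe(String untrustedDescription) {
        return "<div class=\"description\">" + untrustedDescription + "</div>";
    }

    /** Hardened pattern: the markup is sanitised before it reaches the response. */
    static String renderDescription(String untrustedDescription) {
        String safe = DESCRIPTION_POLICY.sanitize(untrustedDescription);
        return "<div class=\"description\">" + safe + "</div>";
    }

    public static void main(String[] args) {
        // Constructed sample input: legitimate formatting mixed with a script
        // element, an event-handler attribute and a javascript: link, i.e. the
        // shapes of input a sanitiser-based fix has to neutralise.
        String input = "<p>Nightly build of <b>core</b>.</p>"
                + "<script>alert(1)</script>"
                + "<img src=\"x\" onerror=\"alert(1)\">"
                + "<a href=\"javascript:alert(1)\">docs</a>";

        System.out.println("unsafe:    " + renderUnsafe(input));
        System.out.println("sanitised: " + renderDescription(input));
    }
}
```

In the sanitised output the paragraph and bold text are kept, the script element is removed, the img element (not allowlisted) goes with its onerror attribute, and the javascript: href is dropped because it is not one of the standard URL protocols the policy permits. The point of the allowlist design is that anything the policy does not explicitly name is rejected, so new HTML features or attributes never become an accidental bypass.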
