Bug#697617: jenkins: remote code execution vulnerability

2013-03-01 Thread Salvatore Bonaccorso
Hi

On Tue, Jan 08, 2013 at 02:06:39AM +0900, Nobuhiro Ban wrote:
> Package: jenkins
> Version: 1.447.2+dfsg-2
> Severity: grave
> Tags: security
> 
> Dear Maintainer,
> 
> The upstream vendor announced a security advisory that is rated
> critical severity.
> 
> See: 
> https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-01-04

Is there any news on this issue?

Regards,
Salvatore

--
This is the maintainer address of Debian's Java team.
Please use debian-j...@lists.debian.org for discussions and questions.


Bug#697617: jenkins: remote code execution vulnerability

2013-01-30 Thread Guido Günther
Hi James,
On Thu, Jan 10, 2013 at 05:03:44PM +, James Page wrote:
> On 10/01/13 15:46, Miguel Landaeta wrote:
> >>> We might want to consider whether updating unstable/testing to
> >>> 1.480.2 is actually the best way forward at this point in
> >>> time.
> > Hi James,
> > 
> > I don't know if it is feasible at this point in the release cycle
> > to have a new upstream release of jenkins in sid even if it fixes
> > some security issues.
> 
> Agreed; it's a last resort.
> 
> > I backported the fix for CVE-2013-0158 from stable branch and I 
> > applied it to 1.447.2+dfsg-2. It applies cleanly but I'm getting a 
> > FTBFS. I don't have time to review it right now but I'll go back to
> > it later.
> > 
> > I'm attaching the debdiff I got and the FTBFS log error.
> 
> I did much the same for the version in Ubuntu 12.04 (1.424.6), and hit
> similar issues. The key problem is the extent of the patch to fix this
> issue and the amount of code change in the TCP/Agent communication
> area between 1.480.2 and earlier versions we already have packaged.
> 
> I'm trying to get some advice from upstream on this - hopefully I'll
> hear back in the next ~24hrs

Any news on this one? Jenkins has become a candidate for removal due
to this one, and I'd be sad to see a release without it.
Cheers,
 -- Guido



Bug#697617: jenkins: remote code execution vulnerability

2013-01-18 Thread Miguel Landaeta
On Thu, Jan 10, 2013 at 2:29 PM, Miguel Landaeta  wrote:
> On Thu, Jan 10, 2013 at 2:03 PM, James Page  wrote:
>> I'm trying to get some advice from upstream on this - hopefully I'll
>> hear back in the next ~24hrs
>
> Good to know, I'll stay tuned.
>

Hi James, is there any news about this issue?

Cheers,

-- 
Miguel Landaeta, miguel at miguel.cc
secure email with PGP 0x6E608B637D8967E9 available at http://keyserver.pgp.com/
"Faith means not wanting to know what is true." -- Nietzsche



Bug#697617: jenkins: remote code execution vulnerability

2013-01-10 Thread Miguel Landaeta
On Thu, Jan 10, 2013 at 2:03 PM, James Page  wrote:
> I did much the same for the version in Ubuntu 12.04 (1.424.6), and hit
> similar issues. The key problem is the extent of the patch to fix this
> issue and the amount of code change in the TCP/Agent communication
> area between 1.480.2 and earlier versions we already have packaged.

Yeah, and besides that this is going to be a large patch. I don't
think the Release Team is going to be very happy about that at this stage
either.

> I'm trying to get some advice from upstream on this - hopefully I'll
> hear back in the next ~24hrs

Good to know, I'll stay tuned.

>> BTW, recently the team of developers I work with began to use
>> Jenkins, so I have some interest in it. If you are OK with that I
>> can jump in as co-maintainer.
>
> Yes please!

Fine,

Cheers,

-- 
Miguel Landaeta, miguel at miguel.cc
secure email with PGP 0x6E608B637D8967E9 available at http://keyserver.pgp.com/
"Faith means not wanting to know what is true." -- Nietzsche



Bug#697617: jenkins: remote code execution vulnerability

2013-01-10 Thread James Page
On 10/01/13 15:46, Miguel Landaeta wrote:
>>> We might want to consider whether updating unstable/testing to
>>> 1.480.2 is actually the best way forward at this point in
>>> time.
> Hi James,
> 
> I don't know if it is feasible at this point in the release cycle
> to have a new upstream release of jenkins in sid even if it fixes
> some security issues.

Agreed; it's a last resort.

> I backported the fix for CVE-2013-0158 from stable branch and I 
> applied it to 1.447.2+dfsg-2. It applies cleanly but I'm getting a 
> FTBFS. I don't have time to review it right now but I'll go back to
> it later.
> 
> I'm attaching the debdiff I got and the FTBFS log error.

I did much the same for the version in Ubuntu 12.04 (1.424.6), and hit
similar issues. The key problem is the extent of the patch to fix this
issue and the amount of code change in the TCP/Agent communication
area between 1.480.2 and earlier versions we already have packaged.

I'm trying to get some advice from upstream on this - hopefully I'll
hear back in the next ~24hrs

> BTW, recently the team of developers I work with began to use
> Jenkins, so I have some interest in it. If you are OK with that I
> can jump in as co-maintainer.

Yes please!

Cheers

James

-- 
James Page
Ubuntu Core Developer
Debian Maintainer
james.p...@ubuntu.com



Bug#697617: jenkins: remote code execution vulnerability

2013-01-10 Thread James Page
On 09/01/13 00:54, Miguel Landaeta wrote:
> Hi,
> 
> I'm working on backporting a fix for this issue to this version of
> Jenkins. It isn't too hard to do, but I haven't tested
> the patch I got properly.
> 
> If everything goes well I'll attach a debdiff to this bug report
> very soon.

Thanks Miguel; I'm also about to upload the latest version of Jenkins
to experimental which includes a fix for this issue and
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696816 (which
requires a new version of jenkins-winstone as well).

We might want to consider whether updating unstable/testing to 1.480.2
is actually the best way forward at this point in time.


-- 
James Page
Ubuntu Core Developer
Debian Maintainer
james.p...@ubuntu.com



Bug#697617: jenkins: remote code execution vulnerability

2013-01-08 Thread Miguel Landaeta
Hi,

I'm working on backporting a fix for this issue to this version of
Jenkins. It isn't too hard to do, but I haven't tested the patch
I got properly.

If everything goes well I'll attach a debdiff to this bug report very soon.

Cheers,

-- 
Miguel Landaeta, miguel at miguel.cc
secure email with PGP 0x6E608B637D8967E9 available at http://keyserver.pgp.com/
"Faith means not wanting to know what is true." -- Nietzsche



Processed: Re: Bug#697617: jenkins: remote code execution vulnerability

2013-01-07 Thread Debian Bug Tracking System
Processing control commands:

> retitle -1 jenkins: CVE-2013-0158: remote code execution vulnerability
Bug #697617 [jenkins] jenkins: remote code execution vulnerability
Changed Bug title to 'jenkins: CVE-2013-0158: remote code execution vulnerability' from 'jenkins: remote code execution vulnerability'

-- 
697617: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697617
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#697617: jenkins: remote code execution vulnerability

2013-01-07 Thread Salvatore Bonaccorso
Control: retitle -1 jenkins: CVE-2013-0158: remote code execution vulnerability

Hi

On Tue, Jan 08, 2013 at 02:06:39AM +0900, Nobuhiro Ban wrote:
> Package: jenkins
> Version: 1.447.2+dfsg-2
> Severity: grave
> Tags: security
> 
> Dear Maintainer,
> 
> The upstream vendor announced a security advisory that is rated
> critical severity.
> 
> See: 
> https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-01-04

CVE-2013-0158 was assigned to this issue. Please include the CVE when
fixing this issue.

Regards,
Salvatore



Bug#697617: jenkins: remote code execution vulnerability

2013-01-07 Thread Nobuhiro Ban
Package: jenkins
Version: 1.447.2+dfsg-2
Severity: grave
Tags: security

Dear Maintainer,

The upstream vendor announced a security advisory that is rated
critical severity.

See: 
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-01-04


Regards,
Nobuhiro
