Re: Zero Day attack due to Apache Commons statement to widespread Java object de-serialisation vulnerability

2015-12-17 Thread Stephen Connolly
Correct... the evil job type is... evil... Freestyle will work just fine. You also should be able to make toolchains work, i.e. that Maven can use Java 7 or 8 to run and Java 6 to compile. Keep in mind that JDK 9 or JDK 10 will have a lower bound on the -target so that you will probably be only

Re: Zero Day attack due to Apache Commons statement to widespread Java object de-serialisation vulnerability

2015-12-16 Thread Daniel Beck
On 12.12.2015, at 18:44, Indra Gunawan (ingunawa) wrote: > With the Java 7 to run requirement, I want to confirm the following: > 1. Jenkins master and all its slaves need to run JDK 7 or above (JDK7 or > above to run Jenkins master process and SSH slave to connect needs to

Re: Zero Day attack due to Apache Commons statement to widespread Java object de-serialisation vulnerability

2015-12-16 Thread Indra Gunawan (ingunawa)
Point #3 is not possible because of this new change in 1.625.1? 1.625.1 is the first Jenkins LTS release that requires Java 7 to run. If you're using the Maven Project type, please note that it needs to use a JDK capable of running Jenkins, i.e. JDK 7 or up. If you configure an older JDK in a

Re: Zero Day attack due to Apache Commons statement to widespread Java object de-serialisation vulnerability

2015-12-12 Thread Indra Gunawan (ingunawa)
Starting from 1.625.1: 1.625.1 is the first Jenkins LTS release that requires Java 7 to run. If you're using the Maven Project type, please note that it needs to use a JDK capable of running Jenkins, i.e. JDK 7 or up. If you configure an older JDK in a Maven Project, Jenkins will attempt to find

Re: Zero Day attack due to Apache Commons statement to widespread Java object de-serialisation vulnerability

2015-12-08 Thread Stephen Connolly
As somebody on the jenkins-cert list, I highly recommend upgrading to 1.625.3. On 8 December 2015 at 07:41, Christopher Orr wrote: > Also note that, if you're planning a Jenkins upgrade anyway, there's > another Jenkins release coming out tomorrow (1.625.3) to fix one or more >

Re: Zero Day attack due to Apache Commons statement to widespread Java object de-serialisation vulnerability

2015-12-07 Thread Christopher Orr
Also note that, if you're planning a Jenkins upgrade anyway, there's another Jenkins release coming out tomorrow (1.625.3) to fix one or more new security issues: https://groups.google.com/forum/#!topic/jenkinsci-advisories/UbJeKl4Vxbw So, you may want to apply the CLI workaround from the blog

Re: Zero Day attack due to Apache Commons statement to widespread Java object de-serialisation vulnerability

2015-12-07 Thread Mark Waite
Yes, based on https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli, that is impacting Jenkins. The link you posted states that Jenkins is affected. It includes the link to the above Jenkins blog posting which describes a remediation you can take with