Bug#697617: jenkins: remote code execution vulnerability
Hi,

On Tue, Jan 08, 2013 at 02:06:39AM +0900, Nobuhiro Ban wrote:
> Package: jenkins
> Version: 1.447.2+dfsg-2
> Severity: grave
> Tags: security
>
> Dear Maintainer,
>
> The upstream vendor announced a security advisory that is rated critical severity.
> See: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-01-04

Is there any news on this issue?

Regards,
Salvatore

__
This is the maintainer address of Debian's Java team http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers. Please use debian-j...@lists.debian.org for discussions and questions.
Bug#697617: jenkins: remote code execution vulnerability
Hi James,

On Thu, Jan 10, 2013 at 05:03:44PM +, James Page wrote:
> On 10/01/13 15:46, Miguel Landaeta wrote:
>>> We might want to consider whether updating unstable/testing to 1.480.2 is actually the best way forward at this point in time.
>>
>> Hi James, I don't know if it is feasible at this point in the release cycle to have a new upstream release of jenkins in sid even if it fixes some security issues.
>
> Agreed; it's a last resort.
>
>> I backported the fix for CVE-2013-0158 from the stable branch and I applied it to 1.447.2+dfsg-2. It applies cleanly but I'm getting a FTBFS. I don't have time to review it right now but I'll go back to it later. I'm attaching the debdiff I got and the FTBFS log error.
>
> I did much the same for the version in Ubuntu 12.04 (1.424.6) and hit similar issues. The key problem is the extent of the patch to fix this issue and the amount of code change in the TCP/Agent communication area between 1.480.2 and the earlier versions we already have packaged.
>
> I'm trying to get some advice from upstream on this - hopefully I'll hear back in the next ~24hrs.

Any news on this one? Jenkins has become a candidate for removal due to this one and I'd be sad to see a release without it.

Cheers,
-- Guido
Bug#697617: jenkins: remote code execution vulnerability
On Thu, Jan 10, 2013 at 2:29 PM, Miguel Landaeta <mig...@miguel.cc> wrote:
> On Thu, Jan 10, 2013 at 2:03 PM, James Page <james.p...@ubuntu.com> wrote:
>> I'm trying to get some advice from upstream on this - hopefully I'll hear back in the next ~24hrs.
>
> Good to know, I'll stay tuned.

Hi James, is there any news about this issue?

Cheers,
-- 
Miguel Landaeta, miguel at miguel.cc
secure email with PGP 0x6E608B637D8967E9 available at http://keyserver.pgp.com/
"Faith means not wanting to know what is true." -- Nietzsche
Bug#697617: jenkins: remote code execution vulnerability
On 09/01/13 00:54, Miguel Landaeta wrote:
> Hi, I'm working on backporting a fix for this issue to this version of Jenkins. It isn't too hard to do, but I haven't tested the patch I got properly yet. If everything goes well I'll attach a debdiff to this bug report very soon.

Thanks Miguel; I'm also about to upload the latest version of Jenkins to experimental, which includes a fix for this issue and http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696816 (which requires a new version of jenkins-winstone as well).

We might want to consider whether updating unstable/testing to 1.480.2 is actually the best way forward at this point in time.

-- 
James Page
Ubuntu Core Developer
Debian Maintainer
james.p...@ubuntu.com
Bug#697617: jenkins: remote code execution vulnerability
On 10/01/13 15:46, Miguel Landaeta wrote:
>> We might want to consider whether updating unstable/testing to 1.480.2 is actually the best way forward at this point in time.
>
> Hi James, I don't know if it is feasible at this point in the release cycle to have a new upstream release of jenkins in sid even if it fixes some security issues.

Agreed; it's a last resort.

> I backported the fix for CVE-2013-0158 from the stable branch and I applied it to 1.447.2+dfsg-2. It applies cleanly but I'm getting a FTBFS. I don't have time to review it right now but I'll go back to it later. I'm attaching the debdiff I got and the FTBFS log error.

I did much the same for the version in Ubuntu 12.04 (1.424.6) and hit similar issues. The key problem is the extent of the patch to fix this issue and the amount of code change in the TCP/Agent communication area between 1.480.2 and the earlier versions we already have packaged.

I'm trying to get some advice from upstream on this - hopefully I'll hear back in the next ~24hrs.

> BTW, recently the team of developers I work with began to use Jenkins, so I have some interest in it. If you are OK with that I can jump in as co-maintainer.

Yes please!

Cheers

James
-- 
James Page
Ubuntu Core Developer
Debian Maintainer
james.p...@ubuntu.com
Bug#697617: jenkins: remote code execution vulnerability
On Thu, Jan 10, 2013 at 2:03 PM, James Page <james.p...@ubuntu.com> wrote:
> I did much the same for the version in Ubuntu 12.04 (1.424.6) and hit similar issues. The key problem is the extent of the patch to fix this issue and the amount of code change in the TCP/Agent communication area between 1.480.2 and the earlier versions we already have packaged.

Yeah, and besides that this is going to be a large patch. I don't think the Release Team is going to be very happy about that at this stage either.

> I'm trying to get some advice from upstream on this - hopefully I'll hear back in the next ~24hrs.

Good to know, I'll stay tuned.

>> BTW, recently the team of developers I work with began to use Jenkins, so I have some interest in it. If you are OK with that I can jump in as co-maintainer.
>
> Yes please!

Fine.

Cheers,
-- 
Miguel Landaeta, miguel at miguel.cc
secure email with PGP 0x6E608B637D8967E9 available at http://keyserver.pgp.com/
"Faith means not wanting to know what is true." -- Nietzsche
Bug#697617: jenkins: remote code execution vulnerability
Package: jenkins
Version: 1.447.2+dfsg-2
Severity: grave
Tags: security

Dear Maintainer,

The upstream vendor announced a security advisory that is rated critical severity.
See: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-01-04

Regards,
Nobuhiro
Bug#697617: jenkins: remote code execution vulnerability
Control: retitle -1 jenkins: CVE-2013-0158: remote code execution vulnerability

Hi,

On Tue, Jan 08, 2013 at 02:06:39AM +0900, Nobuhiro Ban wrote:
> Package: jenkins
> Version: 1.447.2+dfsg-2
> Severity: grave
> Tags: security
>
> Dear Maintainer,
>
> The upstream vendor announced a security advisory that is rated critical severity.
> See: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-01-04

CVE-2013-0158 was assigned to this issue. Please include the CVE when fixing this issue.

Regards,
Salvatore
Processed: Re: Bug#697617: jenkins: remote code execution vulnerability
Processing control commands:

> retitle -1 jenkins: CVE-2013-0158: remote code execution vulnerability
Bug #697617 [jenkins] jenkins: remote code execution vulnerability
Changed Bug title to 'jenkins: CVE-2013-0158: remote code execution vulnerability' from 'jenkins: remote code execution vulnerability'

-- 
697617: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697617
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems