[Bug 1291795] New: CVE-2015-7537 jenkins: CSRF vulnerability in some
administrative actions (SECURITY-225)
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1291795
Bug ID: 1291795
Summary: CVE-2015-7537 jenkins: CSRF vulnerability in some
administrative actions (SECURITY-225)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: mprpic(a)redhat.com
CC: abhgupta(a)redhat.com, ccoleman(a)redhat.com,
dmcphers(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jialiu(a)redhat.com, joelsmith(a)redhat.com,
jokerman(a)redhat.com, kseifried(a)redhat.com,
lmeyer(a)redhat.com, mizdebsk(a)redhat.com,
mmccomas(a)redhat.com, msrb(a)redhat.com,
tiwillia(a)redhat.com
Several administration/configuration related URLs could be accessed using GET,
which allowed attackers to circumvent CSRF protection. This could allow
unprivileged attackers to perform some administrative actions via CSRF.
External References:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+20...
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=dy8TFEUMji&a=cc_unsubscribe
7 years, 4 months
[Bug 1291794] New: CVE-2015-7536 jenkins: stored XSS vulnerability
through workspace files and archived artifacts (SECURITY-95)
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1291794
Bug ID: 1291794
Summary: CVE-2015-7536 jenkins: stored XSS vulnerability
through workspace files and archived artifacts
(SECURITY-95)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: mprpic(a)redhat.com
CC: abhgupta(a)redhat.com, ccoleman(a)redhat.com,
dmcphers(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jialiu(a)redhat.com, joelsmith(a)redhat.com,
jokerman(a)redhat.com, kseifried(a)redhat.com,
lmeyer(a)redhat.com, mizdebsk(a)redhat.com,
mmccomas(a)redhat.com, msrb(a)redhat.com,
tiwillia(a)redhat.com
In certain configurations, low privilege users were able to create e.g. HTML
files in workspaces and archived artifacts that could result in XSS when
accessed by other users. Jenkins now sends Content-Security-Policy headers that
enables sandboxing and prohibits script execution by default.
This could allow low-privilege users to perform limited XSS in certain
configurations.
External References:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+20...
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=BQv8HX1t7u&a=cc_unsubscribe
7 years, 4 months
[Bug 1291799] New: CVE-2015-7536 CVE-2015-7537 CVE-2015-7538
CVE-2015-7539 jenkins: various flaws [fedora-all]
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1291799
Bug ID: 1291799
Summary: CVE-2015-7536 CVE-2015-7537 CVE-2015-7538
CVE-2015-7539 jenkins: various flaws [fedora-all]
Product: Fedora
Version: 23
Component: jenkins
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: msrb(a)redhat.com
Reporter: mprpic(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msrb(a)redhat.com
Blocks: 1291794 (CVE-2015-7536), 1291795 (CVE-2015-7537),
1291797 (CVE-2015-7538), 1291798 (CVE-2015-7539)
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
[bug automatically created by: add-tracking-bugs]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1291794
[Bug 1291794] CVE-2015-7536 jenkins: stored XSS vulnerability through
workspace files and archived artifacts (SECURITY-95)
https://bugzilla.redhat.com/show_bug.cgi?id=1291795
[Bug 1291795] CVE-2015-7537 jenkins: CSRF vulnerability in some
administrative actions (SECURITY-225)
https://bugzilla.redhat.com/show_bug.cgi?id=1291797
[Bug 1291797] CVE-2015-7538 jenkins: CSRF protection ineffective
(SECURITY-233)
https://bugzilla.redhat.com/show_bug.cgi?id=1291798
[Bug 1291798] CVE-2015-7539 jenkins: Jenkins plugin manager vulnerable to
MITM attacks (SECURITY-234)
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=s1ovB160TH&a=cc_unsubscribe
7 years, 4 months
[Bug 1287780] New: Jenkins guice version causes build problems
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1287780
Bug ID: 1287780
Summary: Jenkins guice version causes build problems
Product: Fedora
Version: 23
Component: jenkins
Assignee: msrb(a)redhat.com
Reporter: jcosta(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msrb(a)redhat.com
Description of problem:
Similar to #1287638, this time for guice. I wasn't able to consistently
reproduce this issue, but once a job starts failing with a
"StackOverflowError", all subsequent builds fail with the same issue.
Example:
16:14:54 java.io.IOException: remote file operation failed:
/home/jenkins/workspace/hawkular-accounts-pr-builder at
hudson.remoting.Channel@304a0a3b:caipora: java.io.IOException: Remote call on
caipora failed
16:14:54 at hudson.FilePath.act(FilePath.java:987)
16:14:54 at hudson.FilePath.act(FilePath.java:969)
16:14:54 at
hudson.maven.MavenModuleSetBuild$MavenModuleSetBuildExecution.parsePoms(MavenModuleSetBuild.java:960)
16:14:54 at
hudson.maven.MavenModuleSetBuild$MavenModuleSetBuildExecution.doRun(MavenModuleSetBuild.java:679)
16:14:54 at
hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:537)
16:14:54 at hudson.model.Run.execute(Run.java:1741)
16:14:54 at
hudson.maven.MavenModuleSetBuild.run(MavenModuleSetBuild.java:531)
16:14:54 at
hudson.model.ResourceController.execute(ResourceController.java:98)
16:14:54 at hudson.model.Executor.run(Executor.java:408)
16:14:54 Caused by: java.io.IOException: Remote call on caipora failed
16:14:54 at hudson.remoting.Channel.call(Channel.java:789)
16:14:54 at hudson.FilePath.act(FilePath.java:980)
16:14:54 ... 8 more
16:14:54 Caused by: java.lang.StackOverflowError
16:14:54 at sun.reflect.GeneratedMethodAccessor14.invoke(Unknown Source)
Version-Release number of selected component (if applicable):
How reproducible:
Not sure. Once a job starts failing, all subsequent jobs fail.
Additional info:
Similar to #1287638, this can be fixed by adding guice-4.0-beta.jar from
WEB-INF/lib of a WAR downloaded from jenkins-ci.org into /usr/share/java/ and
changing the symlink for /usr/share/jenkins/webroot/WEB-INF/lib/guice.jar to
/usr/share/java/guice-4.0-beta.jar
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=QOM5Z4er71&a=cc_unsubscribe
7 years, 4 months
[Bug 1287638] New: guava version is not correct
by Red Hat Bugzilla
https://bugzilla.redhat.com/show_bug.cgi?id=1287638
Bug ID: 1287638
Summary: guava version is not correct
Product: Fedora
Version: 23
Component: jenkins
Assignee: msrb(a)redhat.com
Reporter: jcosta(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msrb(a)redhat.com
Description of problem:
Using a stock Jenkins installed via "dnf install jenkins", the Github plugins
won't work due to a missing method that should be provided by the guava
library. The version that is shipped with the official Jenkins WAR is 11.0,
whereas the version provided by the Jenkins in Fedora is 18.0.
Version-Release number of selected component (if applicable):
How reproducible:
Always
Steps to Reproduce:
1. Install Jenkins via dnf install jenkins
2. Install the GitHub plugin
3. On the Jenkins configuration page, hit "Verify credentials". An exception is
shown.
Actual results:
An exception is shown after clicking on "ERROR"
Expected results:
Unauthorized request (401), if no credentials have been entered, or success if
credentials were entered.
Additional info:
As a workaround, one can download download Guava 11.0 and install it under
/usr/share/java/ , and then:
rm /usr/share/jenkins/webroot/WEB-INF/lib/guava.jar
ln -s /usr/share/java/guava-11.0.1.jar
/usr/share/jenkins/webroot/WEB-INF/lib/guava.jar
The easiest is to download the Jenkins WAR from jenkins-ci.org and use the
guava JAR from there.
--
You are receiving this mail because:
You are on the CC list for the bug.
Unsubscribe from this bug https://bugzilla.redhat.com/token.cgi?t=HZnT5ORpDU&a=cc_unsubscribe
7 years, 4 months