[Bug 1446128] New: CVE-2017-1000355 jenkins: Java crash when trying to instantiate void/Void (SECURITY-503)
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1446128
Bug ID: 1446128
Summary: CVE-2017-1000355 jenkins: Java crash when trying to
instantiate void/Void (SECURITY-503)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: amaris(a)redhat.com
CC: abhgupta(a)redhat.com, bleanhar(a)redhat.com,
ccoleman(a)redhat.com, dedgar(a)redhat.com,
dmcphers(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jgoulding(a)redhat.com, jkeck(a)redhat.com,
joelsmith(a)redhat.com, kseifried(a)redhat.com,
mizdebsk(a)redhat.com, msrb(a)redhat.com,
tdawson(a)redhat.com, tiwillia(a)redhat.com
Jenkins uses the XStream library to serialize and deserialize XML. Its
maintainer recently published a security vulnerability that allows anyone able
to provide XML to Jenkins for processing using XStream to crash the Java
process. In Jenkins this typically applies to users with permission to create
or configure items (jobs), views, or agents.
Jenkins now prohibits the attempted deserialization of void / Void that results
in a crash.
Affected versions:
All Jenkins main line releases up to and including 2.56
All Jenkins LTS releases up to and including 2.46.1
Fixed in:
Jenkins main line users should update to 2.57
Jenkins LTS users should update to 2.46.2
External References:
https://jenkins.io/security/advisory/2017-04-26/#xstream-java-crash-when-...
http://www.openwall.com/lists/oss-security/2017/04/03/4
--
You are receiving this mail because:
You are on the CC list for the bug.
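Added example for this advisory and for the jenkins-xstream tracking bug further down (Bug 1441541); it is not Jenkins or XStream project code. It shows the application-side policy that stops a `<void/>` document from ever reaching instantiation: a deny-by-default XStream instance with an explicit allow list, plus an explicit deny of void/Void. It assumes upstream XStream 1.4.7 or later on the classpath (for addPermission, allowTypes and denyTypes); the JobConfig type, the alias and the XML strings are constructed for the demonstration.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

// Added example, not Jenkins/XStream code. JobConfig and the XML below are constructed.
public class XStreamVoidGuard {

    /** The only application type this XStream instance is meant to unmarshal. */
    public static class JobConfig {
        String name;
        int timeoutSeconds;
    }

    /** Deny-by-default type policy with an explicit allow list. */
    public static XStream hardenedXStream() {
        XStream xs = new XStream();
        // NoTypePermission.NONE wipes every existing permission; from here on nothing
        // is accepted until it is added back. The most recently added rule is checked first.
        xs.addPermission(NoTypePermission.NONE);
        xs.addPermission(NullPermission.NULL);
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES);
        xs.allowTypes(new Class[] { String.class, JobConfig.class });
        // void.class.isPrimitive() is true, so do not rely on a primitive permission to
        // exclude it. Deny it explicitly, and do so last so the deny rule wins.
        xs.denyTypes(new Class[] { void.class, Void.class });
        xs.alias("jobConfig", JobConfig.class);
        return xs;
    }

    /** Unmarshals and reports the outcome; a forbidden type is rejected by the mapper, not instantiated. */
    public static String unmarshal(XStream xs, String xml) {
        try {
            Object value = xs.fromXML(xml);
            return "accepted " + value.getClass().getName();
        } catch (ForbiddenClassException e) {
            return "rejected " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        XStream xs = hardenedXStream();
        // Constructed inputs: a legitimate job configuration and the crashing payload.
        String good = "<jobConfig><name>nightly</name><timeoutSeconds>30</timeoutSeconds></jobConfig>";
        String crash = "<void/>";
        System.out.println(unmarshal(xs, good));
        System.out.println(unmarshal(xs, crash));   // rejected, process keeps running
    }
}
```

Without an explicit policy, XStream releases before 1.4.18 accept any type name they can resolve, so the deny-by-default setup is the part that matters; later XStream releases also deny void/Void in their default permissions, but an application that unmarshals user-supplied XML should still carry its own allow list rather than depend on the library default.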
[Bug 1443567] New: missing Requires: xmlgraphics-commons in squiggle and rasterizer subpackage
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1443567
Bug ID: 1443567
Summary: missing Requires: xmlgraphics-commons in squiggle and
rasterizer subpackage
Product: Fedora
Version: 25
Component: batik
Assignee: mizdebsk(a)redhat.com
Reporter: martin.gieseking(a)uos.de
QA Contact: extras-qa(a)fedoraproject.org
CC: c.david86(a)gmail.com,
java-sig-commits(a)lists.fedoraproject.org,
jvanek(a)redhat.com, mizdebsk(a)redhat.com,
msimacek(a)redhat.com
Currently, the packages batik-squiggle and batik-rasterizer don't depend on
xmlgraphics-commons which is required by "squiggle" and "rasterizer" to work
properly. Both utilities fail to start if it's not installed. It would be nice
if you could add the missing Requires to the subpackages.
[Bug 1443593] New: CVE-2017-5662 batik: XML external entity processing vulnerability [fedora-all]
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1443593
Bug ID: 1443593
Summary: CVE-2017-5662 batik: XML external entity processing
vulnerability [fedora-all]
Product: Fedora
Version: 25
Component: batik
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: mizdebsk(a)redhat.com
Reporter: anemec(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: c.david86(a)gmail.com,
java-sig-commits(a)lists.fedoraproject.org,
jvanek(a)redhat.com, mizdebsk(a)redhat.com,
msimacek(a)redhat.com
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
[Bug 1443637] New: CVE-2017-5645 log4j: Socket receiver deserialization vulnerability [fedora-all]
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1443637
Bug ID: 1443637
Summary: CVE-2017-5645 log4j: Socket receiver deserialization
vulnerability [fedora-all]
Product: Fedora
Version: 25
Component: log4j
Keywords: Security, SecurityTracking
Severity: high
Priority: high
Assignee: mizdebsk(a)redhat.com
Reporter: anemec(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: devrim(a)gunduz.org,
java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msimacek(a)redhat.com
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
[Bug 1446122] New: CVE-2017-1000354 jenkins: Login command allowed impersonating any Jenkins user (SECURITY-466)
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1446122
Bug ID: 1446122
Summary: CVE-2017-1000354 jenkins: Login command allowed
impersonating any Jenkins user (SECURITY-466)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: amaris(a)redhat.com
CC: abhgupta(a)redhat.com, bleanhar(a)redhat.com,
ccoleman(a)redhat.com, dedgar(a)redhat.com,
dmcphers(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jgoulding(a)redhat.com, jkeck(a)redhat.com,
joelsmith(a)redhat.com, kseifried(a)redhat.com,
mizdebsk(a)redhat.com, msrb(a)redhat.com,
tdawson(a)redhat.com, tiwillia(a)redhat.com
The login command available in the remoting-based CLI stored the encrypted user
name of the successfully authenticated user in a cache file used to
authenticate further commands. Users with sufficient permission to create
secrets in Jenkins, and download their encrypted values (e.g. with
Job/Configure permission), were able to impersonate any other Jenkins user on
the same instance.
This has been fixed by storing the cached authentication as a hash-based MAC
with a key specific to the Jenkins instance and the CLI authentication cache.
Previously cached authentications are invalidated when upgrading Jenkins to a
version containing a fix for this.
Affected versions:
All Jenkins main line releases up to and including 2.56
All Jenkins LTS releases up to and including 2.46.1
Fixed in:
Jenkins main line users should update to 2.57
Jenkins LTS users should update to 2.46.2
External Reference:
https://jenkins.io/security/advisory/2017-04-26/#cli-login-command-allowe...
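Added example illustrating the design change this advisory describes; it is not Jenkins code. The AES-GCM "secret store" stands in for an instance-wide secret-encryption facility that a user with Job/Configure permission can drive as an encryption oracle (save a secret, read back its encrypted value). The vulnerable cache entry is just such an encryption of the user name, so the oracle forges it; the fixed entry is an HMAC under a key that exists only for the cache, which the oracle cannot produce. Keys, user names and the cache format are constructed for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added example, not Jenkins code. The secret store and cache format are constructed.
public class CliAuthCacheDemo {
    private static final SecureRandom RNG = new SecureRandom();

    // Instance-wide key for stored secrets. Anyone who can save a secret and read the
    // stored configuration obtains encryptions of chosen plaintexts under this key.
    static final SecretKey SECRET_STORE_KEY = newAesKey();
    // Key used only by the authentication cache. Nothing else ever encrypts or MACs with it.
    static final byte[] CACHE_MAC_KEY = randomBytes(32);

    static SecretKey newAesKey() {
        try {
            KeyGenerator kg = KeyGenerator.getInstance("AES");
            kg.init(256);
            return kg.generateKey();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }

    static byte[] randomBytes(int n) {
        byte[] b = new byte[n];
        RNG.nextBytes(b);
        return b;
    }

    /** The oracle: encrypts a chosen value exactly the way stored secrets are encrypted. */
    static String encryptStoredSecret(String plaintext) throws GeneralSecurityException {
        byte[] iv = randomBytes(12);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, SECRET_STORE_KEY, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    static String decryptStoredSecret(String token) throws GeneralSecurityException {
        byte[] in = Base64.getDecoder().decode(token);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, SECRET_STORE_KEY, new GCMParameterSpec(128, in, 0, 12));
        return new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8);
    }

    // Vulnerable design: the cache entry is the user name encrypted under the shared key.
    static String vulnerableIssue(String user) throws GeneralSecurityException {
        return encryptStoredSecret(user);
    }

    static String vulnerableAuthenticate(String entry) throws GeneralSecurityException {
        return decryptStoredSecret(entry);   // whoever produced a valid ciphertext is "authenticated"
    }

    // Fixed design: the cache entry is user + ":" + HMAC(CACHE_MAC_KEY, user).
    static byte[] hmac(byte[] key, String msg) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(msg.getBytes(StandardCharsets.UTF_8));
    }

    static String fixedIssue(String user) throws GeneralSecurityException {
        return user + ":" + Base64.getEncoder().encodeToString(hmac(CACHE_MAC_KEY, user));
    }

    /** Returns the authenticated user, or null when the tag does not verify. */
    static String fixedAuthenticate(String entry) throws GeneralSecurityException {
        int sep = entry.lastIndexOf(':');          // base64 never contains ':'
        if (sep < 0) return null;
        String user = entry.substring(0, sep);
        byte[] tag = Base64.getDecoder().decode(entry.substring(sep + 1));
        // Constant-time comparison so a wrong tag cannot be corrected byte by byte.
        return MessageDigest.isEqual(tag, hmac(CACHE_MAC_KEY, user)) ? user : null;
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // "mallory" saves a secret whose value is "admin" and reads back its encrypted form,
        // then drops that value into the CLI cache file.
        String forged = vulnerableIssue("mallory").isEmpty() ? null : encryptStoredSecret("admin");
        System.out.println("vulnerable cache accepts forged entry as: " + vulnerableAuthenticate(forged));

        // Same idea against the MAC-based cache: take a genuine entry and rename the user.
        String tampered = fixedIssue("mallory").replace("mallory:", "admin:");
        System.out.println("fixed cache accepts tampered entry as:    " + fixedAuthenticate(tampered));
        System.out.println("fixed cache accepts genuine entry as:     " + fixedAuthenticate(fixedIssue("mallory")));
    }
}
```

The first line of output names "admin", the second prints null and the third "mallory". The point is not AES versus HMAC as such: an encryption of a value proves nothing about who produced it when other users can obtain encryptions under the same key, whereas a MAC keyed for this one purpose can only be produced by the cache itself. The advisory's note that existing cached authentications are invalidated on upgrade follows directly: entries in the old format carry no tag under the new key.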
[Bug 1446110] New: CVE-2017-1000356 jenkins: Multiple CSRF vulnerabilities (SECURITY-412 through SECURITY-420)
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1446110
Bug ID: 1446110
Summary: CVE-2017-1000356 jenkins: Multiple CSRF
vulnerabilities (SECURITY-412 through SECURITY-420)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: amaris(a)redhat.com
CC: abhgupta(a)redhat.com, bleanhar(a)redhat.com,
ccoleman(a)redhat.com, dedgar(a)redhat.com,
dmcphers(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jgoulding(a)redhat.com, jkeck(a)redhat.com,
joelsmith(a)redhat.com, kseifried(a)redhat.com,
mizdebsk(a)redhat.com, msrb(a)redhat.com,
tdawson(a)redhat.com, tiwillia(a)redhat.com
Multiple Cross-Site Request Forgery vulnerabilities in Jenkins allowed
malicious users to perform several administrative actions by tricking a victim
into opening a web page. The most notable ones:
SECURITY-412: Restart Jenkins immediately, after all builds are finished,
or after all plugin installations and builds are finished
SECURITY-412: Schedule a downgrade of Jenkins to a previously installed
version if Jenkins previously upgraded itself
SECURITY-413: Install and (optionally) dynamically load any plugin present
on a configured update site
SECURITY-414: Remove any update site from the Jenkins configuration
SECURITY-415: Change a user’s API token
SECURITY-416: Submit system configuration
SECURITY-417: Submit global security configuration
SECURITY-418, SECURITY-420: For Jenkins user database authentication realm:
create an account if signup is enabled; or create an account if the victim is
an administrator, possibly deleting the existing default admin user in the
process
SECURITY-419: Create a new agent, possibly executing arbitrary shell
commands on the master node by choosing the appropriate launch method
SECURITY-420: Cancel a scheduled restart
SECURITY-420: Configure the global logging levels
SECURITY-420: Create a copy of an existing agent
SECURITY-420: Create copies of views in users' "My Views" or as children of
the experimental "Tree View" feature
SECURITY-420: Enter "quiet down" mode in which no new builds are started
SECURITY-420: On Windows, after successful installation as a service,
restart
SECURITY-420: On Windows, try to install Jenkins as a service
SECURITY-420: Set the descriptions of items (jobs), builds, and users
SECURITY-420: Submit global tools configuration (Jenkins 2.0 and up)
SECURITY-420: Toggle keeping a build forever (i.e. exclude or include it in
log rotation)
SECURITY-420: Try to connect all disconnected agents simultaneously
SECURITY-420: Update the node monitor data on all agents
Affected versions:
All Jenkins main line releases up to and including 2.56
All Jenkins LTS releases up to and including 2.46.1
Fixed in:
Jenkins main line users should update to 2.57
Jenkins LTS users should update to 2.46.2
External Reference:
https://jenkins.io/security/advisory/2017-04-26/
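Added example of the check that each of the listed endpoints was missing; it illustrates the anti-CSRF token ("crumb") approach in general and is not Jenkins' own crumb issuer or code. A cross-site page can make the victim's browser send a GET or an auto-submitted POST with the victim's session cookie attached, but it cannot read a token that only the legitimate page receives. The Request type, the session id, the header name and the path are constructed for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Collections;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Added example, not Jenkins code. Request is a constructed stand-in for a servlet request.
public class CrumbCheck {
    static final String CRUMB_HEADER = "X-Crumb";
    private static final byte[] CRUMB_KEY = new byte[32];
    static { new SecureRandom().nextBytes(CRUMB_KEY); }

    public static final class Request {
        final String method, path, sessionId;
        final Map<String, String> headers;
        Request(String method, String path, String sessionId, Map<String, String> headers) {
            this.method = method; this.path = path; this.sessionId = sessionId; this.headers = headers;
        }
    }

    /** Crumb = HMAC(key, sessionId): the server can recompute it, another origin cannot guess it. */
    static String issueCrumb(String sessionId) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(CRUMB_KEY, "HmacSHA256"));
        return Base64.getUrlEncoder().withoutPadding()
                .encodeToString(mac.doFinal(sessionId.getBytes(StandardCharsets.UTF_8)));
    }

    /** Gate for any endpoint that changes state (restart, plugin install, agent creation, ...). */
    static boolean allowStateChange(Request r) throws GeneralSecurityException {
        // A GET reached through <a>, <img> or a redirect from the attacker's page must never act.
        if (!"POST".equals(r.method)) return false;
        String crumb = r.headers.get(CRUMB_HEADER);
        if (crumb == null || r.sessionId == null) return false;
        // The browser attaches the victim's session cookie to a cross-site form post, but the
        // attacker's page never saw the crumb, so recomputing it for this session will not match.
        byte[] expected = issueCrumb(r.sessionId).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(crumb.getBytes(StandardCharsets.UTF_8), expected);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        String victimSession = "sess-7f3a";            // constructed session id
        String crumb = issueCrumb(victimSession);       // delivered only to the victim's own page

        Request genuine = new Request("POST", "/restart", victimSession,
                Collections.singletonMap(CRUMB_HEADER, crumb));
        Request forgedGet = new Request("GET", "/restart", victimSession,
                Collections.<String, String>emptyMap());
        Request forgedPost = new Request("POST", "/restart", victimSession,
                Collections.singletonMap(CRUMB_HEADER, "guess"));

        System.out.println("genuine POST with crumb: " + allowStateChange(genuine));    // true
        System.out.println("cross-site GET:          " + allowStateChange(forgedGet));  // false
        System.out.println("cross-site POST:         " + allowStateChange(forgedPost)); // false
    }
}
```

Two things the advisory's list makes worth checking in any such review: every action that changes state must be behind the gate, not only the ones with obvious impact (setting a description or toggling log rotation was on the list alongside restarting the server and creating agents), and the gate must reject GET outright rather than only requiring a crumb on POST, since a link or image tag is the easiest forgery to deliver.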
[Bug 1441541] New: jenkins-xstream: XStream: DoS when unmarshalling void type [fedora-all]
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1441541
Bug ID: 1441541
Summary: jenkins-xstream: XStream: DoS when unmarshalling void
type [fedora-all]
Product: Fedora
Version: 25
Component: jenkins-xstream
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: msrb(a)redhat.com
Reporter: anemec(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
msrb(a)redhat.com
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.