[Bug 1560603] New: jenkins is unmaintained
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1560603
Bug ID: 1560603
Summary: jenkins is unmaintained
Product: Fedora
Version: rawhide
Component: jenkins
Assignee: msrb(a)redhat.com
Reporter: msimacek(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msrb(a)redhat.com
There are 24 open bugs for the component (not counting plugins).
There are 33 unfixed CVEs.
The latest upstream version is 2.107, while the package version in Fedora is 1.651.
Most of the plugins are FTBFS for multiple Fedora releases.
The package is unmaintained. We should strive to avoid shipping broken
software.
If you don't have the time to maintain it, please orphan/retire it.
--
You are receiving this mail because:
You are on the CC list for the bug.
6 years, 1 month
[Bug 1548909] CVE-2018-8088 slf4j: Deserialisation vulnerability in EventData constructor can allow for arbitrary code execution
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1548909
--- Comment #20 from Doran Moppert <dmoppert(a)redhat.com> ---
Statement:
Subscription Asset Manager is now in a reduced support phase receiving only
Critical impact security fixes. This issue has been rated as having a security
impact of Important, and is not currently planned to be addressed in future
updates.
This issue did not affect the versions of Candlepin as shipped with Red Hat
Satellite 6 as Candlepin uses slf4j-api and not the affected slf4j-ext (which
is not on the Candlepin classpath).
Red Hat Enterprise Virtualization Manager 4.1 is affected by this issue.
Updated packages that address this issue are available through the Red Hat
Enterprise Linux Server channels. Virtualization Manager hosts should be
subscribed to these channels and obtain the updates via `yum update`.
[Bug 1556974] New: Aliases don't behave correctly for plugins
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1556974
Bug ID: 1556974
Summary: Aliases don't behave correctly for plugins
Product: Fedora
Version: rawhide
Component: xmvn
Assignee: mizdebsk(a)redhat.com
Reporter: msimacek(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
mat.booth(a)redhat.com, mizdebsk(a)redhat.com,
msimacek(a)redhat.com, msrb(a)redhat.com
Description of problem:
Plugins used via an alias don't work correctly.
For example: hawtjni recently renamed their maven-hawtjni-plugin to
hawtjni-maven-plugin. I added an alias:
%mvn_alias :hawtjni-maven-plugin :maven-hawtjni-plugin
The plugin works fine when used via the primary name (hawtjni-maven-plugin),
but doesn't work when used via the alias (maven-hawtjni-plugin). It resolves
fine, but executes the plugin with incorrect configuration.
Version-Release number of selected component (if applicable):
xmvn-minimal-3.0.0-13.fc28.noarch
maven-lib-3.5.3-1.fc29.noarch
How reproducible:
always
Steps to Reproduce:
1. Clone netty (commit a001671 = current master) and try to build it in f29 mock with -X passed to %mvn_build
2. Observe it fails
3. Add the following to %prep: sed -i s/hawtjni-maven-plugin/maven-hawtjni-plugin/g `find -name pom.xml`
4. Observe it succeeds and was executed with different config (now contains generatedNativeSourceDirectory key)
[Bug 1557543] New: CVE-2018-1324 apache-commons-compress: Infinite loop via extra field parser in ZipFile and ZipArchiveInputStream classes [fedora-all]
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1557543
Bug ID: 1557543
Summary: CVE-2018-1324 apache-commons-compress: Infinite loop
via extra field parser in ZipFile and
ZipArchiveInputStream classes [fedora-all]
Product: Fedora
Version: 27
Component: apache-commons-compress
Keywords: Security, SecurityTracking
Severity: medium
Priority: medium
Assignee: mizdebsk(a)redhat.com
Reporter: psampaio(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com, msimacek(a)redhat.com,
sandro(a)mathys.io, SpikeFedora(a)gmail.com
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fedora. While only
one tracking bug has been filed, please correct all affected versions at
the same time. If you need to fix the versions independent of each other,
you may clone this bug as appropriate.
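The CVE-2018-1324 tracker above names the failure class (an extra-field parser that never terminates) but not the mechanism. As an added example, not code from commons-compress and not a claim about where its fix landed, here is a bounded Python parser for the ZIP extra-field block the bug concerns, plus a pre-check that runs it over every member of an archive before the archive is handed to another library. The sample extra blocks and the in-memory archive are constructed; the header ids 0x5455 and 0x7875 are the standard Info-ZIP ones.

```python
import io
import struct
import zipfile
from typing import Dict, List, Tuple

# Constructed samples (not from the report): two well-formed records, 0x5455
# extended timestamp (5 bytes) and 0x7875 Info-ZIP UID/GID (11 bytes), and a
# block whose declared size 0xFFFF overruns the two bytes that actually follow.
GOOD_EXTRA = (struct.pack("<HH", 0x5455, 5) + b"\x01\x00\x00\x00\x00"
              + struct.pack("<HH", 0x7875, 11)
              + b"\x01\x04\xe8\x03\x00\x00\x04\xe8\x03\x00\x00")
BAD_EXTRA = struct.pack("<HH", 0x5455, 0xFFFF) + b"\x01\x02"


class MalformedExtraField(ValueError):
    """Raised instead of looping or reading past the end of the buffer."""


def parse_extra_fields(extra: bytes) -> List[Tuple[int, bytes]]:
    """Split a ZIP 'extra' block into (header_id, data) records.
    A record is a little-endian 2-byte id, a 2-byte size and `size` data
    bytes. Every pass either raises or advances `offset` by at least 4 and
    the declared size is checked against the bytes left, so the loop ends."""
    records, offset, total = [], 0, len(extra)
    while offset < total:
        if total - offset < 4:
            raise MalformedExtraField(f"{total - offset} trailing byte(s)")
        header_id, size = struct.unpack_from("<HH", extra, offset)
        start, end = offset + 4, offset + 4 + size
        if end > total:
            raise MalformedExtraField(
                f"0x{header_id:04x} declares {size} bytes, {total - start} left")
        records.append((header_id, extra[start:end]))
        offset = end
    return records


def scan_archive(fileobj) -> Dict[str, List[int]]:
    """Check every central-directory extra block before another library
    parses the archive; returns {member: [header ids]} or raises."""
    with zipfile.ZipFile(fileobj) as zf:
        return {i.filename: [hid for hid, _ in parse_extra_fields(i.extra)]
                for i in zf.infolist()}


def build_sample_archive(extra: bytes = GOOD_EXTRA) -> io.BytesIO:
    """Constructed in-memory archive with one member carrying `extra`."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("sample.txt")
        info.extra = extra
        zf.writestr(info, b"constructed sample content\n")
    buf.seek(0)
    return buf
```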
[Bug 1501817] New: jenkins: "Queue Item" remote API disclosed information about inaccessible jobs (SECURITY-618)
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1501817
Bug ID: 1501817
Summary: jenkins: "Queue Item" remote API disclosed information
about inaccessible jobs (SECURITY-618)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: amaris(a)redhat.com
CC: bleanhar(a)redhat.com, ccoleman(a)redhat.com,
dedgar(a)redhat.com, dmcphers(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jgoulding(a)redhat.com, jkeck(a)redhat.com,
kseifried(a)redhat.com, mizdebsk(a)redhat.com,
msrb(a)redhat.com
The remote API at /queue/item/(ID)/api showed information about tasks in the
queue (typically builds waiting to start). This included information about
tasks that the current user otherwise has no access to, e.g. due to lack of
Job/Read permission.
External References:
https://jenkins.io/security/advisory/2017-10-11/
[Bug 1501816] New: jenkins: "Computer" remote API disclosed information about inaccessible jobs (SECURITY-611)
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1501816
Bug ID: 1501816
Summary: jenkins: "Computer" remote API disclosed information
about inaccessible jobs (SECURITY-611)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: amaris(a)redhat.com
CC: bleanhar(a)redhat.com, ccoleman(a)redhat.com,
dedgar(a)redhat.com, dmcphers(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jgoulding(a)redhat.com, jkeck(a)redhat.com,
kseifried(a)redhat.com, mizdebsk(a)redhat.com,
msrb(a)redhat.com
The remote API at /computer/(agent-name)/api showed information about tasks
(typically builds) currently running on that agent. This included information
about tasks that the current user otherwise has no access to, e.g. due to lack
of Job/Read permission.
External References:
https://jenkins.io/security/advisory/2017-10-11/
[Bug 1501814] New: jenkins: "User" remote API disclosed users' email addresses (SECURITY-514)
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1501814
Bug ID: 1501814
Summary: jenkins: "User" remote API disclosed users' email
addresses (SECURITY-514)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: amaris(a)redhat.com
CC: bleanhar(a)redhat.com, ccoleman(a)redhat.com,
dedgar(a)redhat.com, dmcphers(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jgoulding(a)redhat.com, jkeck(a)redhat.com,
kseifried(a)redhat.com, mizdebsk(a)redhat.com,
msrb(a)redhat.com
Information about Jenkins user accounts is generally available to anyone with
Overall/Read permissions via the /user/(username)/api remote API. This included
e.g. Jenkins users' email addresses if the Mailer Plugin is installed.
External References:
https://jenkins.io/security/advisory/2017-10-11/
[Bug 1501820] New: jenkins: Jenkins core bundled vulnerable version of the commons-httpclient library (SECURITY-555)
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1501820
Bug ID: 1501820
Summary: jenkins: Jenkins core bundled vulnerable version of
the commons-httpclient library (SECURITY-555)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: amaris(a)redhat.com
CC: bleanhar(a)redhat.com, ccoleman(a)redhat.com,
dedgar(a)redhat.com, dmcphers(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jgoulding(a)redhat.com, jkeck(a)redhat.com,
kseifried(a)redhat.com, mizdebsk(a)redhat.com,
msrb(a)redhat.com
Jenkins bundled a version of the commons-httpclient library with the
vulnerability CVE-2012-6153 that incorrectly verified SSL certificates, making
it susceptible to man-in-the-middle attacks.
External References:
https://jenkins.io/security/advisory/2017-10-11/
[Bug 1501818] New: jenkins: "Job" remote API disclosed information about inaccessible upstream/ downstream jobs (SECURITY-617)
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1501818
Bug ID: 1501818
Summary: jenkins: "Job" remote API disclosed information about
inaccessible upstream/downstream jobs (SECURITY-617)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: amaris(a)redhat.com
CC: bleanhar(a)redhat.com, ccoleman(a)redhat.com,
dedgar(a)redhat.com, dmcphers(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jgoulding(a)redhat.com, jkeck(a)redhat.com,
kseifried(a)redhat.com, mizdebsk(a)redhat.com,
msrb(a)redhat.com
The remote API at /job/(job-name)/api contained information about upstream and
downstream projects. This included information about tasks that the current
user otherwise has no access to, e.g. due to lack of Job/Read permission.
External References:
https://jenkins.io/security/advisory/2017-10-11/
[Bug 1434338] New: CVE-2017-2651 jenkins-mailer-plugin: Emails were sent to addresses not associated with actual users of Jenkins by Mailer Plugin
by bugzilla@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1434338
Bug ID: 1434338
Summary: CVE-2017-2651 jenkins-mailer-plugin: Emails were sent
to addresses not associated with actual users of
Jenkins by Mailer Plugin
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: amaris(a)redhat.com
CC: bleanhar(a)redhat.com, ccoleman(a)redhat.com,
dedgar(a)redhat.com, dmcphers(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jgoulding(a)redhat.com, jkeck(a)redhat.com,
joelsmith(a)redhat.com, kseifried(a)redhat.com,
mizdebsk(a)redhat.com, msimacek(a)redhat.com,
msrb(a)redhat.com, tdawson(a)redhat.com
The Mailer and Email Extension Plugins are able to send emails to a dynamically
created list of users based on the changelogs, like authors of SCM changes
since the last successful build.
This could in some cases result in emails being sent to people who have no user
account in Jenkins, and in rare cases even people who were not involved in
whatever project was being built, due to some mapping based on the local-part
of email addresses.
Affected versions: up to and including version 1.19
External Reference:
https://jenkins.io/security/advisory/2017-03-20/