jenkins: multiple security vulnerabilities

Debian Bug report logs - #763899


Package: jenkins; Maintainer for jenkins is (unknown).

Reported by: Nobuhiro Ban <ban.nobuhiro@gmail.com>

Date: Fri, 3 Oct 2014 15:03:02 UTC

Severity: grave

Tags: security

Found in version jenkins/1.565.2-2

Fixed in version jenkins/1.565.3-1

Done: Emmanuel Bourg <ebourg@apache.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#763899; Package jenkins. (Fri, 03 Oct 2014 15:03:06 GMT)


Acknowledgement sent to Nobuhiro Ban <ban.nobuhiro@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>. (Fri, 03 Oct 2014 15:03:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Nobuhiro Ban <ban.nobuhiro@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: jenkins: multiple security vulnerabilities
Date: Sat, 4 Oct 2014 00:01:37 +0900
Package: jenkins
Version: 1.565.2-2
Severity: grave
Tags: security

Dear Maintainer,

The upstream vendor announced a security advisory.
In this advisory, some vulnerabilities are rated at critical severity.

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-01
> SECURITY-87/CVE-2014-3661 (anonymous DoS attack through CLI handshake)
> SECURITY-110/CVE-2014-3662 (User name discovery)
> SECURITY-127&128/CVE-2014-3663 (privilege escalation in job configuration permission)
> SECURITY-131/CVE-2014-3664 (directory traversal attack)
> SECURITY-138/CVE-2014-3680 (Password exposure in DOM)
> SECURITY-143/CVE-2014-3681 (XSS vulnerability in Jenkins core)
> SECURITY-150/CVE-2014-3666 (remote code execution from CLI)
> SECURITY-155/CVE-2014-3667 (exposure of plugin code)
> SECURITY-159/CVE-2013-2186 (arbitrary file system write)
> SECURITY-149/CVE-2014-1869 (XSS vulnerabilities in ZeroClipboard)

(SECURITY-113 is not about Jenkins core.)


Regards,
Nobuhiro



Reply sent to Emmanuel Bourg <ebourg@apache.org>:
You have taken responsibility. (Fri, 03 Oct 2014 15:51:13 GMT)


Notification sent to Nobuhiro Ban <ban.nobuhiro@gmail.com>:
Bug acknowledged by developer. (Fri, 03 Oct 2014 15:51:13 GMT)


Message #10 received at 763899-close@bugs.debian.org:

From: Emmanuel Bourg <ebourg@apache.org>
To: 763899-close@bugs.debian.org
Subject: Bug#763899: fixed in jenkins 1.565.3-1
Date: Fri, 03 Oct 2014 15:49:44 +0000
Source: jenkins
Source-Version: 1.565.3-1

We believe that the bug you reported is fixed in the latest version of
jenkins, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 763899@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebourg@apache.org> (supplier of updated jenkins package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Fri, 03 Oct 2014 17:19:29 +0200
Source: jenkins
Binary: libjenkins-java libjenkins-plugin-parent-java jenkins-common jenkins jenkins-slave jenkins-external-job-monitor jenkins-cli jenkins-tomcat
Architecture: source all
Version: 1.565.3-1
Distribution: unstable
Urgency: high
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description:
 jenkins    - Continuous Integration and Job Scheduling Server
 jenkins-cli - Jenkins CI Command Line Interface
 jenkins-common - Jenkins common Java components and web application
 jenkins-external-job-monitor - Jenkins CI external job monitoring
 jenkins-slave - Jenkins slave node helper
 jenkins-tomcat - Jenkins CI on Tomcat 8
 libjenkins-java - Jenkins CI core Java libraries
 libjenkins-plugin-parent-java - Jenkins Plugin Parent Maven POM
Closes: 763899
Changes:
 jenkins (1.565.3-1) unstable; urgency=high
 .
   * Team upload.
   * New upstream release
     - Fixes multiple security vulnerabilities (Closes: #763899)
     - Refreshed the patches
     - Removed 0018-fileupload-compat.patch (applied upstream)
   * Fixed debian/orig-tar.sh





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 03 Nov 2014 08:01:50 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:30:30 2019; Machine Name: buxtehude
