jenkins: multiple security vulnerabilities

Related Vulnerabilities: CVE-2013-2034   CVE-2013-2033   CVE-2013-1808  

Debian Bug report logs - #706725


Package: jenkins; Maintainer for jenkins is (unknown);

Reported by: Nobuhiro Ban <ban.nobuhiro@gmail.com>

Date: Fri, 3 May 2013 18:57:02 UTC

Severity: grave

Tags: security

Found in version jenkins/1.447.2+dfsg-3

Fixed in version jenkins/1.509.2+dfsg-1

Done: James Page <james.page@ubuntu.com>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>:
Bug#706725; Package jenkins. (Fri, 03 May 2013 18:57:06 GMT)


Acknowledgement sent to Nobuhiro Ban <ban.nobuhiro@gmail.com>:
New Bug report received and forwarded. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>.

Your message had a Version: pseudo-header with an invalid package version:

1.447.2+dfsg-3, 1.480.3+dfsg-1~exp2

please either use found or fixed to the control server with a correct version, or reply to this report indicating the correct version so the maintainer (or someone else) can correct it for you.

(Fri, 03 May 2013 18:57:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Nobuhiro Ban <ban.nobuhiro@gmail.com>
To: submit@bugs.debian.org
Subject: jenkins: multiple security vulnerabilities
Date: Sat, 4 May 2013 03:52:19 +0900
Package: jenkins
Version: 1.447.2+dfsg-3, 1.480.3+dfsg-1~exp2
Severity: grave
Tags: security

Dear Maintainer,

The upstream vendor announced a security advisory.
In this advisory, one vulnerability is rated critical severity,
two are high and one is medium.

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-05-02
>SECURITY-63 / CVE-2013-2034
>SECURITY-67 / CVE-2013-2033
>SECURITY-69 / CVE-2013-2034
>SECURITY-71 / CVE-2013-1808

Regards,
Nobuhiro

Marked as found in versions jenkins/1.447.2+dfsg-3. Request was from Nobuhiro Ban <ban.nobuhiro@gmail.com> to control@bugs.debian.org. (Fri, 03 May 2013 19:09:04 GMT)


Reply sent to James Page <james.page@ubuntu.com>:
You have taken responsibility. (Tue, 13 Aug 2013 12:51:35 GMT)


Notification sent to Nobuhiro Ban <ban.nobuhiro@gmail.com>:
Bug acknowledged by developer. (Tue, 13 Aug 2013 12:51:35 GMT)


Message #12 received at 706725-close@bugs.debian.org:

From: James Page <james.page@ubuntu.com>
To: 706725-close@bugs.debian.org
Subject: Bug#706725: fixed in jenkins 1.509.2+dfsg-1
Date: Tue, 13 Aug 2013 12:49:04 +0000
Source: jenkins
Source-Version: 1.509.2+dfsg-1

We believe that the bug you reported is fixed in the latest version of
jenkins, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 706725@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
James Page <james.page@ubuntu.com> (supplier of updated jenkins package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 13 Aug 2013 12:35:19 +0100
Source: jenkins
Binary: libjenkins-java libjenkins-plugin-parent-java jenkins-common jenkins jenkins-slave jenkins-external-job-monitor jenkins-cli jenkins-tomcat
Architecture: source all
Version: 1.509.2+dfsg-1
Distribution: unstable
Urgency: low
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: James Page <james.page@ubuntu.com>
Description: 
 jenkins    - Continuous Integration and Job Scheduling Server
 jenkins-cli - Jenkins CI Command Line Interface
 jenkins-common - Jenkins common Java components and web application
 jenkins-external-job-monitor - Jenkins CI external job monitoring
 jenkins-slave - Jenkins slave node helper
 jenkins-tomcat - Jenkins CI on Tomcat 6
 libjenkins-java - Jenkins CI core Java libraries
 libjenkins-plugin-parent-java - Jenkins Plugin Parent Maven POM
Closes: 701163 704848 706725
Changes: 
 jenkins (1.509.2+dfsg-1) unstable; urgency=low
 .
   * New upstream release (Closes: #706725):
     - d/control: Update versioned BD's:
       * jenkins-executable-war >= 1.28.
       * jenkins-instance-identity >= 1.3.
       * libjenkins-remoting-java >= 2.23.
       * libjenkins-winstone-java >= 0.9.10-jenkins-44.
       * libstapler-java >= 1.207.
       * libjenkins-json-java >= 2.4-jenkins-1.
       * libstapler-adjunct-timeline-java >= 1.4.
       * libstapler-adjunct-codemirror-java >= 1.2.
       * libmaven-hpi-plugin-java >= 1.93.
       * libjenkins-xstream-java >= 1.4.4-jenkins-3.
     - d/maven.rules: Map to older version of animal-sniffer-maven-plugin.
     - Add patch for compatibility with guava >= 0.14.
     - Add patch to exclude asm4 dependency via jnr-posix.
     - Fixes the following security vulnerabilities:
       CVE-2013-2034, CVE-2013-2033, CVE-2013-2034, CVE-2013-1808
   * d/patches/*: Switch to using git patch-queue for managing patches.
   * De-duplicate jars between libjenkins-java and jenkins-external-job-monitor
     (Closes: #701163):
     - d/control: Add dependency between jenkins-external-job-monitor ->
       libjenkins-java.
     - d/rules:
       Drop installation of jenkins-core in jenkins-external-job-monitor.
     - d/jenkins-external-job-monitor.{links,install}: Link to jenkins-core
       in /usr/share/java instead of included version.
   * Wait longer for jenkins to stop during restarts (Closes: #704848):
     - d/jenkins.init: Re-sync init script from upstream codebase.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 11 Sep 2013 07:28:29 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:53:58 2019; Machine Name: beach
