Message-Id: <A2C87D38-1E04-47A1-93FE-8FB4770AEA89@beckweb.net>
Date: Wed, 15 Aug 2018 17:10:32 +0200
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Multiple vulnerabilities in Jenkins

Jenkins is an open source automation server which enables developers around the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

* Jenkins weekly 2.138
* Jenkins LTS 2.121.3

Summaries of the vulnerabilities are below. More details, severity, and attribution can be found here:
https://jenkins.io/security/advisory/2018-08-15/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as described here:
https://jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-637

Jenkins allowed deserialization of URL objects via Remoting (agent communication) and XStream. This could in rare cases be used by attackers to have Jenkins look up specified hosts' DNS records.

SECURITY-672

When attempting to authenticate using API token, an ephemeral user record was created to validate the token in case an external security realm was used, and the user record in Jenkins not previously saved, as (legacy) API tokens could exist without a persisted user record. This behavior could be abused to create a large number of ephemeral user records in memory.

SECURITY-790

The form validation for cron expressions (e.g. "Poll SCM", "Build periodically") could enter infinite loops when cron expressions only matching certain rare dates were entered, blocking request handling threads indefinitely.

SECURITY-996

The "Remember me" feature can be disabled in the Jenkins security configuration. This did not disable the processing of previously set "Remember me" cookies, so they still allowed users to be logged in.

SECURITY-1071

Users with Overall/Read permission were able to access the URL serving agent logs on the UI due to a lack of permission checks.

SECURITY-1076

Users with Overall/Read permission were able to access the URL used to cancel scheduled restart jobs initiated via the update center ("Restart Jenkins when installation is complete and no jobs are running") due to a lack of permission checks.
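The SECURITY-790 failure mode above (a "find the next matching time" loop that never terminates for an expression such as "0 0 31 2 *", because no such date exists) is easiest to see with a bounded search. The following is an added illustration, not Jenkins' own scheduler or form-validation code; it assumes a simplified five-field cron syntax (minute, hour, day-of-month, month, day-of-week, without Jenkins' "H" extension) and returns None instead of spinning when nothing matches inside the window.

```python
from datetime import datetime, timedelta


def _field(spec, lo, hi):
    """Expand one cron field ('*', '5', '1,15', '1-5', '*/10') into a set of ints."""
    vals = set()
    for part in spec.split(","):
        part, _, step = part.partition("/")
        step = int(step) if step else 1
        if part == "*":
            a, b = lo, hi
        elif "-" in part:
            a, b = (int(x) for x in part.split("-"))
        else:
            a = b = int(part)
        vals.update(range(a, b + 1, step))
    return vals


def next_match(expr, start, max_days=366 * 4):
    """Return the first datetime >= start that matches expr, or None if no
    day in the next max_days (default: about four years) can ever match.

    The bound is the whole point: an expression that only matches dates
    which never occur (Feb 31) or occur rarely (Feb 29) must not be allowed
    to drive an unbounded search on a request-handling thread.
    """
    minute, hour, dom, month, dow = expr.split()
    mins, hours = sorted(_field(minute, 0, 59)), sorted(_field(hour, 0, 23))
    doms, months = _field(dom, 1, 31), _field(month, 1, 12)
    dows = _field(dow, 0, 6)  # cron convention: 0 = Sunday ... 6 = Saturday
    start = start.replace(second=0, microsecond=0)
    day = start.replace(hour=0, minute=0)
    # Walk day by day (cheap) and only expand hours/minutes on candidate days.
    for _ in range(max_days):
        cron_dow = (day.weekday() + 1) % 7  # Python: Monday=0 -> cron: Sunday=0
        if day.day in doms and day.month in months and cron_dow in dows:
            for h in hours:
                for m in mins:
                    t = day.replace(hour=h, minute=m)
                    if t >= start:
                        return t
        day += timedelta(days=1)
    return None  # nothing reachable within the window: reject, do not loop
```

Validation code built on this idea can reject an expression whose next match is None, while still accepting legitimately rare schedules such as every 29th of February.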