Bug 544368 (CVE-2015-1812) - <dev-util/jenkins-bin-{1.596.2,1.606}: multiple vulnerabilities (CVE-2015-{1812,1813,1814})
Status: RESOLVED FIXED
Alias: CVE-2015-1812
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://wiki.jenkins-ci.org/display/S...
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-03-24 16:46 UTC by Agostino Sarubbo
Modified: 2015-03-29 12:47 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2015-03-24 16:46:11 UTC
From ${URL} :

SECURITY-171/CVE-2015-1812, SECURITY-177/CVE-2015-1813 (Reflective XSS vulnerability)
An attacker without any access to Jenkins can navigate the user to a carefully crafted URL and have the user execute unintended actions. This vulnerability can be used to attack Jenkins inside firewalls from outside so long as the location of Jenkins is known to the attacker.

SECURITY-180/CVE-2015-1814 (forced API token change)
The part of Jenkins that issues a new API token was not adequately protected against anonymous attackers. This allows an attacker to escalate privileges on Jenkins.

Severity
SECURITY-171/SECURITY-177 is rated high. It is a passive attack, but it can result in a compromise of Jenkins master or loss of data.

SECURITY-180 is rated critical. This attack can be mounted by any unauthenticated user, and it results in a compromise of Jenkins master or loss of data.

Affected Versions
All Jenkins releases <= 1.605
All LTS releases <= 1.596.1
Credit
The Jenkins project would like to thank the following people for finding the vulnerabilities:

Jesse Glick for finding SECURITY-171
Luca Carettoni for finding SECURITY-177
Missoum Said for finding SECURITY-180
Fix
Main line users should upgrade to Jenkins 1.606
LTS users should upgrade to 1.596.2



@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
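The advisory quoted above gives two separate affected ranges, one per release line: mainline ("main line") releases are two-component versions (1.N) and are fixed from 1.606, LTS releases are three-component versions (1.N.M) and are fixed from 1.596.2. The Python below is an added example for this bug, not code from Gentoo, the Jenkins project or anyone in this thread; it applies those two ranges to version strings, keeping the lines apart so that a mainline 1.596 (affected) is not confused with LTS 1.596.2 (fixed). The version strings in the sample inventory are constructed, not real hosts.

```python
"""Classify Jenkins version strings against the ranges in this advisory.

Added example for this bug; not code from Gentoo or the Jenkins project.
Mainline ("main line") releases are two-component versions such as 1.605;
LTS releases carry a third component such as 1.596.1.  The advisory fixes
SECURITY-171/177/180 in 1.606 (mainline) and 1.596.2 (LTS).
"""
import re
from typing import Dict, Iterable, Tuple

# First fixed release on each line, from the advisory's "Fix" section.
FIXED_MAINLINE = (1, 606)    # all mainline releases <= 1.605 are affected
FIXED_LTS = (1, 596, 2)      # all LTS releases <= 1.596.1 are affected

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.605' into (1, 605) and '1.596.1' into (1, 596, 1).

    Raises ValueError for anything that is not a two- or three-component
    numeric Jenkins version (e.g. 'latest' or '1.606-SNAPSHOT'), so a
    malformed string is never silently treated as fixed.
    """
    m = _VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised Jenkins version: {version!r}")
    return tuple(int(part) for part in m.groups() if part is not None)


def is_lts(version: str) -> bool:
    """LTS releases are the three-component versions."""
    return len(parse_version(version)) == 3


def is_affected(version: str) -> bool:
    """True if this release still carries CVE-2015-1812/1813/1814.

    The two release lines are compared separately: a mainline 1.596 is
    affected (<= 1.605) even though LTS 1.596.2 is fixed, and an older
    LTS line such as 1.580.3 is affected because it predates 1.596.2.
    """
    v = parse_version(version)
    if len(v) == 3:
        return v < FIXED_LTS
    return v < FIXED_MAINLINE


def triage(versions: Iterable[str]) -> Dict[str, str]:
    """Map each version string to 'affected', 'fixed' or 'unparseable'."""
    result: Dict[str, str] = {}
    for ver in versions:
        try:
            result[ver] = "affected" if is_affected(ver) else "fixed"
        except ValueError:
            result[ver] = "unparseable"
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = ["1.605", "1.606", "1.596.1", "1.596.2", "1.580.3", "1.596", "latest"]
    for ver, verdict in triage(sample).items():
        if verdict == "unparseable":
            line = "-"
        else:
            line = "LTS" if is_lts(ver) else "mainline"
        print(f"{ver:10} {line:9} {verdict}")
```

Unparseable strings are reported rather than treated as fixed, which matters when an inventory contains tags like "latest"; a silent default-to-safe there would hide exactly the hosts that need a manual look.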
Comment 1 Manuel Rüger (RETIRED) gentoo-dev 2015-03-29 04:48:01 UTC
*jenkins-bin-1.596.2 (29 Mar 2015)
*jenkins-bin-1.606 (29 Mar 2015)

  29 Mar 2015; Manuel Rüger <mrueg@gentoo.org> +jenkins-bin-1.596.2.ebuild,
  +jenkins-bin-1.606.ebuild, -jenkins-bin-1.596.1.ebuild,
  -jenkins-bin-1.605.ebuild:
  Version bump. Remove old.
Comment 2 Agostino Sarubbo gentoo-dev 2015-03-29 12:47:24 UTC
Closing as noglsa.