Bug 780849 (CVE-2021-21639, CVE-2021-21640) - <dev-util/jenkins-bin-{2.277.2,2.287}: multiple vulnerabilities
Summary: <dev-util/jenkins-bin-{2.277.2,2.287}: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2021-21639, CVE-2021-21640
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://www.jenkins.io/security/advis...
Whiteboard: ~4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2021-04-07 14:25 UTC by John Helmert III
Modified: 2021-04-07 15:06 UTC

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III 2021-04-07 14:25:31 UTC
CVE-2021-21639:

Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not validate the type of object created after loading the data submitted to the config.xml REST API endpoint of a node.

This allows attackers with Computer/Configure permission to replace a node with one of a different type.

CVE-2021-21640:

Jenkins 2.286 and earlier, LTS 2.277.1 and earlier does not properly check that a newly created view has an allowed name. When a form to create a view is submitted, the name is included twice in the submission. One instance is validated, but the other instance is used to create the value.

This allows attackers with View/Create permission to create views with invalid or already-used names.


Fixed in 2.287 and 2.277.2. Please bump.
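The CVE-2021-21640 pattern described above, as an added example that is not Jenkins' code and not part of this bug: a hypothetical view-creation handler in which the name arrives twice (a plain field and a copy inside a JSON-encoded body), the vulnerable version validates one copy but creates the view from the other, and the fixed version validates the value it actually uses. The field names, the JSON layout and the name rules are assumptions.

```python
import json
import re
from typing import Optional

# Constructed sample of views already present on the server.
EXISTING_VIEWS = {"All", "Builds"}
# Assumed naming rule: a word character first, then word characters, spaces or dashes.
VALID_NAME = re.compile(r"^[\w][\w \-]*$")


def check_name(name: str, existing: set) -> Optional[str]:
    """Return an error message, or None when the name is acceptable."""
    if not VALID_NAME.match(name or ""):
        return "invalid name"
    if name in existing:
        return "name already in use"
    return None


def create_view_vulnerable(form: dict, existing: set) -> str:
    """Hypothetical handler mirroring the CVE-2021-21640 pattern: the plain
    'name' field is validated, but the view is created from the second copy
    inside the JSON body, which is never checked."""
    err = check_name(form.get("name", ""), existing)
    if err:
        raise ValueError(err)
    submitted = json.loads(form["json"])
    existing.add(submitted["name"])
    return submitted["name"]


def create_view_fixed(form: dict, existing: set) -> str:
    """Validate the value that is actually used, and refuse mismatched copies."""
    submitted = json.loads(form["json"])
    used = submitted.get("name", "")
    if used != form.get("name"):
        raise ValueError("inconsistent name in submission")
    err = check_name(used, existing)
    if err:
        raise ValueError(err)
    existing.add(used)
    return used


def demo():
    """Constructed submission: the validated copy is clean, the used copy
    collides with an existing view. Returns (name created by the vulnerable
    handler, whether the fixed handler rejected the same submission)."""
    form = {"name": "Nightly", "json": json.dumps({"name": "All"})}
    created = create_view_vulnerable(form, set(EXISTING_VIEWS))
    try:
        create_view_fixed(form, set(EXISTING_VIEWS))
        blocked = False
    except ValueError:
        blocked = True
    return created, blocked
```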
Comment 1 Larry the Git Cow 2021-04-07 14:58:56 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=da3f1fd43545c71118efda7cd29165e86cc9c2a1

commit da3f1fd43545c71118efda7cd29165e86cc9c2a1
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2021-04-07 14:58:13 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2021-04-07 14:58:13 +0000

    dev-util/jenkins-bin: security cleanup
    
    Bug: https://bugs.gentoo.org/780849
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-util/jenkins-bin/Manifest                      |  5 ---
 .../{jenkins-bin.init2 => jenkins-bin-r2.init}     |  0
 ...jenkins-bin.service2 => jenkins-bin-r2.service} |  0
 dev-util/jenkins-bin/files/jenkins-bin.service     | 10 -----
 dev-util/jenkins-bin/jenkins-bin-2.263.3-r1.ebuild | 45 ----------------------
 dev-util/jenkins-bin/jenkins-bin-2.263.4.ebuild    | 45 ----------------------
 dev-util/jenkins-bin/jenkins-bin-2.277.1.ebuild    | 45 ----------------------
 dev-util/jenkins-bin/jenkins-bin-2.277.2.ebuild    |  4 +-
 dev-util/jenkins-bin/jenkins-bin-2.280.ebuild      | 45 ----------------------
 dev-util/jenkins-bin/jenkins-bin-2.283.ebuild      | 45 ----------------------
 dev-util/jenkins-bin/jenkins-bin-2.287.ebuild      |  4 +-
 11 files changed, 4 insertions(+), 244 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f6074154e24b18e34ee4aa32bdc7770199e1782c

commit f6074154e24b18e34ee4aa32bdc7770199e1782c
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2021-04-07 14:54:31 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2021-04-07 14:54:31 +0000

    dev-util/jenkins-bin: bump to v2.287
    
    Bug: https://bugs.gentoo.org/780849
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-util/jenkins-bin/Manifest                 |  1 +
 dev-util/jenkins-bin/jenkins-bin-2.287.ebuild | 45 +++++++++++++++++++++++++++
 2 files changed, 46 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=aa7dbf87b6ec60aa3f584fb8c1709b59865128b8

commit aa7dbf87b6ec60aa3f584fb8c1709b59865128b8
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2021-04-07 14:52:45 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2021-04-07 14:52:45 +0000

    dev-util/jenkins-bin: bump to v2.277.2
    
    Bug: https://bugs.gentoo.org/780849
    Package-Manager: Portage-3.0.18, Repoman-3.0.3
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-util/jenkins-bin/Manifest                   |  1 +
 dev-util/jenkins-bin/jenkins-bin-2.277.2.ebuild | 45 +++++++++++++++++++++++++
 2 files changed, 46 insertions(+)
Comment 2 John Helmert III 2021-04-07 15:06:02 UTC
Well that was easy. Thanks Whissi :)