
Bug 685856 (CVE-2019-1003049, CVE-2019-1003050)

Summary: <dev-util/jenkins-bin-{2.164.2,2.172}: multiple vulnerabilities (CVE-2019-{1003049,1003050})
Product: Gentoo Security
Reporter: GLSAMaker/CVETool Bot <glsamaker>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: graaff, patrick
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://jenkins.io/security/advisory/2019-04-10/
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---

Description GLSAMaker/CVETool Bot gentoo-dev 2019-05-13 15:18:45 UTC
CVE-2019-1003049 (https://nvd.nist.gov/vuln/detail/CVE-2019-1003049):
  Users who cached their CLI authentication before Jenkins was updated to
  2.150.2 and newer, or 2.160 and newer, would remain authenticated in Jenkins
  2.171 and earlier and Jenkins LTS 2.164.1 and earlier, because the fix for
  CVE-2019-1003004 in these releases did not reject existing remoting-based
  CLI authentication caches.

CVE-2019-1003050 (https://nvd.nist.gov/vuln/detail/CVE-2019-1003050):
  The f:validateButton form control for the Jenkins UI did not properly escape
  job URLs in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier,
  resulting in a cross-site scripting (XSS) vulnerability exploitable by users
  with the ability to control job names.
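The class of bug behind CVE-2019-1003050 (a job URL derived from a user-chosen job name interpolated into a form control without escaping) is easy to reproduce in miniature. The following is an added illustration written for this page, not Jenkins code and not the f:validateButton implementation: the renderers, attribute name `data-url` and the sample job name are all constructed for the example. It places a vulnerable renderer beside a hardened one that percent-encodes the job name as a single URL path segment and then HTML-escapes the URL before it enters the attribute, and shows that the hardened encoding round-trips without losing the job name.

```python
"""Illustrative rendering of a form control whose URL is built from a
user-controlled job name. Added example modelled on the description of
CVE-2019-1003050; the function names and markup are hypothetical, not
taken from Jenkins."""
import html
from urllib.parse import quote, unquote

# Constructed sample input: a job name that a user with job-creation rights
# could choose. The double quote closes the attribute; the rest injects markup.
MALICIOUS_JOB_NAME = 'build"><script>alert(1)</script><a href="'
BENIGN_JOB_NAME = 'nightly build #2'


def job_url(job_name: str) -> str:
    """Job URL as a naive template might compute it, with no encoding at all."""
    return f"/job/{job_name}/"


def render_vulnerable(job_name: str) -> str:
    """Hypothetical vulnerable control: the raw job URL goes straight into an
    HTML attribute, so a quote in the job name breaks out of the attribute."""
    return (
        '<input type="button" class="validate-button" value="Validate" '
        f'data-url="{job_url(job_name)}">'
    )


def render_hardened(job_name: str) -> str:
    """Hardened control. Two independent encodings, one per context:
    1. quote(..., safe='') percent-encodes the job name as a single path
       segment, so '/', '"', '<' cannot change the URL's structure;
    2. html.escape(..., quote=True) escapes &, <, >, " and ' so the URL
       cannot terminate the attribute it is placed in."""
    url = f"/job/{quote(job_name, safe='')}/"
    return (
        '<input type="button" class="validate-button" value="Validate" '
        f'data-url="{html.escape(url, quote=True)}">'
    )


def attribute_broken_out(markup: str) -> bool:
    """Crude detector: a correctly rendered single control contains exactly
    one '<'. Any additional '<' means the job name opened a new tag."""
    return markup.count("<") > 1


def extract_job_name(markup: str) -> str:
    """Reverse the hardened encoding the way a browser and server would:
    HTML-decode the attribute value, then percent-decode the path segment.
    A successful round trip shows the encoding loses no information."""
    start = markup.index('data-url="') + len('data-url="')
    end = markup.index('"', start)
    url = html.unescape(markup[start:end])
    if not (url.startswith("/job/") and url.endswith("/")):
        raise ValueError(f"unexpected job URL shape: {url!r}")
    return unquote(url[len("/job/"):-1])


if __name__ == "__main__":
    for name in (BENIGN_JOB_NAME, MALICIOUS_JOB_NAME):
        print("vulnerable:", render_vulnerable(name))
        print("hardened:  ", render_hardened(name))
        print("broke out of attribute:", attribute_broken_out(render_vulnerable(name)))
```

The point of the two-step encoding is that each step protects one parser: URL encoding keeps the job name inside its path segment, HTML escaping keeps the URL inside its attribute. Applying only one of them leaves the other parser exposed, which is why a fix for this bug class has to be made at the template layer rather than by filtering job names.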
Comment 1 Larry the Git Cow gentoo-dev 2019-05-13 15:25:16 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6edb9edc8710c54385235cc7e85e3f3105c998c2

commit 6edb9edc8710c54385235cc7e85e3f3105c998c2
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-05-13 15:24:36 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-05-13 15:25:08 +0000

    dev-util/jenkins-bin: security cleanup
    
    Bug: https://bugs.gentoo.org/685856
    Package-Manager: Portage-2.3.66, Repoman-2.3.12
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-util/jenkins-bin/Manifest                   |  4 ---
 dev-util/jenkins-bin/jenkins-bin-2.164.1.ebuild | 46 -------------------------
 dev-util/jenkins-bin/jenkins-bin-2.164.2.ebuild | 46 -------------------------
 dev-util/jenkins-bin/jenkins-bin-2.167.ebuild   | 46 -------------------------
 dev-util/jenkins-bin/jenkins-bin-2.172.ebuild   | 46 -------------------------
 5 files changed, 188 deletions(-)
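Review bot: the diffstat removes jenkins-bin-2.164.2.ebuild and jenkins-bin-2.172.ebuild, the versions the bug summary names as the first fixed ones (the vulnerable ranges are <2.164.2 and <2.172), together with the vulnerable 2.164.1 and 2.167 ebuilds, and adds nothing, so the cleanup is only complete if newer fixed ebuilds are already in the tree, which this commit does not show. The commit message "security cleanup" would be easier to audit if it named the versions that remain.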
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2019-05-13 15:25:42 UTC
Repository is clean, all done.