Bug 799779 (CVE-2021-21670, CVE-2021-21671)

Summary:	<dev-util/jenkins-bin-{2.289.1,2.300}: multiple vulnerabilities (CVE-2021-{21670,21671})
Product:	Gentoo Security	Reporter:	John Helmert III <ajak>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	trivial	CC:	graaff, patrick
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
Whiteboard:	~3 [noglsa]
Package list:		Runtime testing required:	---

Description John Helmert III archtester

2021-07-01 23:04:04 UTC

CVE-2021-21670:

Jenkins 2.299 and earlier, LTS 2.289.1 and earlier allows users to cancel queue items and abort builds of jobs for which they have Item/Cancel permission even when they do not have Item/Read permission.

CVE-2021-21671:

Jenkins 2.299 and earlier, LTS 2.289.1 and earlier does not invalidate the previous session on login.


Please bump.

Comment 1 John Helmert III archtester

2021-07-01 23:05:48 UTC

No, sorry! Please cleanup

Comment 2 Larry the Git Cow gentoo-dev

2021-07-07 08:31:07 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5b75d8eed752aa6eab438f3422f8a3a2ac3e46cb

commit 5b75d8eed752aa6eab438f3422f8a3a2ac3e46cb
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2021-07-07 08:15:48 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2021-07-07 08:31:02 +0000

    dev-util/jenkins-bin: cleanup of vulnerable versions
    
    Bug: https://bugs.gentoo.org/799779
    Package-Manager: Portage-3.0.20, Repoman-3.0.2
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 dev-util/jenkins-bin/Manifest                      |  2 -
 dev-util/jenkins-bin/jenkins-bin-2.289.1-r1.ebuild | 45 ----------------------
 dev-util/jenkins-bin/jenkins-bin-2.297-r1.ebuild   | 45 ----------------------
 3 files changed, 92 deletions(-)

Comment 3 John Helmert III archtester

2021-07-08 00:32:09 UTC

Thanks!