
Bug 832991 (CVE-2022-0538)

Summary: dev-util/jenkins-bin: unconstrained resource usage leading to DoS (CVE-2022-0538)
Product: Gentoo Security
Reporter: filip ambroz <filip.ambroz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: graaff, patrick
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: https://www.jenkins.io/security/advisory/2022-02-09/#SECURITY-2602
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---

Description filip ambroz 2022-02-09 15:53:25 UTC
Jenkins 2.333 and earlier, LTS 2.319.2 and earlier are affected by the XStream library's vulnerability CVE-2021-43859. This library is used by Jenkins to serialize and deserialize various XML files, like global and job config.xml, build.xml, and numerous others. This allows attackers able to submit crafted XML files to Jenkins to be parsed as configuration, e.g. through the POST config.xml API, to cause a denial of service (DoS).

Affected Versions:
Jenkins weekly up to and including 2.333
Jenkins LTS up to and including 2.319.2

Fixed in:
Jenkins weekly should be updated to version 2.334
Jenkins LTS should be updated to version 2.319.3

URLs:
https://www.jenkins.io/security/advisory/2022-02-09/#SECURITY-2602
https://seclists.org/oss-sec/2022/q1/128
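An added fleet-triage helper, not part of this report or of any Jenkins or Gentoo tooling, that classifies Jenkins version strings against the affected and fixed versions stated above. It assumes the Jenkins numbering convention that LTS releases carry three numeric components (2.319.2) and weekly releases two (2.333); the inventory rows are constructed.

```python
"""Triage Jenkins instances against SECURITY-2602 / CVE-2022-0538 (added example).

Assumption: LTS versions look like X.Y.Z, weekly versions like X.Y. The two
release lines are compared separately, because a weekly 2.320 is older than
weekly 2.334 even though it "looks" newer than LTS 2.319.3.
"""
from typing import List, Tuple

# Last affected and first fixed versions, as stated in the advisory.
WEEKLY_LAST_AFFECTED = (2, 333)
LTS_LAST_AFFECTED = (2, 319, 2)
WEEKLY_FIXED = "2.334"
LTS_FIXED = "2.319.3"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.319.2' into (2, 319, 2); reject anything non-numeric."""
    parts = version.strip().split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jenkins version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_lts(version: str) -> bool:
    """Three components means LTS line (assumed convention, see docstring)."""
    return len(parse_version(version)) == 3


def is_affected(version: str) -> bool:
    """True if this version falls inside the affected range of its own line."""
    v = parse_version(version)
    last_affected = LTS_LAST_AFFECTED if len(v) == 3 else WEEKLY_LAST_AFFECTED
    return v <= last_affected  # tuple comparison is component-wise


def remediation(version: str) -> str:
    """Name the fixed version a given instance should move to."""
    if not is_affected(version):
        return "not affected"
    return f"update to {LTS_FIXED if is_lts(version) else WEEKLY_FIXED}"


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Map (host, version) rows to (host, version, remediation)."""
    return [(host, ver, remediation(ver)) for host, ver in inventory]


if __name__ == "__main__":
    # Constructed inventory: one host per interesting boundary case.
    sample = [("ci-01", "2.319.2"), ("ci-02", "2.319.3"),
              ("ci-03", "2.320"), ("ci-04", "2.334")]
    for row in triage(sample):
        print(*row)
```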
Comment 1 Larry the Git Cow gentoo-dev 2022-02-09 16:02:55 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9357669bbfba8bd5aa643b98a563996af6ed9846

commit 9357669bbfba8bd5aa643b98a563996af6ed9846
Author:     Patrick Lauer <patrick@gentoo.org>
AuthorDate: 2022-02-09 16:02:12 +0000
Commit:     Patrick Lauer <patrick@gentoo.org>
CommitDate: 2022-02-09 16:02:52 +0000

    dev-util/jenkins-bin: Bump
    
    Bug: https://bugs.gentoo.org/832991
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Patrick Lauer <patrick@gentoo.org>

 dev-util/jenkins-bin/Manifest                      |  6 +--
 dev-util/jenkins-bin/jenkins-bin-2.319.1.ebuild    | 45 ----------------------
 ...n-2.319.2.ebuild => jenkins-bin-2.319.3.ebuild} |  0
 dev-util/jenkins-bin/jenkins-bin-2.323.ebuild      | 45 ----------------------
 ...s-bin-2.330.ebuild => jenkins-bin-2.334.ebuild} |  0
 5 files changed, 2 insertions(+), 94 deletions(-)
Comment 2 filip ambroz 2022-02-09 17:42:24 UTC
That was really quick, thank you!