Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 916038

Summary: <dev-util/jenkins-bin-{2.414.3,2.428}: HTTP/2 denial of service vulnerabilities in bundled Jetty
Product: Gentoo Security Reporter: Tomáš Mózes <hydrapolic>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: trivial CC: graaff, patrick
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 915553    

Description Tomáš Mózes 2023-10-20 05:40:06 UTC 
What's new in 2.414.3 (2023-10-18)
  Important security fix.

https://www.jenkins.io/security/advisory/2023-10-18/

Descriptions
HTTP/2 denial of service vulnerabilities in bundled Jetty
SECURITY-3291 / CVE-2023-36478, CVE-2023-44487
Severity (CVSS): High
Description:

Jenkins bundles Winstone-Jetty, a wrapper around Jetty, to act as HTTP and servlet server when started using java -jar jenkins.war. This is how Jenkins is run when using any of the installers or packages, but not when run using servlet containers such as Tomcat.

Jenkins 2.427 and earlier, LTS 2.414.2 and earlier bundles versions of Jetty affected by the security vulnerabilities CVE-2023-36478 and CVE-2023-44487. These vulnerabilities allow unauthenticated attackers to cause a denial of service.
	This only affects instances that enable HTTP/2, typically using the --http2Port argument to java -jar jenkins.war or corresponding options in service configuration files. It is disabled by default in all native installers and the Docker images provided by the Jenkins project.

Jenkins 2.428, LTS 2.414.3 updates the bundled Jetty to version 10.0.17, which is unaffected by these issues.

Administrators unable to update to these releases of Jenkins (or newer) are advised to disable HTTP/2.
Comment 1 Tomáš Mózes 2023-10-20 05:40:44 UTC 
Just updated to 2.414.3 from the previous ebuild, works fine.
Comment 2 Larry the Git Cow gentoo-dev 2023-10-20 05:48:18 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ac3c9451f421d4f824ae7d5b755397c88e90c8a6

commit ac3c9451f421d4f824ae7d5b755397c88e90c8a6
Author:     Hans de Graaff <graaff@gentoo.org>
AuthorDate: 2023-10-20 05:47:46 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-10-20 05:47:58 +0000

    dev-util/jenkins-bin: add 2.414.3, 2.428
    
    Bug: https://bugs.gentoo.org/916038
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 dev-util/jenkins-bin/Manifest                   |  2 ++
 dev-util/jenkins-bin/jenkins-bin-2.414.3.ebuild | 45 +++++++++++++++++++++++++
 dev-util/jenkins-bin/jenkins-bin-2.428.ebuild   | 45 +++++++++++++++++++++++++
 3 files changed, 92 insertions(+)