Bug 607932 (CVE-2017-2598, CVE-2017-2599, CVE-2017-2600, CVE-2017-2601, CVE-2017-2602, CVE-2017-2603, CVE-2017-2604, CVE-2017-2605, CVE-2017-2606, CVE-2017-2607, CVE-2017-2608, CVE-2017-2609, CVE-2017-2610, CVE-2017-2611, CVE-2017-2612, CVE-2017-2613) - <dev-util/jenkins-bin-{2.32.2,2.45}: multiple vulnerabilities
Summary: <dev-util/jenkins-bin-{2.32.2,2.45}: multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-2598, CVE-2017-2599, CVE-2017-2600, CVE-2017-2601, CVE-2017-2602, CVE-2017-2603, CVE-2017-2604, CVE-2017-2605, CVE-2017-2606, CVE-2017-2607, CVE-2017-2608, CVE-2017-2609, CVE-2017-2610, CVE-2017-2611, CVE-2017-2612, CVE-2017-2613
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://wiki.jenkins-ci.org/display/S...
Whiteboard: ~1 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-02-01 19:18 UTC by Oleg Korsak
Modified: 2017-03-25 08:52 UTC
CC: 4 users

See Also:
Package list:
Runtime testing required: ---
Comment 1 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-01 21:59:08 UTC
The Jenkins project published updates today with fixes for multiple 
vulnerabilities. Users should upgrade to the versions below:

* Jenkins (weekly) 2.44
* Jenkins (LTS) 2.32.2

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2017-02-01


SECURITY-304 / CVE-2017-2598
Jenkins stored encrypted secrets on disk using AES ECB block cipher mode 
without IV.

SECURITY-321 / CVE-2017-2599
An insufficient permission check allowed users with the permission to create
new items (e.g. jobs) to overwrite existing items they don't have access to,
and access some of their data.

SECURITY-343 / CVE-2017-2600
Overall/Read permission was sufficient to access node monitor data via the
remote API. These included system configuration and runtime information of
these nodes.

SECURITY-349 / CVE-2011-4969
Possible cross-site scripting vulnerability in jQuery bundled with timeline
widget.

SECURITY-353 / CVE-2017-2601
Users with the permission to configure jobs were able to inject JavaScript
into parameter names and descriptions.

SECURITY-354 / CVE-2015-0886
Jenkins bundled an outdated version of jbcrypt that was affected by
CVE-2015-0886.

SECURITY-358 / CVE-2017-2602
Pipeline metadata files were not blacklisted in the agent-to-master security subsystem.

SECURITY-362 / CVE-2017-2603
Agents that were disconnected by users contained the disconnecting user's 
User object in serialized form in the config.xml remote API output.

SECURITY-371 / CVE-2017-2604
Low privilege users were able to act on some administrative monitors due to
insufficient permission checks.

SECURITY-376 / CVE-2017-2605
The re-key admin monitor was introduced in Jenkins 1.498 and re-encrypted all
secrets in JENKINS_HOME with a new key. It also created a backup directory
with all old secrets, and the key used to encrypt them. These backups were
world-readable and not removed afterwards.

SECURITY-380 / CVE-2017-2606
The method Jenkins#getItems() included a performance optimization that wrongly
returned inaccessible items when the 'Logged in users can do anything'
authorization strategy was used, even when no access was granted to anonymous
users.

SECURITY-382 / CVE-2017-2607
Jenkins users, or users with SCM access, could configure jobs or modify build
scripts such that they print serialized console notes that perform cross-site
scripting attacks on Jenkins users viewing the build logs.

SECURITY-383 / CVE-2017-2608
XStream-based APIs in Jenkins (e.g. /createItem URLs, or POST config.xml
remote API) were vulnerable to a remote code execution vulnerability involving
the deserialization of various types in the javax.imageio package.

SECURITY-385 / CVE-2017-2609
The autocompletion for the search box provided the names of views the current
user does not have access to in its suggestions.

SECURITY-388 / CVE-2017-2610
User display names with less-than and greater-than were not escaped when
displaying search suggestions, resulting in a cross-site scripting
vulnerability.

SECURITY-389 / CVE-2017-2611
The URLs /workspaceCleanup and /fingerprintCleanup did not perform permission
checks, allowing users with read access to Jenkins to trigger these background
processes (that are otherwise performed daily).

SECURITY-392 / CVE-2017-2612
Users with read access to Jenkins were able to override Oracle JDK download
credentials, resulting in future builds possibly failing to download a JDK.

SECURITY-406 / CVE-2017-2613
When administrators accessed a URL like /user/example via HTTP GET, a user
with the ID 'example' was created if it did not exist. While this user record
was only retained until restart in most cases, administrators' web browsers
could be manipulated to create a large number of user records.



@ Maintainer(s): Please bump to >=dev-util/jenkins-bin-2.44 and >=dev-util/jenkins-bin-2.32.2 (LTS) and clean up or apply masks.
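The first item above (SECURITY-304 / CVE-2017-2598) describes secrets encrypted with AES in ECB mode and no IV. The following is an added illustration, not code from Jenkins or from this bug, of why that matters for stored secrets: under ECB every identical 16-byte plaintext block produces the identical ciphertext block, so the layout of a repetitive secret is visible in the ciphertext on disk, while an authenticated mode with a fresh random nonce per message (AES-GCM here) hides that structure and also detects tampering. The class name, the helper names and the sample secret are all constructed for this example; it uses only the standard `javax.crypto` API.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Hypothetical demo class (not part of Jenkins) contrasting AES/ECB with AES/GCM.
public class EcbVsGcmDemo {

    // Counts the distinct 16-byte blocks in a ciphertext. Under ECB, repeated
    // plaintext blocks collapse to repeated ciphertext blocks, so this number
    // is far smaller than the block count for a repetitive secret.
    static int distinctBlocks(byte[] ciphertext) {
        Set<String> seen = new HashSet<>();
        for (int off = 0; off + 16 <= ciphertext.length; off += 16) {
            seen.add(Arrays.toString(Arrays.copyOfRange(ciphertext, off, off + 16)));
        }
        return seen.size();
    }

    // The weak construction: ECB mode, no IV, deterministic per key and plaintext.
    static byte[] encryptEcb(SecretKey key, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key);
        return c.doFinal(plaintext);
    }

    // The hardened form: AES-GCM with a fresh 96-bit random nonce per message.
    // The nonce is not secret, so it is simply prepended to the ciphertext.
    static byte[] encryptGcm(SecretKey key, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    // Decrypts a nonce||ciphertext||tag blob; doFinal throws AEADBadTagException
    // if the stored blob was modified, which ECB cannot detect at all.
    static byte[] decryptGcm(SecretKey key, byte[] blob) throws Exception {
        byte[] nonce = Arrays.copyOfRange(blob, 0, 12);
        byte[] ct = Arrays.copyOfRange(blob, 12, blob.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, nonce));
        return c.doFinal(ct);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();

        // Constructed sample secret: one 16-byte chunk repeated four times, the
        // worst case for ECB (think of a padded field or a repeated token).
        String chunk = "0123456789abcdef";
        byte[] secret = (chunk + chunk + chunk + chunk).getBytes(StandardCharsets.US_ASCII);

        // 64 data bytes plus one full PKCS#5 padding block = 5 blocks,
        // but only 2 distinct ciphertext blocks: the repetition leaks through.
        byte[] ecb = encryptEcb(key, secret);
        System.out.println("ECB blocks: " + ecb.length / 16
                + ", distinct: " + distinctBlocks(ecb));

        // Same key, same plaintext, two encryptions: different output each time,
        // and (with overwhelming probability) every ciphertext block is distinct.
        byte[] gcm1 = encryptGcm(key, secret);
        byte[] gcm2 = encryptGcm(key, secret);
        byte[] gcmBody = Arrays.copyOfRange(gcm1, 12, gcm1.length);
        System.out.println("GCM identical on re-encrypt? " + Arrays.equals(gcm1, gcm2));
        System.out.println("GCM blocks: " + gcmBody.length / 16
                + ", distinct: " + distinctBlocks(gcmBody));
        System.out.println("GCM round-trip ok? "
                + Arrays.equals(secret, decryptGcm(key, gcm1)));
    }
}
```

Compile and run with `javac EcbVsGcmDemo.java && java EcbVsGcmDemo`. The ECB line reports 5 blocks but only 2 distinct ones, which is exactly the property an attacker with read access to the encrypted files can exploit for pattern analysis; the GCM lines show a nondeterministic ciphertext with no repeated blocks and an integrity check on decryption. When migrating stored secrets, the re-encryption step itself needs care, as the SECURITY-376 / CVE-2017-2605 item above shows: backups of old ciphertext and the old key must not be left world-readable.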
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-01 22:04:55 UTC
Freeing alias for CVE-2015-0886 and CVE-2011-4969 because these are CVEs for vulnerabilities in embedded products but not in jenkins itself (still assigned to this bug).
Comment 3 Hans de Graaff gentoo-dev Security 2017-02-06 15:33:35 UTC
dev-util/jenkins-bin-2.32.2 is now available in the lts slot.
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-06 19:00:50 UTC
(In reply to Hans de Graaff from comment #3)
> dev-util/jenkins-bin-2.32.2 is now available in the lts slot.

Thanks. We also need >=dev-util/jenkins-bin-2.44:0.
Comment 5 Oleg Korsak 2017-02-07 16:26:17 UTC
it's 2.45 already... is it so long to change the number in 1 file? How can I help you guys? )
Comment 6 Patrick Lauer gentoo-dev 2017-02-08 09:21:12 UTC
ebuild for 2.45 is committed
Comment 7 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-10 23:02:45 UTC
@ Maintainer(s): Please clean up and drop <dev-util/jenkins-bin-2.32.2:lts and <dev-util/jenkins-bin-2.45:0 or apply masks indicating a security problem or drop keywords.
Comment 8 Hans de Graaff gentoo-dev Security 2017-02-19 08:18:12 UTC
I have masked the old jenkins-bin 1.x lts version for removal, and removed all the vulnerable lts versions.
Comment 9 Hans de Graaff gentoo-dev Security 2017-02-19 08:20:37 UTC
All the other vulnerable versions have now been removed as well.
Comment 10 Thomas Deutschmann (RETIRED) gentoo-dev 2017-02-21 20:29:31 UTC
Repository is clean, all done.
Comment 11 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2017-03-25 08:52:45 UTC
commit a69fc2da16207068ae23d56bf160c7b645bbc8cb
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: Sat Mar 25 09:38:07 2017
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: Sat Mar 25 09:44:32 2017

    dev-util/jenkins-bin: Remove old, last-rited version, #607932