1) CVE-2020-2160 Description: "An extension point in Jenkins allows selectively disabling cross-site request forgery (CSRF) protection for specific URLs. Implementations of that extension point received a different representation of the URL path than the Stapler web framework uses to dispatch requests in Jenkins 2.227 and earlier, LTS 2.204.5 and earlier. This discrepancy allowed attackers to craft URLs that would bypass the CSRF protection of any target URL." 2) CVE-2020-2161 Description: "Users with Agent/Configure permissions can define labels for nodes. These labels can be referenced in job configurations to restrict where a job can be run. In Jenkins 2.227 and earlier, LTS 2.204.5 and earlier, the form validation for label expressions in job configuration forms did not properly escape label names, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by users able to define node labels." 3) CVE-2020-2162 Description: "Jenkins 2.227 and earlier, LTS 2.204.5 and earlier served files uploaded as file parameters to a build without specifying appropriate Content-Security-Policy HTTP headers. This resulted in a stored cross-site scripting (XSS) vulnerability exploitable by users with permissions to build a job with file parameters. Jenkins now sets Content-Security-Policy HTTP headers when serving files uploaded via a file parameter to the same value as used for files in workspaces and archived artifacts not served using the Resource Root URL." 4) CVE-2020-2163 Description: "Jenkins 2.227 and earlier, LTS 2.204.5 and earlier processed HTML embedded in list view column headers. This resulted in a stored cross-site scripting (XSS) vulnerability exploitable by users able to control the content of column headers... Jenkins no longer processes HTML embedded in list view column headers."
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=409180265366a89318a7de312b9a2422ed36b72b commit 409180265366a89318a7de312b9a2422ed36b72b Author: Hans de Graaff <graaff@gentoo.org> AuthorDate: 2020-03-26 06:03:07 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2020-03-26 06:03:07 +0000 dev-util/jenkins-bin: add 2.204.6 and 2.228 Security fixes Bug: https://bugs.gentoo.org/714730 Package-Manager: Portage-2.3.89, Repoman-2.3.20 Signed-off-by: Hans de Graaff <graaff@gentoo.org> dev-util/jenkins-bin/Manifest | 2 ++ dev-util/jenkins-bin/jenkins-bin-2.204.6.ebuild | 46 +++++++++++++++++++++++++ dev-util/jenkins-bin/jenkins-bin-2.228.ebuild | 46 +++++++++++++++++++++++++ 3 files changed, 94 insertions(+)
Cleanup done.
Tree is clean, thanks!