The CLI client (jenkins-cli.jar) in Jenkins 2.451 and earlier, LTS 2.440.2 and earlier bundles versions of the Apache MINA SSHD library that are susceptible to CVE-2023-48795 (Terrapin attack). This vulnerability allows a machine-in-the-middle attacker to reduce the security of an SSH connection. The above is fixed in 2.452 and LTS 2.440.3
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=77c13a83cffa6d587da5be93760a0c5ac08a4fbb commit 77c13a83cffa6d587da5be93760a0c5ac08a4fbb Author: Hans de Graaff <graaff@gentoo.org> AuthorDate: 2024-04-18 05:43:38 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2024-04-18 05:44:33 +0000 dev-util/jenkins-bin: add 2.440.3, 2.454 Bug: https://bugs.gentoo.org/930152 Signed-off-by: Hans de Graaff <graaff@gentoo.org> dev-util/jenkins-bin/Manifest | 2 ++ dev-util/jenkins-bin/jenkins-bin-2.440.3.ebuild | 44 +++++++++++++++++++++++++ dev-util/jenkins-bin/jenkins-bin-2.454.ebuild | 44 +++++++++++++++++++++++++ 3 files changed, 90 insertions(+)