Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 685856 (CVE-2019-1003049, CVE-2019-1003050) - <dev-util/jenkins-bin-{2.164.2,2.172}: multiple vulnerabilities (CVE-2019-{1003049,1003050})
Summary: <dev-util/jenkins-bin-{2.164.2,2.172}: multiple vulnerabilities (CVE-2019-{10...
Status: RESOLVED FIXED
Alias: CVE-2019-1003049, CVE-2019-1003050
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://jenkins.io/security/advisory/...
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2019-05-13 15:18 UTC by GLSAMaker/CVETool Bot
Modified: 2019-05-13 15:25 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2019-05-13 15:18:45 UTC
CVE-2019-1003049 (https://nvd.nist.gov/vuln/detail/CVE-2019-1003049):
  Users who cached their CLI authentication before Jenkins was updated to
  2.150.2 and newer, or 2.160 and newer, would remain authenticated in Jenkins
  2.171 and earlier and Jenkins LTS 2.164.1 and earlier, because the fix for
  CVE-2019-1003004 in these releases did not reject existing remoting-based
  CLI authentication caches.

CVE-2019-1003050 (https://nvd.nist.gov/vuln/detail/CVE-2019-1003050):
  The f:validateButton form control for the Jenkins UI did not properly escape
  job URLs in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier,
  resulting in a cross-site scripting (XSS) vulnerability exploitable by users
  with the ability to control job names.
Comment 1 Larry the Git Cow gentoo-dev 2019-05-13 15:25:16 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6edb9edc8710c54385235cc7e85e3f3105c998c2

commit 6edb9edc8710c54385235cc7e85e3f3105c998c2
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2019-05-13 15:24:36 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2019-05-13 15:25:08 +0000

    dev-util/jenkins-bin: security cleanup
    
    Bug: https://bugs.gentoo.org/685856
    Package-Manager: Portage-2.3.66, Repoman-2.3.12
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-util/jenkins-bin/Manifest                   |  4 ---
 dev-util/jenkins-bin/jenkins-bin-2.164.1.ebuild | 46 -------------------------
 dev-util/jenkins-bin/jenkins-bin-2.164.2.ebuild | 46 -------------------------
 dev-util/jenkins-bin/jenkins-bin-2.167.ebuild   | 46 -------------------------
 dev-util/jenkins-bin/jenkins-bin-2.172.ebuild   | 46 -------------------------
 5 files changed, 188 deletions(-)
Comment 2 Thomas Deutschmann gentoo-dev Security 2019-05-13 15:25:42 UTC
Repository is clean, all done.