CVE-2019-1003049 (https://nvd.nist.gov/vuln/detail/CVE-2019-1003049): Users who cached their CLI authentication before Jenkins was updated to 2.150.2 and newer, or 2.160 and newer, would remain authenticated in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, because the fix for CVE-2019-1003004 in these releases did not reject existing remoting-based CLI authentication caches. CVE-2019-1003050 (https://nvd.nist.gov/vuln/detail/CVE-2019-1003050): The f:validateButton form control for the Jenkins UI did not properly escape job URLs in Jenkins 2.171 and earlier and Jenkins LTS 2.164.1 and earlier, resulting in a cross-site scripting (XSS) vulnerability exploitable by users with the ability to control job names.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6edb9edc8710c54385235cc7e85e3f3105c998c2 commit 6edb9edc8710c54385235cc7e85e3f3105c998c2 Author: Thomas Deutschmann <whissi@gentoo.org> AuthorDate: 2019-05-13 15:24:36 +0000 Commit: Thomas Deutschmann <whissi@gentoo.org> CommitDate: 2019-05-13 15:25:08 +0000 dev-util/jenkins-bin: security cleanup Bug: https://bugs.gentoo.org/685856 Package-Manager: Portage-2.3.66, Repoman-2.3.12 Signed-off-by: Thomas Deutschmann <whissi@gentoo.org> dev-util/jenkins-bin/Manifest | 4 --- dev-util/jenkins-bin/jenkins-bin-2.164.1.ebuild | 46 ------------------------- dev-util/jenkins-bin/jenkins-bin-2.164.2.ebuild | 46 ------------------------- dev-util/jenkins-bin/jenkins-bin-2.167.ebuild | 46 ------------------------- dev-util/jenkins-bin/jenkins-bin-2.172.ebuild | 46 ------------------------- 5 files changed, 188 deletions(-)
Repository is clean, all done.
