CVE-2020-2229: Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the tooltip content of help icons. Tooltip values can be contributed by plugins, some of which use user-specified values. This results in a stored cross-site scripting (XSS) vulnerability.

CVE-2020-2230: Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the project naming strategy description that is displayed on item creation. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Overall/Manage permission.

CVE-2020-2231: Jenkins 2.251 and earlier, LTS 2.235.3 and earlier does not escape the remote address of the host starting a build via 'Trigger builds remotely'. This results in a stored cross-site scripting (XSS) vulnerability exploitable by users with Job/Configure permission or knowledge of the Authentication Token.

Maintainers, please bump to 2.252 mainline and 2.235.4 LTS.
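An added version check, not part of the bug report or of the Gentoo commits, that classifies a Jenkins version string against the fixed releases named above (2.252 mainline, 2.235.4 LTS). It assumes the Jenkins numbering convention that LTS releases carry three numeric components (2.235.3) and weekly mainline releases two (2.251).

```python
# Added example: is a given Jenkins version still affected by
# CVE-2020-2229 / CVE-2020-2230 / CVE-2020-2231, and what to bump to.
from typing import Tuple

# Thresholds from the advisory text: "2.251 and earlier" and
# "LTS 2.235.3 and earlier" are affected.
FIXED_MAINLINE: Tuple[int, ...] = (2, 252)
FIXED_LTS: Tuple[int, ...] = (2, 235, 4)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.235.3' into (2, 235, 3); reject anything non-numeric."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Jenkins version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_lts(v: Tuple[int, ...]) -> bool:
    # Assumption: three components = LTS line, two = weekly mainline.
    return len(v) == 3


def fixed_version_for(version: str) -> str:
    """First release on the same branch that carries the fix."""
    fixed = FIXED_LTS if is_lts(parse_version(version)) else FIXED_MAINLINE
    return ".".join(str(n) for n in fixed)


def is_vulnerable(version: str) -> bool:
    """True when the version predates the fix on its branch.

    Older LTS lines (e.g. 2.222.x) compare below 2.235.4 and are therefore
    reported as vulnerable, which matches the advisory: only 2.235.4 and
    later LTS releases contain the fix.
    """
    v = parse_version(version)
    threshold = FIXED_LTS if is_lts(v) else FIXED_MAINLINE
    return v < threshold


if __name__ == "__main__":
    for sample in ("2.251", "2.252", "2.235.3", "2.235.4", "2.222.4"):
        state = "VULNERABLE" if is_vulnerable(sample) else "fixed"
        print(f"{sample:>8}: {state} (fix: {fixed_version_for(sample)})")
```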
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=95fb5f80398b4be830adbccd73fd636def95a43c

commit 95fb5f80398b4be830adbccd73fd636def95a43c
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-08-12 20:01:53 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-08-12 20:01:59 +0000

    dev-util/jenkins-bin: security cleanup

    Bug: https://bugs.gentoo.org/736894
    Package-Manager: Portage-3.0.2, Repoman-2.3.23
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-util/jenkins-bin/Manifest                   |  6 ----
 dev-util/jenkins-bin/jenkins-bin-2.235.1.ebuild | 46 -------------------------
 dev-util/jenkins-bin/jenkins-bin-2.235.2.ebuild | 46 -------------------------
 dev-util/jenkins-bin/jenkins-bin-2.235.3.ebuild | 46 -------------------------
 dev-util/jenkins-bin/jenkins-bin-2.242.ebuild   | 46 -------------------------
 dev-util/jenkins-bin/jenkins-bin-2.245.ebuild   | 46 -------------------------
 dev-util/jenkins-bin/jenkins-bin-2.251.ebuild   | 46 -------------------------
 7 files changed, 282 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=12887e61cf421e4bb4a10a09bcda407234bdc119

commit 12887e61cf421e4bb4a10a09bcda407234bdc119
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-08-12 20:01:24 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-08-12 20:01:59 +0000

    dev-util/jenkins-bin: bump to v2.252

    Bug: https://bugs.gentoo.org/736894
    Package-Manager: Portage-3.0.2, Repoman-2.3.23
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-util/jenkins-bin/Manifest                 |  1 +
 dev-util/jenkins-bin/jenkins-bin-2.252.ebuild | 46 ++++++++++++++++++++++++++++
 2 files changed, 47 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=964d89e161f7c66017a01d2e550ec74c04325b58

commit 964d89e161f7c66017a01d2e550ec74c04325b58
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-08-12 20:00:07 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-08-12 20:01:58 +0000

    dev-util/jenkins-bin: bump to v2.235.4

    Bug: https://bugs.gentoo.org/736894
    Package-Manager: Portage-3.0.2, Repoman-2.3.23
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 dev-util/jenkins-bin/Manifest                   |  1 +
 dev-util/jenkins-bin/jenkins-bin-2.235.4.ebuild | 46 +++++++++++++++++++++++++
 2 files changed, 47 insertions(+)
Thanks Whissi. All done.