Bug 832991 (CVE-2022-0538) - dev-util/jenkins-bin: unconstrained resource usage leading to DoS (CVE-2022-0538)
Status: RESOLVED FIXED
Alias: CVE-2022-0538
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://www.jenkins.io/security/advis...
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
Reported: 2022-02-09 15:53 UTC by filip ambroz
Modified: 2022-02-09 20:34 UTC

See Also:
Package list:
Runtime testing required: ---
Description filip ambroz 2022-02-09 15:53:25 UTC
Jenkins 2.333 and earlier, LTS 2.319.2 and earlier are affected by the XStream library's vulnerability CVE-2021-43859. This library is used by Jenkins to serialize and deserialize various XML files, like global and job config.xml, build.xml, and numerous others. This allows attackers able to submit crafted XML files to Jenkins to be parsed as configuration, e.g. through the POST config.xml API, to cause a denial of service (DoS).

Affected Versions:
Jenkins weekly up to and including 2.333
Jenkins LTS up to and including 2.319.2

Fixed in:
Jenkins weekly should be updated to version 2.334
Jenkins LTS should be updated to version 2.319.3

URLs:
https://www.jenkins.io/security/advisory/2022-02-09/#SECURITY-2602
https://seclists.org/oss-sec/2022/q1/128
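A version check against the affected/fixed ranges quoted in the report, as an added example (this is not code from Jenkins, Gentoo or the reporter). It assumes that a three-component version string (2.319.2) is an LTS release and a two-component one (2.333) is a weekly release, reads the version from the X-Jenkins header Jenkins includes in its HTTP responses, and uses a constructed header set as input so it runs offline:

```python
"""Check a Jenkins version string against the ranges given for
SECURITY-2602 / CVE-2022-0538.

Added example, not Jenkins or Gentoo code. Assumptions: three numeric
components (2.319.2) denote the LTS line, two (2.333) the weekly line;
the fixed releases below are the ones named in the bug text.
"""
from __future__ import annotations

# Fixed releases from the advisory: weekly 2.334, LTS 2.319.3.
FIXED_WEEKLY = (2, 334)
FIXED_LTS = (2, 319, 3)

# Constructed response headers standing in for a real GET / against Jenkins.
SAMPLE_HEADERS = {
    "Server": "Jetty(9.4.43.v20210629)",
    "X-Jenkins": "2.319.2",
    "X-Jenkins-Session": "0123456789abcdef",
}


def parse_version(version: str) -> tuple[int, ...]:
    """Turn '2.319.2' into (2, 319, 2); reject anything but dotted digits."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a Jenkins version string: {version!r}")
    return tuple(int(p) for p in parts)


def release_line(parsed: tuple[int, ...]) -> str:
    """Assumption: three components => LTS line, two => weekly line."""
    if len(parsed) == 3:
        return "lts"
    if len(parsed) == 2:
        return "weekly"
    raise ValueError(f"unexpected version shape: {parsed}")


def is_affected(version: str) -> bool:
    """True when the version is below the first fixed release of its line.

    Tuple comparison handles the ranges directly: every LTS up to and
    including 2.319.2 sorts below (2, 319, 3), every weekly up to and
    including 2.333 sorts below (2, 334).
    """
    parsed = parse_version(version)
    fixed = FIXED_LTS if release_line(parsed) == "lts" else FIXED_WEEKLY
    return parsed < fixed


def version_from_headers(headers: dict[str, str]) -> str | None:
    """Pull the version from the X-Jenkins response header, case-insensitively."""
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return value.strip()
    return None


def assess(headers: dict[str, str]) -> tuple[str | None, bool | None]:
    """Return (version, affected) for a header set; (None, None) if no header."""
    version = version_from_headers(headers)
    if version is None:
        return None, None
    return version, is_affected(version)


if __name__ == "__main__":
    for v in ("2.333", "2.334", "2.319.2", "2.319.3", "2.303.3"):
        print(v, release_line(parse_version(v)), "affected" if is_affected(v) else "fixed")
    print("sample headers:", assess(SAMPLE_HEADERS))
```

Against a live instance, feed the headers of a plain GET on the Jenkins root into assess(); the tuple comparison also covers the older LTS lines (2.303.x and so on) that the "up to and including 2.319.2" wording folds in.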
Comment 1 Larry the Git Cow gentoo-dev 2022-02-09 16:02:55 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9357669bbfba8bd5aa643b98a563996af6ed9846

commit 9357669bbfba8bd5aa643b98a563996af6ed9846
Author:     Patrick Lauer <patrick@gentoo.org>
AuthorDate: 2022-02-09 16:02:12 +0000
Commit:     Patrick Lauer <patrick@gentoo.org>
CommitDate: 2022-02-09 16:02:52 +0000

    dev-util/jenkins-bin: Bump
    
    Bug: https://bugs.gentoo.org/832991
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Patrick Lauer <patrick@gentoo.org>

 dev-util/jenkins-bin/Manifest                      |  6 +--
 dev-util/jenkins-bin/jenkins-bin-2.319.1.ebuild    | 45 ----------------------
 ...n-2.319.2.ebuild => jenkins-bin-2.319.3.ebuild} |  0
 dev-util/jenkins-bin/jenkins-bin-2.323.ebuild      | 45 ----------------------
 ...s-bin-2.330.ebuild => jenkins-bin-2.334.ebuild} |  0
 5 files changed, 2 insertions(+), 94 deletions(-)
Comment 2 filip ambroz 2022-02-09 17:42:24 UTC
That was really quick, thank you!