Date: Sun, 1 Mar 2015 19:01:03 +0000 (UTC) From: Li-Wen Hsu <lwhsu@FreeBSD.org> To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org Subject: svn commit: r380224 - in branches/2015Q1: devel/jenkins security/vuxml Message-ID: <201503011901.t21J13C0016428@svn.freebsd.org>
Author: lwhsu Date: Sun Mar 1 19:01:02 2015 New Revision: 380224 URL: https://svnweb.freebsd.org/changeset/ports/380224 QAT: https://qat.redports.org/buildarchive/r380224/ Log: MFH: r380172 Add entry for security issue in jenkins Reviewed by: zi MFH: r380173 - Update to 1.600 Security: 7480b6ac-adf1-443e-a33c-3a3c0becba1e Notified by: swills Approved by: portmgr (swills) Modified: branches/2015Q1/devel/jenkins/Makefile branches/2015Q1/devel/jenkins/distinfo branches/2015Q1/security/vuxml/vuln.xml Directory Properties: branches/2015Q1/ (props changed) Modified: branches/2015Q1/devel/jenkins/Makefile ============================================================================== --- branches/2015Q1/devel/jenkins/Makefile Sun Mar 1 18:56:56 2015 (r380223) +++ branches/2015Q1/devel/jenkins/Makefile Sun Mar 1 19:01:02 2015 (r380224) @@ -1,7 +1,7 @@ # $FreeBSD$ PORTNAME= jenkins -PORTVERSION= 1.595 +PORTVERSION= 1.600 CATEGORIES= devel java MASTER_SITES= http://mirrors.jenkins-ci.org/war/${PORTVERSION}/ DISTNAME= jenkins Modified: branches/2015Q1/devel/jenkins/distinfo ============================================================================== --- branches/2015Q1/devel/jenkins/distinfo Sun Mar 1 18:56:56 2015 (r380223) +++ branches/2015Q1/devel/jenkins/distinfo Sun Mar 1 19:01:02 2015 (r380224) @@ -1,2 +1,2 @@ -SHA256 (jenkins/1.595/jenkins.war) = 2424e6316ec45d524d132203438e8d767a5e9bed747b2c583047ff944f2e2935 -SIZE (jenkins/1.595/jenkins.war) = 68215690 +SHA256 (jenkins/1.600/jenkins.war) = 9b7d9d1fd6dce1077599a31468b1ef2ebe7b849f6d2f52f943541b944d9c29f9 +SIZE (jenkins/1.600/jenkins.war) = 68808007 Modified: branches/2015Q1/security/vuxml/vuln.xml ============================================================================== --- branches/2015Q1/security/vuxml/vuln.xml Sun Mar 1 18:56:56 2015 (r380223) +++ branches/2015Q1/security/vuxml/vuln.xml Sun Mar 1 19:01:02 2015 (r380224) 
@@ -57,6 +57,79 @@ Notes: --> <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1"> + <vuln vid="7480b6ac-adf1-443e-a33c-3a3c0becba1e"> + <topic>jenkins -- multiple vulnerabilities</topic> + <affects> + <package> + <name>jenkins</name> + <range><le>1.600</le></range> + </package> + <package> + <name>jenkins-lts</name> + <range><le>1.580.3</le></range> + </package> + </affects> + <description> + <body xmlns="http://www.w3.org/1999/xhtml"> + <p>Kohsuke Kawaguchi from Jenkins team reports:</p> + <blockquote cite="https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27"> + <h1>Description</h1> + <h5>SECURITY-125 (Combination filter Groovy script unsecured)</h5> + <p>This vulnerability allows users with the job configuration + privilege to escalate his privileges, resulting in arbitrary code + execution to the master.</p> + <h5>SECURITY-162 (directory traversal from artifacts via symlink)</h5> + <p>This vulnerability allows users with the job configuration + privilege or users with commit access to the build script to + access arbitrary files/directories on the master, resulting in + the exposure of sensitive information, such as encryption keys.</p> + <h5>SECURITY-163 (update center metadata retrieval DoS attack)</h5> + <p>This vulnerability allows authenticated users to disrupt the + operation of Jenkins by feeding malicious update center data into + Jenkins, affecting plugin installation and tool installation.</p> + <h5>SECURITY-165 (external entity injection via XPath)</h5> + <p>This vulnerability allows users with the read access to Jenkins + to retrieve arbitrary XML document on the server, resulting in + the exposure of sensitive information inside/outside Jenkins.</p> + <h5>SECURITY-166 (HudsonPrivateSecurityRealm allows creation of + reserved names)</h5> + <p>For users using "Jenkins' own user database" setting, Jenkins + doesn't refuse reserved names, thus allowing privilege escalation.</p> + <h5>SECURITY-167 (External entity processing 
in XML can reveal + sensitive local files)</h5> + <p>This vulnerability allows attackers to create malicious XML + documents and feed that into Jenkins, which causes Jenkins to + retrieve arbitrary XML document on the server, resulting in the + exposure of sensitive information inside/outside Jenkins.</p> + <h1>Severity</h1> + <p>SECURITY-125 is rated <strong>critical</strong>. This attack can be + only mounted by users with some trust, but it results in arbitrary + code execution on the master.</p> + <p>SECURITY-162 is rated <strong>critical</strong>. This attack can be + only mounted by users with some trust, but it results in the + exposure of sensitive information.</p> + <p>SECURITY-163 is rated <strong>medium</strong>, as it results in the + loss of functionality.</p> + <p>SECURITY-165 is rated <strong>critical</strong>. This attack is + easy to mount, and it results in the exposure of sensitive + information.</p> + <p>SECURITY-166 is rated <strong>critical</strong>. For users who use + the affected feature, this attack results in arbitrary code + execution on the master.</p> + <p>SECURITY-167 is rated <strong>critical</strong>. This attack is + easy to mount, and it results in the exposure of sensitive information.</p> + </blockquote> + </body> + </description> + <references> + <url>https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2015-02-27</url> + </references> + <dates> + <discovery>2015-03-01</discovery> + <entry>2015-03-01</entry> + </dates> + </vuln> + <vuln vid="9c7b6c20-a324-11e4-879c-00e0814cab4e"> <topic>django -- multiple vulnerabilities</topic> <affects>
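Review bot: in the devel/jenkins/Makefile hunk, MASTER_SITES still points at plain http://mirrors.jenkins-ci.org/war/${PORTVERSION}/, so the bump of PORTVERSION from 1.595 to 1.600 gives no transport-level integrity and the fetched jenkins.war is protected only by the SHA256 recorded in distinfo; that is acceptable for this MFH, but it makes the correctness of the accompanying distinfo update load-bearing for a security fix.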
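Review bot: in the devel/jenkins/distinfo hunk, the SHA256 and SIZE lines for jenkins/1.600/jenkins.war are updated together and the 1.595 lines are removed, so a mismatched download fails closed. Because the Makefile fetches over plain http, this hash is the sole integrity check for the distfile; please confirm it was computed from a copy verified independently rather than simply re-hashed from whatever the mirror served.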
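Review bot: in the security/vuxml/vuln.xml hunk, the affected range for the jenkins package is `<range><le>1.600</le></range>`, yet this same commit moves the port to 1.600 as the fixed release, so with `<le>` the freshly built 1.600 package will itself be reported as vulnerable by pkg audit; the same question applies to `<le>1.580.3</le>` for jenkins-lts if 1.580.3 is the fixed LTS release. Unless 1.600 and 1.580.3 are genuinely still affected, both should be `<lt>`. Two smaller points: `<discovery>2015-03-01</discovery>` is the commit date, while the cited advisory URL is dated 2015-02-27, so discovery should be 2015-02-27; and the quoted text carries `<h1>` and `<h5>` headings inside the blockquote, whereas vuxml entries normally keep the description to `<p>` elements.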