https://bugzilla.redhat.com/show_bug.cgi?id=1566947
Bug ID: 1566947
Summary: jenkins: CLI leaked existence of views and agents with attacker-specified names to users without Overall/Read permission (SECURITY-754)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: low
Priority: low
Assignee: security-response-team(a)redhat.com
Reporter: amaris(a)redhat.com
CC: ahardin(a)redhat.com, bleanhar(a)redhat.com,
ccoleman(a)redhat.com, dedgar(a)redhat.com,
dmcphers(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jgoulding(a)redhat.com, jokerman(a)redhat.com,
kseifried(a)redhat.com, mchappel(a)redhat.com,
mizdebsk(a)redhat.com, msrb(a)redhat.com
The Jenkins CLI sent different error responses to unauthorized users for commands
that take view and agent arguments, depending on whether the specified views or
agents existed. This allowed attackers to determine whether views or agents with
the specified names exist.
External References:
https://jenkins.io/security/advisory/2018-04-11/
--
You are receiving this mail because:
You are on the CC list for the bug.
https://bugzilla.redhat.com/show_bug.cgi?id=1566950
Bug ID: 1566950
Summary: jenkins: Cross-site scripting vulnerability in confirmation dialogs displaying item names (SECURITY-759)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: amaris(a)redhat.com
CC: ahardin(a)redhat.com, bleanhar(a)redhat.com,
ccoleman(a)redhat.com, dedgar(a)redhat.com,
dmcphers(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jgoulding(a)redhat.com, jokerman(a)redhat.com,
kseifried(a)redhat.com, mchappel(a)redhat.com,
mizdebsk(a)redhat.com, msrb(a)redhat.com
Some JavaScript confirmation dialogs included the item name in an unsafe
manner, resulting in a possible cross-site scripting vulnerability exploitable
by users with permission to create or configure items.
External References:
https://jenkins.io/security/advisory/2018-04-11/
https://bugzilla.redhat.com/show_bug.cgi?id=1565390
Bug ID: 1565390
Summary: maven-jar-plugin-3.1.0 is available
Product: Fedora
Version: rawhide
Component: maven-jar-plugin
Keywords: FutureFeature, Triaged
Assignee: mizdebsk(a)redhat.com
Reporter: upstream-release-monitoring(a)fedoraproject.org
QA Contact: extras-qa(a)fedoraproject.org
CC: akurtako(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
mizdebsk(a)redhat.com
Latest upstream release: 3.1.0
Current version/release in rawhide: 3.0.2-4.fc27
URL: http://repo2.maven.org/maven2/org/apache/maven/plugins/maven-jar-plugin/
Please consult the package updates policy before you issue an update to a
stable branch: https://fedoraproject.org/wiki/Updates_Policy
More information about the service that created this bug can be found at:
https://fedoraproject.org/wiki/Upstream_release_monitoring
Please keep in mind that with any upstream change, there may also be packaging
changes that need to be made. Specifically, please remember that it is your
responsibility to review the new version to ensure that the licensing is still
correct and that no non-free or legally problematic items have been added
upstream.
Based on the information from anitya:
https://release-monitoring.org/project/1917/
https://bugzilla.redhat.com/show_bug.cgi?id=1510896
Bug ID: 1510896
Summary: Problem to start tomcat with a user whose group has a name different to the user
Product: Fedora
Version: rawhide
Component: tomcat
Severity: medium
Assignee: ivan.afonichev(a)gmail.com
Reporter: csutherl(a)redhat.com
QA Contact: extras-qa(a)fedoraproject.org
CC: alee(a)redhat.com, aneelica(a)redhat.com,
csutherl(a)redhat.com, djorm(a)redhat.com,
dknox(a)redhat.com, etienne.carriere(a)finances.gouv.fr,
hajek(a)oakland.edu, ivan.afonichev(a)gmail.com,
java-sig-commits(a)lists.fedoraproject.org,
jclere(a)redhat.com, jonderka(a)redhat.com,
krzysztof.daniel(a)gmail.com, lnovich(a)redhat.com,
luvilla(a)redhat.com, mbabacek(a)redhat.com,
mczernek(a)redhat.com, me(a)coolsvap.net,
mhasko(a)redhat.com, rhatlapa(a)redhat.com,
tfonteyn(a)redhat.com, tomcat-qe(a)redhat.com
Depends On: 1505762, 915447
Blocks: 835616
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=915447
[Bug 915447] Problem to start tomcat with a user whose group has a name
different to the user
https://bugzilla.redhat.com/show_bug.cgi?id=1505762
[Bug 1505762] Problem to start tomcat with a user whose group has a name
different to the user
https://bugzilla.redhat.com/show_bug.cgi?id=1545904
Bug ID: 1545904
Summary: CVE-2018-6356 jenkins: Path traversal allows access to files outside plugin resources
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: lpardo(a)redhat.com
CC: bleanhar(a)redhat.com, ccoleman(a)redhat.com,
dedgar(a)redhat.com, dmcphers(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jgoulding(a)redhat.com, jkeck(a)redhat.com,
kseifried(a)redhat.com, mizdebsk(a)redhat.com,
msrb(a)redhat.com
A flaw was found in Jenkins weekly up to and including 2.106 and Jenkins LTS up
to and including 2.89.3. Jenkins did not properly prevent specifying relative
paths that escape a base directory for URLs accessing plugin resource files.
This allowed users with Overall/Read permission to download files from the
Jenkins master they should not have access to.
On Windows, any file accessible to the Jenkins master process could be
downloaded. On other operating systems, any file within the Jenkins home
directory accessible to the Jenkins master process could be downloaded.
References:
https://jenkins.io/security/advisory/2018-02-14/
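As an added example (not Jenkins' own fix), a base-directory containment check of the kind that closes this class of bug: it maps a URL path under a plugin's resource directory to a file path and refuses any request that would leave that directory. The base directory and request paths are constructed for the example, and the `windows` flag stands in for the platform difference noted above.

```python
from typing import Optional
from urllib.parse import unquote

# Constructed for the example; a real server would use the plugin's
# actual resource directory here.
BASE_DIR = "/var/lib/jenkins/plugins/example-plugin"


def resolve_resource(requested: str, base_dir: str = BASE_DIR,
                     windows: bool = False) -> Optional[str]:
    """Map a URL path under a plugin's resource root to a file path.

    Returns the resolved path, or None when the request would escape
    base_dir (absolute path, drive letter, UNC path, or more ".."
    segments than the path has depth). Works on strings only, so it
    needs no filesystem and cannot be tricked by symlinks it never follows.
    """
    rel = unquote(requested)            # "%2e%2e%2f" must be checked as "../"
    if "\x00" in rel:
        return None                     # NUL can truncate the path downstream
    if windows:
        rel = rel.replace("\\", "/")    # backslash is a separator on Windows
        if len(rel) >= 2 and rel[1] == ":":
            return None                 # drive-letter path such as C:/...
    if rel.startswith("/"):
        return None                     # absolute (or UNC //host/share) path
    stack = []
    for seg in rel.split("/"):
        if seg in ("", "."):
            continue                    # harmless: "a//b", "./a"
        if seg == "..":
            if not stack:
                return None             # would climb above base_dir
            stack.pop()
            continue
        stack.append(seg)
    if not stack:
        return None                     # nothing left to serve
    return base_dir.rstrip("/") + "/" + "/".join(stack)
```

The check rejects before any file is opened, so a denied request produces the same "not found" outcome whether or not the target file exists.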
https://bugzilla.redhat.com/show_bug.cgi?id=1545899
Bug ID: 1545899
Summary: jenkins: Improperly secured form validation for proxy configuration allows Server-Side Request Forgery
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: low
Priority: low
Assignee: security-response-team(a)redhat.com
Reporter: lpardo(a)redhat.com
CC: bleanhar(a)redhat.com, ccoleman(a)redhat.com,
dedgar(a)redhat.com, dmcphers(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jgoulding(a)redhat.com, jkeck(a)redhat.com,
kseifried(a)redhat.com, mizdebsk(a)redhat.com,
msrb(a)redhat.com
A flaw was found in Jenkins weekly up to and including 2.106 and Jenkins LTS up
to and including 2.89.3. The form validation for the proxy configuration form
did not check the permission of the user accessing it, allowing anyone with
Overall/Read access to Jenkins to cause Jenkins to send a GET request to a
specified URL, optionally with a specified proxy configuration.
If that request's HTTP response code indicates success, the form validation
returns a generic success message; otherwise the HTTP status code is returned.
It was not possible to reuse an existing proxy configuration to send those
requests; that configuration had to be provided by the attacker.
References:
https://jenkins.io/security/advisory/2018-02-14/
https://bugzilla.redhat.com/show_bug.cgi?id=1526596
Bug ID: 1526596
Summary: jenkins: CSRF protection delayed after startup
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team(a)redhat.com
Reporter: psampaio(a)redhat.com
CC: bleanhar(a)redhat.com, ccoleman(a)redhat.com,
dedgar(a)redhat.com, dmcphers(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jgoulding(a)redhat.com, jkeck(a)redhat.com,
kseifried(a)redhat.com, mizdebsk(a)redhat.com,
msrb(a)redhat.com
A race condition during Jenkins startup could result in the wrong order of
execution of commands during initialization.
There’s a very short window of time after startup during which Jenkins may no
longer show the "Please wait while Jenkins is getting ready to work" message,
but Cross-Site Request Forgery (CSRF) protection may not yet be effective.
External references:
https://jenkins.io/security/advisory/2017-12-14/