https://bugzilla.redhat.com/show_bug.cgi?id=1335418
Bug ID: 1335418
Summary: CVE-2016-3724 jenkins: Encrypted secrets (e.g. passwords) were leaked to users with permission to read configuration (SECURITY-266)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: anemec@redhat.com
CC: abhgupta@redhat.com, bleanhar@redhat.com, ccoleman@redhat.com, dmcphers@redhat.com, java-sig-commits@lists.fedoraproject.org, jialiu@redhat.com, jkeck@redhat.com, joelsmith@redhat.com, jokerman@redhat.com, kseifried@redhat.com, lmeyer@redhat.com, mizdebsk@redhat.com, mmccomas@redhat.com, msrb@redhat.com, tdawson@redhat.com, tiwillia@redhat.com
The following flaw was found in Jenkins:
Users with Extended Read permission on an item could access encrypted secrets stored directly in that item's configuration.
As a side effect of the fix, copying a job that contains secrets in its configuration now requires the Configure permission on that job.
External References:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-...
Andrej Nemec anemec@redhat.com changed:
What    | Removed | Added
Blocks  |         | 1335425
Andrej Nemec anemec@redhat.com changed:
What        | Removed | Added
Depends On  |         | 1335427
--- Comment #1 from Andrej Nemec anemec@redhat.com ---
Created jenkins tracking bugs for this issue:
Affects: fedora-all [bug 1335427]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1335427 [Bug 1335427] CVE-2016-3721 CVE-2016-3722 CVE-2016-3723 CVE-2016-3724 CVE-2016-3725 CVE-2016-3726 CVE-2016-3727 jenkins: various flaws [fedora-all]
Andrej Nemec anemec@redhat.com changed:
What       | Removed | Added
Whiteboard | impact=moderate,public=20160511,reported=20160511,source=internet,cvss2=5.0/AV:N/AC:L/Au:N/C:P/I:N/A:N,openshift-enterprise-3/jenkins=affected,openshift-enterprise-2/jenkins=affected,openshift-1/jenkins=affected,fedora-all/jenkins=affected | impact=moderate,public=20160511,reported=20160511,source=internet,cvss2=4.0/AV:N/AC:L/Au:S/C:P/I:N/A:N,openshift-enterprise-3/jenkins=affected,openshift-enterprise-2/jenkins=affected,openshift-1/jenkins=affected,fedora-all/jenkins=affected
--- Comment #2 from Fedora Update System updates@fedoraproject.org ---
jenkins-1.651.2-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Bug 1335418 depends on bug 1335427, which changed state.
Bug 1335427 Summary: CVE-2016-3721 CVE-2016-3722 CVE-2016-3723 CVE-2016-3724 CVE-2016-3725 CVE-2016-3726 CVE-2016-3727 jenkins: various flaws [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1335427
What        | Removed | Added
Status      | ON_QA   | CLOSED
Resolution  | ---     | ERRATA
--- Comment #3 from Fedora Update System updates@fedoraproject.org ---
jenkins-1.625.3-4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
--- Comment #4 from Fedora Update System updates@fedoraproject.org ---
jenkins-1.609.3-7.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
--- Comment #5 from errata-xmlrpc errata-xmlrpc@redhat.com ---
This issue has been addressed in the following products:
Red Hat OpenShift Enterprise 3.2
Red Hat OpenShift Enterprise 3.1
Via RHSA-2016:1206 https://access.redhat.com/errata/RHSA-2016:1206
Kurt Seifried kseifried@redhat.com changed:
What         | Removed | Added
Status       | NEW     | CLOSED
Resolution   | ---     | ERRATA
Last Closed  |         | 2016-06-06 15:14:05
Kurt Seifried kseifried@redhat.com changed:
What        | Removed | Added
Depends On  |         | 1349611
--- Comment #7 from errata-xmlrpc errata-xmlrpc@redhat.com ---
This issue has been addressed in the following products:
Red Hat OpenShift Enterprise 2.2
Via RHSA-2016:1773 https://rhn.redhat.com/errata/RHSA-2016-1773.html