[java-sig-commits] [Bug 1797084] New: CVE-2020-2101 jenkins: Non-constant time comparison of inbound TCP agent connection secret

31 Jan 2020


      https://bugzilla.redhat.com/show_bug.cgi?id=1797084
Bug ID: 1797084
           Summary: CVE-2020-2101 jenkins: Non-constant time comparison of
                    inbound TCP agent connection secret
           Product: Security Response
          Hardware: All
                OS: Linux
            Status: NEW
         Component: vulnerability
          Keywords: Security
          Severity: medium
          Priority: medium
          Assignee: security-response-team@redhat.com
          Reporter: psampaio@redhat.com
                CC: abenaiss@redhat.com, adam.kaplan@redhat.com,
                    aos-bugs@redhat.com, bmontgom@redhat.com,
                    eparis@redhat.com, extras-orphan@fedoraproject.org,
                    java-sig-commits@lists.fedoraproject.org,
                    jburrell@redhat.com, jokerman@redhat.com,
                    mizdebsk@redhat.com, msrb@redhat.com,
                    nstielau@redhat.com, pbhattac@redhat.com,
                    sponnaga@redhat.com, vbobade@redhat.com,
                    wzheng@redhat.com
  Target Milestone: ---
    Classification: Other
Jenkins 2.218 and earlier, LTS 2.204.1 and earlier did not use a constant-time
comparison function for validating connection secrets, which could potentially
allow an attacker to use a timing attack to obtain this secret.
References:
https://jenkins.io/security/advisory/2020-01-29/#SECURITY-1659
http://www.openwall.com/lists/oss-security/2020/01/29/1
-- 
You are receiving this mail because:
You are on the CC list for the bug.

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

[java-sig-commits] [Bug 1797084] New: CVE-2020-2101 jenkins: Non-constant time comparison of inbound TCP agent connection secret