https://bugzilla.redhat.com/show_bug.cgi?id=1311948
Bug ID: 1311948
Summary: CVE-2016-0790 jenkins: Non-constant time comparison of API token (SECURITY-241)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team@redhat.com
Reporter: anemec@redhat.com
CC: abhgupta@redhat.com, bleanhar@redhat.com, ccoleman@redhat.com, dmcphers@redhat.com, java-sig-commits@lists.fedoraproject.org, jialiu@redhat.com, jkeck@redhat.com, joelsmith@redhat.com, jokerman@redhat.com, kseifried@redhat.com, lmeyer@redhat.com, mizdebsk@redhat.com, mmccomas@redhat.com, msrb@redhat.com, tiwillia@redhat.com
The following flaw was found in Jenkins:
The verification of user-provided API tokens with the expected value did not use a constant-time comparison algorithm, potentially allowing attackers to use statistical methods to determine valid API tokens using brute-force methods.
External References:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-...
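To make the flaw in the description concrete, here is an added example that is not code from Jenkins or from this bug report. It models the verification step in Python: an early-exit comparison whose loop count stands in for response time, the constant-time replacement (hmac.compare_digest; the Java counterpart a Jenkins fix would use is java.security.MessageDigest.isEqual), and a simulated attacker that recovers a 32-character hex token one character at a time from the timing oracle. The secret token and the step-count oracle are constructed for the demo; a real attacker measures network latency and averages many requests per candidate to beat noise.

```python
import hmac
from typing import Callable, Tuple

# Constructed sample secret for the demo; a real Jenkins API token is an
# opaque hex string of similar shape.
SECRET_TOKEN = "3f9a1c77e2b04d6e8a5b91c0d4e7f2a1"
ALPHABET = "0123456789abcdef"


def naive_compare(expected: str, provided: str) -> Tuple[bool, int]:
    """Early-exit comparison of the kind the advisory describes.

    Returns (match, steps). The number of characters examined before the
    function decides stands in for wall-clock time: a wrong first character
    costs one step, a correct prefix of length k costs at least k + 1 steps.
    """
    steps = 0
    if len(expected) != len(provided):
        return False, steps
    for a, b in zip(expected, provided):
        steps += 1
        if a != b:
            return False, steps      # leaks the position of the first mismatch
    return True, steps


def constant_time_compare(expected: str, provided: str) -> bool:
    """Hardened form: hmac.compare_digest takes time independent of where
    the inputs first differ, so the step-count oracle above disappears."""
    return hmac.compare_digest(expected.encode(), provided.encode())


def recover_token_from_timing(oracle: Callable[[str], Tuple[bool, int]],
                              length: int) -> str:
    """Simulated attack: extend a guessed prefix one character at a time,
    keeping whichever candidate makes the oracle do the most work.

    Cost is len(ALPHABET) * length queries instead of len(ALPHABET) ** length
    for a blind brute force (512 vs 16**32 for a 32-character hex token).
    """
    recovered = ""
    for pos in range(length):
        best_char, best_steps = ALPHABET[0], -1
        for c in ALPHABET:
            # Pad the remainder with a fixed filler so only position `pos` varies.
            candidate = recovered + c + "0" * (length - pos - 1)
            matched, steps = oracle(candidate)
            if matched:
                return candidate
            if steps > best_steps:
                best_char, best_steps = c, steps
        recovered += best_char
    return recovered


def demo() -> str:
    """Run the attack against the vulnerable comparison and return the
    token it recovers (equal to SECRET_TOKEN)."""
    oracle = lambda guess: naive_compare(SECRET_TOKEN, guess)
    return recover_token_from_timing(oracle, len(SECRET_TOKEN))


if __name__ == "__main__":
    print("recovered:", demo())
    print("constant-time accepts real token:",
          constant_time_compare(SECRET_TOKEN, SECRET_TOKEN))
```

The same search driven by constant_time_compare gets no usable signal, because every rejected candidate costs the same amount of work regardless of how long its correct prefix is. Length must also not leak: compare_digest on equal-length inputs is the common case, so keep tokens fixed-length or compare a digest of the token rather than the token itself.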
Andrej Nemec anemec@redhat.com changed:
What       | Removed | Added
-----------+---------+--------
Depends On |         | 1311951
Andrej Nemec anemec@redhat.com changed:
What       | Removed | Added
-----------+---------+--------
Depends On |         | 1311952
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1311952 [Bug 1311952] CVE-2016-0788 CVE-2016-0789 CVE-2016-0790 CVE-2016-0791 CVE-2016-0792 jenkins: security advisory 2016-02-24 [fedora-all]
Bug 1311948 depends on bug 1311952, which changed state.
Bug 1311952 Summary: CVE-2016-0788 CVE-2016-0789 CVE-2016-0790 CVE-2016-0791 CVE-2016-0792 jenkins: security advisory 2016-02-24 [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1311952
What       | Removed | Added
-----------+---------+--------
Status     | ON_QA   | CLOSED
Resolution | ---     | ERRATA
Kurt Seifried kseifried@redhat.com changed:
What       | Removed | Added
-----------+---------+--------
Blocks     |         | 1320308
Kurt Seifried kseifried@redhat.com changed:
What       | Removed | Added
-----------+---------+--------
Depends On |         | 1320309
Kurt Seifried kseifried@redhat.com changed:
What       | Removed | Added
-----------+---------+--------
Depends On |         | 1324676
Depends On |         | 1324677
Kurt Seifried kseifried@redhat.com changed:
What       | Removed | Added
-----------+---------+--------
Blocks     |         | 1324911
--- Comment #3 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat OpenShift Enterprise 3.1
Via RHSA-2016:0711 https://access.redhat.com/errata/RHSA-2016:0711
--- Comment #4 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat OpenShift Enterprise 2.2
Via RHSA-2016:1773 https://rhn.redhat.com/errata/RHSA-2016-1773.html
Kurt Seifried kseifried@redhat.com changed:
What        | Removed | Added
------------+---------+---------------------
Status      | NEW     | CLOSED
Resolution  | ---     | ERRATA
Last Closed |         | 2016-08-25 19:27:57