oss-sec mailing list archives
Re: Security advisory in Jenkins
From: Bryan Drewery <bdrewery () FreeBSD org>
Date: Tue, 07 Oct 2014 13:45:37 -0500
On 10/3/2014 4:44 PM, Kohsuke Kawaguchi wrote:
We are still learning how we should handle vulnerabilities, so I'm sure there's room for improvements. We have multiple release lines to which the fixes have to be released simultaneously, and overall this overhead is significant. That's why we did one massive release that contains all the fixes. Wrt CVE-2013-2186, a week ago we got a report from somebody that he did a security scan and found that we are still using a vulnerable version of the library to which CVE-2013-2186 is assigned. In this release we use a newer version of the library that addresses the problem, and I thought it'd be appropriate to raise a flag to the users that if they continue to use older versions, they'd remain vulnerable to CVE-2013-2186. That's why it's in the advisory. It is not because we sat on a report for more than a year. When you say the timeframe is especially concerning, perhaps you mean you are concerned that we fail to notice this vulnerability in our library for more than a year, and if so, you are of course right. Jenkins project has gotten a long list of library dependencies, and I haven't found any practical means to get notified when vulnerabilities are found in any one of them.
I understand. Is there any practical way you could not bundle dependencies? Then it would not be a problem. I don't know enough about Java's build system to know if this is possible. -- Regards, Bryan Drewery
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- Security advisory in Jenkins Kohsuke Kawaguchi (Oct 01)
- Re: Security advisory in Jenkins Solar Designer (Oct 01)
- Re: Security advisory in Jenkins Bryan Drewery (Oct 01)
- Re: Security advisory in Jenkins Solar Designer (Oct 01)
- Re: Security advisory in Jenkins Solar Designer (Oct 01)
- Re: Security advisory in Jenkins Kohsuke Kawaguchi (Oct 03)
- Re: Security advisory in Jenkins Luca Carettoni (Oct 03)
- Re: Security advisory in Jenkins Bryan Drewery (Oct 07)
- Re: Security advisory in Jenkins Kohsuke Kawaguchi (Oct 07)
- Re: Security advisory in Jenkins Solar Designer (Oct 01)
- Re: Re: Security advisory in Jenkins Reed Loden (Oct 06)
- Re: Re: Security advisory in Jenkins Kurt Seifried (Oct 06)