Re: Security advisory in Jenkins

[Bryan Drewery <bdrewery () FreeBSD org>]

On 10/3/2014 4:44 PM, Kohsuke Kawaguchi wrote:
> We are still learning how we should handle vulnerabilities, so I'm sure
> there's room for improvements.
>
> We have multiple release lines to which the fixes have to be released
> simultaneously, and overall this overhead is significant. That's why we did
> one massive release that contains all the fixes.
>
> Wrt CVE-2013-2186, a week ago we got a report from somebody that he did a
> security scan and found that we are still using a vulnerable version of the
> library to which CVE-2013-2186 is assigned. In this release we use a newer
> version of the library that addresses the problem, and I thought it'd be
> appropriate to raise a flag to the users that if they continue to use older
> versions, they'd remain vulnerable to CVE-2013-2186. That's why it's in the
> advisory. It is not because we sat on a report for more than a year.
>
> When you say the timeframe is especially concerning, perhaps you mean you
> are concerned that we fail to notice this vulnerability in our library for
> more than a year, and if so, you are of course right. Jenkins project has
> gotten a long list of library dependencies, and I haven't found any
> practical means to get notified when vulnerabilities are found in any one
> of them.

I understand. Is there any practical way you could not bundle
dependencies? Then it would not be a problem. I don't know enough about
Java's build system to know if this is possible.


-- 
Regards,
Bryan Drewery

Attachment: signature.asc
Description: OpenPGP digital signature