oss-sec mailing list archives
Re: Security advisory in Jenkins
From: Solar Designer <solar () openwall com>
Date: Thu, 2 Oct 2014 06:11:27 +0400
Bryan - I think Kohsuke is not subscribed. I've added CC.

On Wed, Oct 01, 2014 at 08:36:59PM -0500, Bryan Drewery wrote:
> On 10/1/2014 6:25 PM, Kohsuke Kawaguchi wrote:
> > I just wanted to share that the Jenkins project issued a security advisory today. These issues are independently found and we've aggregated into a single release.
> >
> > The relevant CVE IDs, our bug tracking IDs are available here <https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-01>. The new versions can be downloaded from here <http://mirrors.jenkins-ci.org/>.
> >
> > (This is the first time I do this, so my apologies in advance for probably failing to follow the expected format.)
>
> Kudos to all for finding and fixing these issues. It was quite a surprising list though. Were these fixes kept from release for an extended time? The timeframe for CVE-2013-2186 is especially concerning.

Many of these issues were brought to the distros list on Fri Sep 26 17:10:16 2014 UTC, and got their CVE IDs assigned there. However, CVE-2013-2186 was not among those. I don't know why the old CVE ID, nor how that issue was handled.

Alexander