Bug 18033

Summary: jenkins-remoting new security issue CVE-2016-0792
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: geiger.david68210, herman.viaene, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/680602/
Whiteboard: has_procedure advisory MGA5-32-OK
Source RPM: jenkins-remoting-2.39-3.mga5.src.rpm CVE:
Status comment:

Description David Walser 2016-03-18 17:48:02 CET 
Upstream has issued an advisory on February 24:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24

Fedora has issued advisories for this on March 17:
https://lists.fedoraproject.org/pipermail/package-announce/2016-March/179006.html
https://lists.fedoraproject.org/pipermail/package-announce/2016-March/179009.html

Mageia 5 is also affected (jenkins-remoting).

It's also not clear why we have these packaged at all, as they don't appear to be required by anything.
David Walser 2016-03-23 19:41:43 CET

CC: (none) => geiger.david68210

Comment 1 David Walser 2016-03-23 19:58:37 CET 
David pointed out that the jenkins package issues are already fixed in the version in Cauldron (although it still doesn't need to be packaged in Mageia as far as I can tell).  Apparently the jenkins-remoting issue is also fixed in 2.55 (as well as 2.53.3), so Cauldron is not affected.  I don't know if the Mageia 5 package can be updated or if it has to be patched.

Version: Cauldron => 5
Summary: jenkins, jenkins-remoting new security issues CVE-2016-078[89] and CVE-2016-079[0-2] => jenkins-remoting new security issueCVE-2016-0792
Source RPM: jenkins-1.642.2-4.mga6.src.rpm, jenkins-remoting-2.55-2.mga6.src.rpm => jenkins-remoting-2.39-3.mga5.src.rpm

David Walser 2016-03-23 19:58:53 CET

Summary: jenkins-remoting new security issueCVE-2016-0792 => jenkins-remoting new security issue CVE-2016-0792

Comment 2 David GEIGER 2016-05-03 12:41:51 CEST 
So ok done for mga5 with jenkins-remoting-2.53.3-1.mga5.
Comment 3 David GEIGER 2016-05-03 15:58:15 CEST 
Assigning to QA,

Advisory:
========================

Updated jenkins-remoting packages fix security vulnerability:

Jenkins has several API endpoints that allow low-privilege users to POST XML files that then get deserialized by Jenkins. Maliciously crafted XML files sent to these API endpoints could result in arbitrary code execution.

SECURITY-247 / CVE-2016-0792

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0792
https://lists.fedoraproject.org/pipermail/package-announce/2016-March/179009.html
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24
========================

Updated packages in 5/core/updates_testing:
========================
jenkins-remoting-2.53.3-1.mga5
jenkins-remoting-javadoc-2.53.3-1.mga5

Source RPM: 
========================
jenkins-remoting-2.53.3-1.mga5.src.rpm

Assignee: mageia => qa-bugs

Comment 4 Herman Viaene 2016-05-04 15:09:00 CEST 
MGA5-32 on AcerD620 Xfce
No installation issues.
At CLI:
urpmq --whatrequires jenkins-remoting
returns nothing, so testing seems to end here.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK

Comment 5 claire robinson 2016-05-05 17:31:28 CEST 
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 claire robinson 2016-05-05 18:03:03 CEST 
Advisory uploaded.

Whiteboard: MGA5-32-OK => has_procedure advisory MGA5-32-OK

Comment 7 Mageia Robot 2016-05-05 18:27:20 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0162.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED