Bug 19028

Summary: jenkins-remoting, owasp-java-html-sanitizer, tiger-types new security issue CVE-2016-3102
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: Nicolas Lécureuil <mageia>
Status: RESOLVED OLD
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: geiger.david68210
Version: 5
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM: jenkins-remoting, owasp-java-html-sanitizer, tiger-types
CVE:
Status comment:

Description David Walser 2016-07-22 21:45:18 CEST
Jenkins has issued an advisory on April 11:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-04-11

According to this RedHat bug, it may affect jenkins-remoting, owasp-java-html-sanitizer, and tiger-types in Mageia 5:
https://bugzilla.redhat.com/show_bug.cgi?id=1326403

Fedora advisories for those packages:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/KSYJXBX5UGIKZXAPMLSANUC76ANDH7DR/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZYYKALUJH7IZHFDEC3QANIX3RLUT2EKV/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/POSZHNPL7GYBIDPZECG6DYV7UKDSAJI4/

They just updated them to 2.57, 20160422.1, and 2.2, respectively. We already have these versions in Cauldron.
David Walser 2016-07-22 21:45:27 CEST

CC: (none) => geiger.david68210

Comment 1 David GEIGER 2016-11-18 16:33:33 CET
According to these full commits: https://github.com/jenkinsci/remoting/commits/2.59.x, I didn't find any reference to SECURITY-258 / CVE-2016-3102.
Comment 2 David Walser 2017-12-27 01:01:26 CET
We won't be fixing these kinds of packages for Mageia 5. It would be nice if we could drop them from Cauldron, as they're not really supportable.

Resolution: (none) => OLD
Status: NEW => RESOLVED