Bug 20231

Summary:	jenkins several security issues
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	Nicolas Lécureuil <mageia>
Status:	RESOLVED OLD	QA Contact:	Sec team <security>
Severity:	normal
Priority:	Normal	CC:	geiger.david68210
Version:	5
Target Milestone:	---
Hardware:	All
OS:	Linux
Whiteboard:
Source RPM:	jenkins-1.651.3-1.mga6.src.rpm	CVE:	CVE-2016-9299
Status comment:

Description David Walser 2017-02-02 01:51:04 CET

Upstream has issued an advisory today (February 1):
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2017-02-01

The issues are fixed upstream in 2.32.2.

Our Jenkins version is from last June, and it looks like they've moved on to a new LTS branch.

David Walser 2017-02-02 01:51:35 CET

CC: (none) => geiger.david68210
Whiteboard: (none) => MGA5TOO

Comment 1 David Walser 2017-03-06 02:12:06 CET

Fedora has addressed CVE-2016-9299 today (March 5) in jenkins and jenkins-remoting:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/ZE7XYOLIPAJFIIPWZPAVZYEAOAT6LHIJ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XKRLBXFPKTEBV4JI66GC2KQDE3TLZMYR/

Comment 2 David Walser 2017-04-27 12:11:08 CEST

Upstream has issued an advisory on April 26:
https://jenkins.io/security/advisory/2017-04-26/

The issues are fixed in 2.46.2.

Comment 3 Nicolas Lécureuil 2017-05-03 15:03:55 CEST

CVE-2016-9299 is now fixed in cauldron.
I will see for the new LTS soon ( after fixing jetty )

Status: NEW => RESOLVED
CVE: (none) => CVE-2016-9299
Resolution: (none) => FIXED
Whiteboard: MGA5TOO => (none)

Comment 4 David Walser 2017-05-04 04:02:29 CEST

Nothing has been done to the jenkins package in Cauldron in 6 months.

This bug was marked as Mageia 5 too because jenkins-remoting is in Mageia 5 and is one of the affected ones.

Status: RESOLVED => REOPENED
Resolution: FIXED => (none)
Whiteboard: (none) => MGA5TOO

Comment 5 David Walser 2017-07-07 12:00:55 CEST

Not sure if jenkins-remoting in Mageia 6 is affected by an issue in Comment 2, but I'll mark this as OK for Mageia 6 for now.  jenkins-remoting in Mageia 5 still needs to be addressed, at least for Comment 1.

Whiteboard: MGA5TOO => (none)
Version: Cauldron => 5

Comment 6 David Walser 2017-10-12 00:41:15 CEST

Upstream has issued an advisory today (October 11):
https://jenkins.io/security/advisory/2017-10-11/

The issues are fixed in 2.73.2.

Comment 7 David Walser 2017-11-09 17:56:32 CET

Upstream has issued an advisory on November 8:
https://jenkins.io/security/advisory/2017-11-08/

The issues are fixed in 2.73.3.

Comment 8 David Walser 2017-12-14 14:43:48 CET

Upstream has issued an advisory today (December 14):
https://jenkins.io/security/advisory/2017-12-14/

The issues are fixed in 2.89.2.

Comment 9 David Walser 2017-12-27 04:37:11 CET

This package is unsupportable.

Resolution: (none) => OLD
Status: REOPENED => RESOLVED