Upstream has issued an advisory on February 24:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24

Fedora has issued advisories for this on March 17:
https://lists.fedoraproject.org/pipermail/package-announce/2016-March/179006.html
https://lists.fedoraproject.org/pipermail/package-announce/2016-March/179009.html

Mageia 5 is also affected (jenkins-remoting). It's also not clear why we have these packaged at all, as they don't appear to be required by anything.
CC: (none) => geiger.david68210
David pointed out that the jenkins package issues are already fixed in the version in Cauldron (although it still doesn't need to be packaged in Mageia as far as I can tell). Apparently the jenkins-remoting issue is also fixed in 2.55 (as well as 2.53.3), so Cauldron is not affected. I don't know if the Mageia 5 package can be updated or if it has to be patched.
Version: Cauldron => 5
Summary: jenkins, jenkins-remoting new security issues CVE-2016-078[89] and CVE-2016-079[0-2] => jenkins-remoting new security issueCVE-2016-0792
Source RPM: jenkins-1.642.2-4.mga6.src.rpm, jenkins-remoting-2.55-2.mga6.src.rpm => jenkins-remoting-2.39-3.mga5.src.rpm
Summary: jenkins-remoting new security issueCVE-2016-0792 => jenkins-remoting new security issue CVE-2016-0792
So ok done for mga5 with jenkins-remoting-2.53.3-1.mga5.
Assigning to QA.

Advisory:
========================

Updated jenkins-remoting packages fix security vulnerability:

Jenkins has several API endpoints that allow low-privilege users to POST XML files that then get deserialized by Jenkins. Maliciously crafted XML files sent to these API endpoints could result in arbitrary code execution. SECURITY-247 / CVE-2016-0792

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0792
https://lists.fedoraproject.org/pipermail/package-announce/2016-March/179009.html
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-02-24
========================

Updated packages in 5/core/updates_testing:
========================
jenkins-remoting-2.53.3-1.mga5
jenkins-remoting-javadoc-2.53.3-1.mga5

Source RPM:
========================
jenkins-remoting-2.53.3-1.mga5.src.rpm
Assignee: mageia => qa-bugs
MGA5-32 on AcerD620 Xfce.
No installation issues.
At CLI: urpmq --whatrequires jenkins-remoting returns nothing, so testing seems to end here.
CC: (none) => herman.viaene
Whiteboard: (none) => MGA5-32-OK
Validating.
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Advisory uploaded.
Whiteboard: MGA5-32-OK => has_procedure advisory MGA5-32-OK
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0162.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED