A CVE has been assigned for a security issue in Jenkins: http://openwall.com/lists/oss-security/2016/11/14/9 It sounds like an upstream advisory will be posted for it on Wednesday (the 16th) here: https://wiki.jenkins-ci.org/display/SECURITY/Home
Assignee: bugsquad => mageia
CC: (none) => geiger.david68210, marja11
Freeze push requested for cauldron (jenkins and jenkins-remoting)
Fixed for mga5 updating jenkins-remoting to 2.53.4 release!
David, what about Bug 19028 also affecting this package?

Advisory:
========================

Updated jenkins-remoting packages fix security vulnerability:

An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java object to the Jenkins CLI, making Jenkins connect to an attacker-controlled LDAP server, which in turn can send a serialized payload leading to code execution, bypassing existing protection mechanisms (CVE-2016-9299).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9299
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-11-16
========================

Updated packages in core/updates_testing:
========================
jenkins-remoting-2.53.4-1.mga5
jenkins-remoting-javadoc-2.53.4-1.mga5

from jenkins-remoting-2.53.4-1.mga5.src.rpm
Assignee: mageia => qa-bugs
CC: (none) => mageia
Version: Cauldron => 5
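The advisory above describes a serialized Java object handed to the CLI being turned into an LDAP connection and a second serialized payload. As an added example (not Jenkins or remoting code, and not the upstream fix), here is the general mitigation for that class of bug: an ObjectInputStream that refuses to resolve any class outside an explicit allowlist, so an unexpected class is rejected before it is loaded; the allowlist contents and the sample messages are assumptions.

```java
import java.io.*;
import java.util.*;

// Added example, not Jenkins/remoting code: resolves only allowlisted classes.
public class AllowlistObjectInputStream extends ObjectInputStream {
    // Hypothetical allowlist: the only classes a CLI-style message may carry.
    private static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
            "java.util.ArrayList", "java.lang.Integer", "java.lang.Number", "[B"));

    public AllowlistObjectInputStream(byte[] data) throws IOException {
        super(new ByteArrayInputStream(data));
    }

    @Override
    protected Class<?> resolveClass(ObjectStreamClass desc)
            throws IOException, ClassNotFoundException {
        String name = desc.getName();
        // Decide on the class name alone: a class that is not on the list is
        // never loaded or instantiated, so none of its code can run.
        if (!ALLOWED.contains(name)) {
            throw new InvalidClassException(name, "not on deserialization allowlist");
        }
        return super.resolveClass(desc);
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an allowed message type deserializes normally.
        ArrayList<String> msg = new ArrayList<>(Arrays.asList("build", "job-1"));
        try (ObjectInputStream in = new AllowlistObjectInputStream(serialize(msg))) {
            System.out.println("accepted: " + in.readObject());
        }
        // Constructed sample: a class outside the list is refused at resolve time.
        try (ObjectInputStream in = new AllowlistObjectInputStream(serialize(new HashMap<>()))) {
            in.readObject();
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On Java 9 and later the same policy can be expressed with the built-in ObjectInputFilter instead of overriding resolveClass.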
(In reply to David Walser from comment #3)
> David, what about Bug 19028 also affecting this package?

According to these full commits: https://github.com/jenkinsci/remoting/commits/2.59.x , I didn't find any reference to SECURITY-258 / CVE-2016-3102.
Version: 5 => Cauldron
Version: Cauldron => 5
CC: (none) => davidwhodgins
Summary: jenkins new security issue CVE-2016-9299 => jenkins-remoting new security issue CVE-2016-9299
Whiteboard: (none) => advisory
MGA5-32 on AcerD620

No installation issues.

Referring to bug 18033, there are no immediate dependencies on jenkins-remoting. Did some reading on the jenkins project, seems "continuous integration and continuous application delivery .... to build and test your software projects". I understand from that: no easy simple test for it.
CC: (none) => herman.viaene
Whiteboard: advisory => advisory MGA5-32-OK
Trying M5 x64

Curious. As Herman pointed out:
# urpmq --whatrequires jenkins-remoting
jenkins-remoting

However, selecting version 2.53.3-1 from normal repos to install popped up the following [additional] dependencies:
- ant-1.9.4-5.mga5.noarch
- antlr-tool-2.7.7-30.mga5.noarch
- apache-commons-io-2.4-8.mga5.noarch
- bea-stax-1.2.0-7.mga5.noarch
- bea-stax-api-1.2.0-7.mga5.noarch
- cglib-3.1-4.mga5.noarch
- constant-pool-scanner-1.2-5.mga5.noarch
- dom4j-1.6.1-23.mga5.noarch
- easymock-3.2-4.mga5.noarch
- findbugs-3.0.0-1.mga5.noarch
- findbugs-bcel-6.0-0.1.20140707svn1547656.1.mga5.noarch
- hamcrest-1.3-6.mga5.noarch
- hsqldb1-1.8.1.3-5.mga5.noarch
- isorelax-0-0.5.release20050331.8.mga5.noarch
- java-1.8.0-openjdk-devel-1.8.0.111-1.b16.1.mga5.x86_64
- jaxen-1.1.6-6.mga5.noarch
- jcip-annotations-1.0-7.mga5.noarch
- jdom-1.1.3-6.mga5.noarch
- jFormatString-0-6.11.20111215svn.3.mga5.noarch
- jsr-305-1-0.7.20090319svn.6.mga5.noarch
- junit-4.11-7.mga5.noarch
- log4j12-1.2.17-7.mga5.noarch
- msv-msv-2013.6.1-3.mga5.noarch
- msv-xsdlib-2013.6.1-3.mga5.noarch
- objectweb-asm-5.0.2-3.mga5.noarch
- objenesis-1.2-16.mga5.noarch
- qdox-1.12.1-7.mga5.noarch
- relaxngDatatype-1.0-12.mga5.noarch
- ws-jaxme-0.5.2-7.mga5.noarch
- xpp2-2.1.10-12.mga5.noarch
- xpp3-1.1.4-0.c.1.mga5.noarch

The description for it is: "This package is primarily used by Jenkins for slave node management, but it could be potentially reused outside of this project." Except that the base package 'jenkins' is not to be found!

Just to test the update process, I installed the package 'jenkins-remoting-2.53.3-1.mga5' and all the junk it wants from normal repos; then updated it - without problems - from Updates Testing to: 'jenkins-remoting-2.53.4-1.mga5', which merits OK in the circumstances.

Validating at the same time; Advisory already uploaded.
Keywords: (none) => validated_update
Whiteboard: advisory MGA5-32-OK => advisory MGA5-32-OK MGA5-64-OK
CC: (none) => lewyssmith, sysadmin-bugs
Postscript. This seems to be a test of package management.

Comment 6 shows all the 31 additional pkgs installed with 'jenkins-remoting' - many of which were nested dependencies. When I uninstalled it, it took just 13 others with it:
ant-1.9.4-5.mga5.noarch
dom4j-1.6.1-23.mga5.noarch
easymock-3.2-4.mga5.noarch
findbugs-3.0.0-1.mga5.noarch
hamcrest-1.3-6.mga5.noarch
jaxen-1.1.6-6.mga5.noarch
jdom-1.1.3-6.mga5.noarch
jenkins-remoting-2.53.4-1.mga5.noarch
junit-4.11-7.mga5.noarch
msv-msv-2013.6.1-3.mga5.noarch
qdox-1.12.1-7.mga5.noarch
ws-jaxme-0.5.2-7.mga5.noarch
xpp3-1.1.4-0.c.1.mga5.noarch

and reported the following 12 as newly orphaned:
apache-commons-io-2.4-8.mga5.noarch
cglib-3.1-4.mga5.noarch
findbugs-bcel-6.0-0.1.20140707svn1547656.1.mga5.noarch
hsqldb1-1.8.1.3-5.mga5.noarch
isorelax-0-0.5.release20050331.8.mga5.noarch
jFormatString-0-6.11.20111215svn.3.mga5.noarch
log4j12-1.2.17-7.mga5.noarch
msv-xsdlib-2013.6.1-3.mga5.noarch
objectweb-asm-5.0.2-3.mga5.noarch
objenesis-1.2-16.mga5.noarch
relaxngDatatype-1.0-12.mga5.noarch
xpp2-2.1.10-12.mga5.noarch

In addition to these listed orphans (taken care of by --auto-orphans), I manually removed (by cross-checking):
antlr-tool-2.7.7-30.mga5.noarch
bea-stax
bea-stax-api
java-1.8.0-openjdk-devel-1.8.0.111-1.b16.1.mga5.x86_64
jcip-annotations-1.0-7.mga5.noarch
jsr-305-1-0.7.20090319svn.6.mga5.noarch

= 31!
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2016-0406.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED
URL: (none) => https://lwn.net/Vulnerabilities/707705/