[adminFFM 00111] Fwd: [oss-security] Multiple vulnerabilities in Jenkins

Magnus Frühling magnus.fruehling at me.com
Do Dez 14 10:30:42 CET 2017 


Mit freundlichen Grüßen,

Magnus Frühling

-—-—-—-—-—-—-—-—-—-—-—-—-

Mobil gesendet...

Anfang der weitergeleiteten E‑Mail:

> Von: Daniel Beck <ml at beckweb.net>
> Datum: 14. Dezember 2017 um 04:10:26 MEZ
> An: oss-security at lists.openwall.com
> Betreff: [oss-security] Multiple vulnerabilities in Jenkins
> Antwort an: oss-security at lists.openwall.com
> 
> Jenkins is an open source automation server which enables developers around
> the world to reliably build, test, and deploy their software. The following
> releases contain fixes for security vulnerabilities:
> 
> * Jenkins (weekly) 2.95
> * Jenkins (LTS) 2.89.2
> 
> Descriptions of the vulnerabilities are below. Some more details, 
> severity, and attribution can be found here:
> https://jenkins.io/security/advisory/2017-12-14/
> 
> We provide advance notification for security updates on this mailing list:
> https://groups.google.com/d/forum/jenkinsci-advisories
> 
> If you discover security vulnerabilities in Jenkins, please report them as
> described here:
> https://jenkins.io/security/#reporting-vulnerabilities
> 
> ---
> 
> SECURITY-667
> A race condition during Jenkins startup could result in the wrong order of
> execution of commands during initialization.
> 
> On Jenkins 2.81 and newer, including LTS 2.89.1, this could in rare cases
> (we estimate less than 20% of new instances) result in failure to
> initialize the setup wizard on the first startup. This resulted in multiple
> security-related settings not being set to their usual strict default.
> Affected instances need to be configured to restrict access.
> 
> Additionally, there's a very short window of time after startup during
> which Jenkins may no longer show the "Please wait while Jenkins is getting
> ready to work" message, but Cross-Site Request Forgery (CSRF) protection
> may not yet be effective. As of publication of this advisory, we've been
> unable to confirm this can actually be exploited, but generally recommend
> that users upgrade their instances.
> 
-------------- nächster Teil --------------
Ein Dateianhang mit HTML-Daten wurde abgetrennt...
URL: <http://lists.freifunk.net/mailman/private/admin-ffm-freifunk.net/attachments/20171214/0dc941fa/attachment.html>

Mehr Informationen über die Mailingliste admin-ffm