[adminFFM 00111] Fwd: [oss-security] Multiple vulnerabilities in Jenkins
Magnus Frühling
magnus.fruehling at me.com
Thu Dec 14 10:30:42 CET 2017
Kind regards,
Magnus Frühling
------------------------
Sent from mobile...
Begin forwarded message:
> From: Daniel Beck <ml at beckweb.net>
> Date: 14 December 2017 at 04:10:26 CET
> To: oss-security at lists.openwall.com
> Subject: [oss-security] Multiple vulnerabilities in Jenkins
> Reply-To: oss-security at lists.openwall.com
>
> Jenkins is an open source automation server which enables developers around
> the world to reliably build, test, and deploy their software. The following
> releases contain fixes for security vulnerabilities:
>
> * Jenkins (weekly) 2.95
> * Jenkins (LTS) 2.89.2
>
> Descriptions of the vulnerabilities are below. Some more details,
> severity, and attribution can be found here:
> https://jenkins.io/security/advisory/2017-12-14/
>
> We provide advance notification for security updates on this mailing list:
> https://groups.google.com/d/forum/jenkinsci-advisories
>
> If you discover security vulnerabilities in Jenkins, please report them as
> described here:
> https://jenkins.io/security/#reporting-vulnerabilities
>
> ---
>
> SECURITY-667
> A race condition during Jenkins startup could result in the wrong order of
> execution of commands during initialization.
>
> On Jenkins 2.81 and newer, including LTS 2.89.1, this could in rare cases
> (we estimate less than 20% of new instances) result in failure to
> initialize the setup wizard on the first startup. This resulted in multiple
> security-related settings not being set to their usual strict default.
> Affected instances need to be configured to restrict access.
>
> Additionally, there's a very short window of time after startup during
> which Jenkins may no longer show the "Please wait while Jenkins is getting
> ready to work" message, but Cross-Site Request Forgery (CSRF) protection
> may not yet be effective. As of publication of this advisory, we've been
> unable to confirm this can actually be exploited, but generally recommend
> that users upgrade their instances.
>
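An added example for the first issue above (not part of the advisory or of Jenkins itself): a small audit of a Jenkins `config.xml` for the settings the setup wizard normally locks down, which is how an instance affected by SECURITY-667 would show up. Element and class names are assumed from the standard Jenkins `config.xml` layout, and both sample configs are constructed.

```python
# Added example, not from the advisory or the Jenkins project: audit a Jenkins
# $JENKINS_HOME/config.xml for the settings the setup wizard normally enables.
# Element and class names are assumed from the standard Jenkins config.xml layout.
import xml.etree.ElementTree as ET

UNSECURED = "hudson.security.AuthorizationStrategy$Unsecured"
LOGGED_IN = "hudson.security.FullControlOnceLoggedInAuthorizationStrategy"


def audit_jenkins_config(config_xml):
    """Return a list of findings; an empty list means the settings look strict."""
    root = ET.fromstring(config_xml)
    findings = []
    if root.findtext("useSecurity", default="").strip().lower() != "true":
        findings.append("useSecurity is not true: access control is disabled")
    strategy = root.find("authorizationStrategy")
    if strategy is None or strategy.get("class") == UNSECURED:
        findings.append("authorizationStrategy missing or Unsecured: anonymous has full control")
    elif (strategy.get("class") == LOGGED_IN
          and strategy.findtext("denyAnonymousReadAccess", default="false").lower() != "true"):
        findings.append("denyAnonymousReadAccess is false: anonymous users can read everything")
    if root.find("securityRealm") is None:
        findings.append("securityRealm missing: no authentication source configured")
    if root.find("crumbIssuer") is None:
        findings.append("crumbIssuer missing: CSRF protection is off")
    return findings


# Constructed sample: what an instance whose setup wizard never ran might look like.
WIZARD_SKIPPED = """<hudson>
  <useSecurity>false</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
</hudson>"""

# Constructed sample: the strict defaults the wizard normally writes.
HARDENED = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>true</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
  <crumbIssuer class="hudson.security.csrf.DefaultCrumbIssuer">
    <excludeClientIPFromCrumb>false</excludeClientIPFromCrumb>
  </crumbIssuer>
</hudson>"""

if __name__ == "__main__":
    for name, cfg in (("wizard-skipped", WIZARD_SKIPPED), ("hardened", HARDENED)):
        print(name, audit_jenkins_config(cfg) or ["no findings"])
```

Run it against a real `config.xml` by reading the file into a string; any finding on a fresh 2.81+ instance is a sign the wizard did not complete and access needs to be restricted by hand.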