Bug #12596

Check Jenkins 2017-04-26 security advisory

Added by intrigeri over 2 years ago. Updated over 2 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Continuous Integration
Target version:
Start date: 05/25/2017
Due date:
% Done: 100%
Feature Branch:
Type of work: Sysadmin
Blueprint:
Starter:
Affected tool:

Description

Forwarded on Apr 27, pinged on May 16, no reply => let's track this on a ticket instead of trusting email.

Are we affected? Anything we should do to fix it?
Related issues

Blocks Tails - Feature #13233: Core work 2017Q3: Sysadmin (Maintain our already existing services) Resolved 06/29/2017

History

#1 Updated by intrigeri over 2 years ago

  • Target version changed from Tails_3.0 to Tails_3.1

It can wait one more month => cleaning up a bit your 3.0 plate :)

#2 Updated by intrigeri over 2 years ago

  • Blocks Feature #13233: Core work 2017Q3: Sysadmin (Maintain our already existing services) added

#3 Updated by bertagaz over 2 years ago

  • Assignee changed from bertagaz to intrigeri
  • QA Check set to Ready for QA

intrigeri wrote:

Are we affected? Anything we should do to fix it?

We are affected, in that the version of Jenkins we use is supposed to be vulnerable.

Now, as we're not running it publicly, but behind a web proxy, all the CLI vulnerabilities in this advisory are somehow mitigated. It's not available on the internet without the HTTP password.

The rest of the advisory is about an XSS vulnerability. I guess this one could work if one of us was logged in to Jenkins and clicked on a malicious link. OTOH, we don't find (and, hopefully, don't click if we do) that kind of link everywhere on the web, mostly on this Redmine instance.

We don't have many alternatives other than upgrading Jenkins if we consider this issue is important. Not sure when it's doable yet.

#4 Updated by intrigeri over 2 years ago

  • Status changed from Confirmed to Resolved
  • Assignee deleted (intrigeri)
  • % Done changed from 0 to 100
  • QA Check changed from Ready for QA to Pass

OK, I see. Basically we have no choice, given the version of Jenkins we're still running, other than relying purely on our HTTP password authentication and ignoring such issues. This is not a really good situation to be in, but I see no realistic short-term option, so I'll live with it. Marking as "Resolved" then.