[jenkins] 02/04: Documented the security issue with master/slave setups (CVE-2014-3665)

Emmanuel Bourg ebourg-guest at moszumanska.debian.org
Fri Dec 5 11:38:04 UTC 2014


This is an automated email from the git hooks/post-receive script.

ebourg-guest pushed a commit to branch master
in repository jenkins.

commit 0f3f8144fdc5f84d63e9e22cb3f21e7a397f1ba7
Author: Emmanuel Bourg <ebourg at apache.org>
Date:   Fri Dec 5 12:15:14 2014 +0100

    Documented the security issue with master/slave setups (CVE-2014-3665)
---
 debian/changelog                                        |  7 ++++++-
 debian/jenkins.README.Debian                            | 12 ++++++++++--
 debian/patches/0029-master-slave-security-warning.patch | 17 +++++++++++++++++
 debian/patches/series                                   |  1 +
 4 files changed, 34 insertions(+), 3 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 9e2a02a..d9e805c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,8 @@
-jenkins (1.565.3-3) unstable; urgency=medium
+jenkins (1.565.3-3) UNRELEASED; urgency=medium
 
   * Team upload.
+
+  [ Yann Rouillard ]
   * Added dependency on libcglib3-java to fix NoClassDefFoundError at runtime.
   * Removed Context Resource symlinks directives as they don't work anymore in
     Tomcat 8 and are not required for Jenkins (Closes: #769594)
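Review bot: Flipping the distribution from `unstable` to `UNRELEASED` while keeping the version at 1.565.3-3 is only correct if the -3 revision has not yet been uploaded; if it has, this change needs a new `1.565.3-4` entry instead of reopening the existing one. The added `[ Yann Rouillard ]` attribution block is consistent with the team-upload convention used in this changelog.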
@@ -9,6 +11,9 @@ jenkins (1.565.3-3) unstable; urgency=medium
   * Backported upstream patch to ensure HttpOnly cookie flag is properly set
     and avoid warning messages about Security cookie flag (Closes: #769682)
 
+  [ Emmanuel Bourg ]
+  * Documented the security issue with master/slave setups (CVE-2014-3665)
+
  -- Yann Rouillard <yann at pleiades.fr.eu.org>  Sat, 15 Nov 2014 12:14:33 +0000
 
 jenkins (1.565.3-2) unstable; urgency=medium
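Review bot: The trailer line ` -- Yann Rouillard <yann at pleiades.fr.eu.org>  Sat, 15 Nov 2014 12:14:33 +0000` is left untouched although a new `[ Emmanuel Bourg ]` block is appended above it; before upload the trailer should be regenerated (e.g. with `dch -r`) so the uploader and timestamp reflect the release. Consider also pointing the new `Documented the security issue with master/slave setups (CVE-2014-3665)` line at the Jenkins Security Advisory 2014-10-30 referenced in the UI patch, so changelog readers can find the upstream description of the issue.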
diff --git a/debian/jenkins.README.Debian b/debian/jenkins.README.Debian
index f14d271..170cb37 100644
--- a/debian/jenkins.README.Debian
+++ b/debian/jenkins.README.Debian
@@ -37,5 +37,13 @@ Jenkins:
 	  + see man jenkins-monitor-job for more details.
     - Jenkins CLI: jenkins-cli
       + see man jenkins-cli for more details.
-   
- -- James Page <james.page at ubuntu.com>  Wed, 20 Jul 2011 11:34:02 +0100
+
+
+Master/Slave Security Considerations
+------------------------------------
+
+Jenkins master and slaves behave as if they altogether form a single
+distributed process. This means a slave can ask a master to do just about
+anything within the confinement of the operating system, such as accessing
+files on the master or trigger other jobs on Jenkins. Therefore adding
+untrusted slaves to the cluster is not recommended.
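Review bot: The new section would be more useful with the advisory URL that the accompanying jelly patch already links (`https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-30`) and the CVE identifier from the commit title, since the README is where an administrator will look when deciding which slaves to attach; the text as written explains the risk but gives no pointer to the upstream guidance. Minor wording: "accessing files on the master or trigger other jobs" mixes verb forms; "accessing files on the master or triggering other jobs" reads correctly. Note also that the hunk removes the ` -- James Page <james.page at ubuntu.com>  Wed, 20 Jul 2011 11:34:02 +0100` attribution line from the README; if that was intentional it is fine, otherwise keep the credit below the new section.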
diff --git a/debian/patches/0029-master-slave-security-warning.patch b/debian/patches/0029-master-slave-security-warning.patch
new file mode 100644
index 0000000..9e16647
--- /dev/null
+++ b/debian/patches/0029-master-slave-security-warning.patch
@@ -0,0 +1,17 @@
+Description: Warn about the security issue with master/slave setups in the UI
+Author: Emmanuel Bourg <ebourg at apache.org>
+Forwarded: not-needed
+--- a/core/src/main/resources/hudson/model/ComputerSet/new.jelly
++++ b/core/src/main/resources/hudson/model/ComputerSet/new.jelly
+@@ -35,6 +35,11 @@
+   <l:layout norefresh="true" permission="${createPermission}">
+     <st:include page="sidepanel.jelly" />
+     <l:main-panel>
++
++      <p class="warning">WARNING: Do not add untrusted slaves to your configuration as they could run any command on the master node.<br/>
++      See the <a href="https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-30">Jenkins Security Advisory 2014-10-30</a>
++      for more information.</p>
++
+       <j:invokeStatic var="slaves" className="hudson.slaves.NodeDescriptor" method="allInstantiable" />
+       <n:form nameTitle="${%Node name}" copyTitle="${%Copy Existing Node}" copyNames="${it._slaveNames}"
+               descriptors="${slaves}" checkUrl="checkName" xmlns:n="/lib/hudson/newFromList" />
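Review bot: The warning text in `<p class="warning">WARNING: Do not add untrusted slaves ...` is hardcoded English, whereas the neighbouring markup uses the `${%...}` message-bundle convention (`${%Node name}`, `${%Copy Existing Node}`); using the same mechanism would keep the new string translatable alongside the rest of the page. The DEP-3 header carries `Description`, `Author` and `Forwarded: not-needed` but no `Bug-Debian` or `Last-Update` field; adding a reference to the CVE or the Debian bug would make the rationale for a Debian-only patch easier to trace when the package is later rebased.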
diff --git a/debian/patches/series b/debian/patches/series
index 8192d0b..fb76c72 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -23,3 +23,4 @@ build/0019-io-compat.pach.patch
 0026-add-jsr305-dependency.patch
 0027-add-cglib-dependency.patch
 0028-properly-set-httponly-flag-for-tomcat.patch
+0029-master-slave-security-warning.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/jenkins.git