Bug#697617: jenkins: remote code execution vulnerability

Miguel Landaeta miguel at miguel.cc
Thu Jan 10 15:46:10 UTC 2013


On Thu, Jan 10, 2013 at 7:20 AM, James Page <james.page at ubuntu.com> wrote:
> Thanks Miguel;  I'm also about to upload the latest version of Jenkins
> to experimental which includes a fix for this issue and
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=696816 (which
> requires a new version of jenkins-winstone as well).
>
> We might want to consider whether updating unstable/testing to 1.480.2
> is actually the best way forward at this point in time.

Hi James,

I don't know if it is feasible at this point in the release cycle to
have a new upstream release of jenkins in sid even if it fixes some
security issues.

I backported the fix for CVE-2013-0158 from the stable branch and I
applied it to 1.447.2+dfsg-2. It applies cleanly but I'm getting an
FTBFS. I don't have time to review it right now but I'll go back to it
later.

I'm attaching the debdiff I got and the FTBFS log error.

BTW, recently the team of developers I work with began to use
Jenkins so I have some interest in it. If you are OK with that I can
jump in as co-maintainer.

Regards,

-- 
Miguel Landaeta, miguel at miguel.cc
secure email with PGP 0x6E608B637D8967E9 available at http://keyserver.pgp.com/
"Faith means not wanting to know what is true." -- Nietzsche
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jenkins_1.447.2+dfsg-3.debdiff
Type: application/octet-stream
Size: 121702 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-java-maintainers/attachments/20130110/6e3b0517/attachment-0002.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: jenkins_1.447.2+dfsg-3_amd64.build
Type: application/octet-stream
Size: 109218 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-java-maintainers/attachments/20130110/6e3b0517/attachment-0003.obj>

