Bug#697617: jenkins: remote code execution vulnerability

James Page james.page at ubuntu.com
Thu Jan 10 17:03:44 UTC 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

On 10/01/13 15:46, Miguel Landaeta wrote:
>>> We might want to consider whether updating unstable/testing to
>>> 1.480.2 is actually the best way forward at this point in
>>> time.
> Hi James,
> 
> I don't know if it is feasible at this point in the release cycle
> to have a new upstream release of jenkins in sid even if it fixes
> some security issues.

Agreed; it's a last resort.

> I backported the fix for CVE-2013-0158 from stable branch and I 
> applied it to 1.447.2+dfsg-2. It applies cleanly but I'm getting a 
> FTBFS. I don't have time to review it right now but I'll go back to
> it later.
> 
> I'm attaching the debdiff I got and the FTBFS log error.

I did much the same for the version in Ubuntu 12.04 (1.424.6), and hit
similar issues. The key problem is the extent of the patch to fix this
issue and the amount of code change in the TCP/Agent communication
area between 1.480.2 and earlier versions we already have packaged.

I'm trying to get some advice from upstream on this; hopefully I'll
hear back in the next ~24hrs.

> BTW, recently the team of developers I work with began to use
> Jenkins so I have some interest in it. If you are OK with that I
> can jump in as co-maintainer.

Yes please!

Cheers

James

- -- 
James Page
Ubuntu Core Developer
Debian Maintainer
james.page at ubuntu.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with undefined - http://www.enigmail.net/
-----END PGP SIGNATURE-----
