Bug#697617: jenkins: remote code execution vulnerability

Guido Günther agx at sigxcpu.org
Wed Jan 30 20:33:18 UTC 2013


Hi James,
On Thu, Jan 10, 2013 at 05:03:44PM +0000, James Page wrote:
> On 10/01/13 15:46, Miguel Landaeta wrote:
> >>> We might want to consider whether updating unstable/testing to
> >>> 1.480.2 is actually the best way forward at this point in
> >>> time.
> > Hi James,
> > 
> > I don't know if it is feasible at this point in the release cycle
> > to have a new upstream release of jenkins in sid even if it fixes
> > some security issues.
> 
> Agreed; it's a last resort.
> 
> > I backported the fix for CVE-2013-0158 from stable branch and I
> > applied it to 1.447.2+dfsg-2. It applies cleanly but I'm getting a
> > FTBFS. I don't have time to review it right now but I'll go back to
> > it later.
> > 
> > I'm attaching the debdiff I got and the FTBFS log error.
> 
> I did much the same for the version in Ubuntu 12.04 (1.424.6); and hit
> similar issues. The key problem is the extent of the patch to fix this
> issue and the amount of code change in the TCP/Agent communication
> area between 1.480.2 and earlier versions we already have packaged.
> 
> I'm trying to get some advice from upstream on this - hopefully I'll
> hear back in the next ~24hrs

Any news on this one? Jenkins has become a candidate for removal due
to this one and I'd be sad to see a release without it.
Cheers,
 -- Guido