author: rea <rea@FreeBSD.org> 2014-10-31 19:09:17 +0800
committer: rea <rea@FreeBSD.org> 2014-10-31 19:09:17 +0800
commit: 8a76f1c4ba157c49d57f577cf5f96698cc2f1c5f
tree: 308dee68fec7ccd54a577df11eeec431200e7c74 /security
parent: 7b0c9c4b45beeae58974a142e8660e8c68f1daca
VuXML: document vulnerability in Jenkins
CVE-2014-3665, remote code execution on master servers that can be initiated by (untrusted) slaves, https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-30
Diffstat (limited to 'security')
-rw-r--r-- security/vuxml/vuln.xml | 53 +
1 files changed, 53 insertions, 0 deletions
diff --git a/security/vuxml/vuln.xml b/security/vuxml/vuln.xml
index ab65a59b9f42..89ebcf0c4fbb 100644
--- a/security/vuxml/vuln.xml
+++ b/security/vuxml/vuln.xml
@@ -57,6 +57,59 @@ Notes:
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="0dad9114-60cc-11e4-9e84-0022156e8794">
+ <topic>jenkins -- slave-originated arbitrary code execution on master servers</topic>
+ <affects>
+ <package>
+ <name>jenkins</name>
+ <range><lt>1.587</lt></range>
+ </package>
+ <package>
+ <name>jenkins-lts</name>
+ <range><lt>1.580.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>Kohsuke Kawaguchi from Jenkins team reports:</p>
+ <blockquote cite="https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-30">
+ <p>Historically, Jenkins master and slaves behaved as if
+ they altogether form a single distributed process. This
+ means a slave can ask a master to do just about anything
+ within the confinement of the operating system, such as
+ accessing files on the master or trigger other jobs on
+ Jenkins.</p>
+ <p>This has increasingly become problematic, as larger
+ enterprise deployments have developed more sophisticated
+ trust separation model, where the administators of a master
+ might take slaves owned by other teams. In such an
+ environment, slaves are less trusted than the master.
+ Yet the "single distributed process" assumption was not
+ communicated well to the users, resulting in vulnerabilities
+ in some deployments.</p>
+ <p>SECURITY-144 (CVE-2014-3665) introduces a new subsystem
+ to address this problem. This feature is off by default for
+ compatibility reasons. See Wiki for more details, who should
+ turn this on, and implications.</p>
+ <p>CVE-2014-3566 is rated high. It only affects
+ installations that accept slaves from less trusted
+ computers, but this will allow an owner of of such slave to
+ mount a remote code execution attack on Jenkins.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2014-3665</cvename>
+ <url>https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-30</url>
+ <url>https://wiki.jenkins-ci.org/display/JENKINS/Slave+To+Master+Access+Control</url>
+ <url>http://www.cloudbees.com/jenkins-security-advisory-2014-10-30</url>
+ </references>
+ <dates>
+ <discovery>2014-10-30</discovery>
+ <entry>2014-10-31</entry>
+ </dates>
+ </vuln>
+
<vuln vid="f8c88d50-5fb3-11e4-81bd-5453ed2e2b49">
<topic>libssh -- PRNG state reuse on forking servers</topic>
<affects>
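Review bot: the CVE number in the last quoted paragraph of the new entry ("CVE-2014-3566 is rated high.") does not match the <cvename> CVE-2014-3665 or the SECURITY-144 paragraph two lines above it; CVE-2014-3566 is the POODLE SSLv3 identifier, so anyone cross-referencing this entry from that line lands on an unrelated issue. If the advisory itself carries the wrong number, keep the quote verbatim but mark it "[sic]" or trim the blockquote to the SECURITY-144 paragraph; if it was introduced while transcribing, correct it to CVE-2014-3665. Two smaller transcription points in the same blockquote: "administators" and "owner of of such slave". Separately, the quoted text states that the new slave-to-master access-control subsystem is off by default, while the <range> entries end at 1.587 and 1.580.1, which a reader will take as "upgrade and done"; a single sentence in the description saying that Slave To Master Access Control (already linked under <references>) must be enabled after upgrading would make the entry actionable.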