Date: Wed, 20 Feb 2013 23:35:55 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: kk@...suke.org
Subject: Re: Jenkins CVE request for Jenkins Security Advisory 2013-02-16

Ok no reply from anyone on this so I'm moving ahead.

On 02/17/2013 07:56 PM, Kurt Seifried wrote:
> I'm trying to sort out this security advisory so CVE #'s can be
> assigned to it, can you (kk@) please comment on this? thanks.
> 
> https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-02-16
>
> ==============
> One of the vulnerabilities allows cross-site request forgery (CSRF)
> attacks on Jenkins master, which causes a user to make unwanted
> actions on Jenkins.

Please use CVE-2013-0327 for this issue.

> Another vulnerability enables cross-site scripting (XSS) attacks,
> which has a similar consequence.

Please use CVE-2013-0328 for this issue.

> Another vulnerability allowed an attacker to bypass the CSRF
> protection mechanism in place, thereby mounting more CSRF
> attacks. These attacks allow an attacker without direct access to
> Jenkins to mount an attack.

Please use CVE-2013-0329 for this issue.

> In the fourth vulnerability, a malicious user of Jenkins can trick
> Jenkins into building jobs that he does not have direct access to.

Please use CVE-2013-0330 for this issue.

> And lastly, a vulnerability allows a malicious user of Jenkins to
> mount a denial of service attack by feeding a carefully crafted
> payload to Jenkins.

Please use CVE-2013-0331 for this issue.

> ================
> 
> So it sounds like 2 CSRF, 1 XSS, 1 "can trick Jenkins into building
> jobs that he does not have direct access to" (permissions bypass?) and
> a denial of service.
> 
> The 2 CSRF ones, were they discovered by separate researchers or the
> same person? Can you provide the code patches that fix them so I can
> see more details? Thanks.

Since I have to guess, I'm splitting them; they can be merged if it later
turns out to be the case.

> Also if you want to get CVE #'s for Jenkins advisories please do not
> hesitate to contact me/secalert@...hat.com, this will make tracking
> these issues a lot easier!

Again, if you want CVEs for your issues please do not hesitate to
contact me or secalert@...hat.com!

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

