Date: Fri, 3 Oct 2014 15:21:36 -0700
From: Luca Carettoni <luca.carettoni@...isoft.com>
To: oss-security@...ts.openwall.com
Cc: Solar Designer <solar@...nwall.com>
Subject: Re: Security advisory in Jenkins

Ironically, you could use the OWASP Dependency-Check Jenkins plugin:
https://wiki.jenkins-ci.org/display/JENKINS/OWASP+Dependency-Check+Plugin

As it uses NVD, CVE-2013-2186 is tracked.

Cheers,
Luca

On Fri, Oct 3, 2014 at 2:44 PM, Kohsuke Kawaguchi <kk@...suke.org> wrote:

> We are still learning how we should handle vulnerabilities, so I'm sure
> there's room for improvements.
>
> We have multiple release lines to which the fixes have to be released
> simultaneously, and overall this overhead is significant. That's why we did
> one massive release that contains all the fixes.
>
> Wrt CVE-2013-2186, a week ago we got a report from somebody that he did a
> security scan and found that we are still using a vulnerable version of the
> library to which CVE-2013-2186 is assigned. In this release we use a newer
> version of the library that addresses the problem, and I thought it'd be
> appropriate to raise a flag to the users that if they continue to use older
> versions, they'd remain vulnerable to CVE-2013-2186. That's why it's in the
> advisory. It is not because we sat on a report for more than a year.
>
> When you say the timeframe is especially concerning, perhaps you mean you
> are concerned that we fail to notice this vulnerability in our library for
> more than a year, and if so, you are of course right. The Jenkins project has
> gotten a long list of library dependencies, and I haven't found any
> practical means to get notified when vulnerabilities are found in any one
> of them.
>
> 2014-10-01 19:11 GMT-07:00 Solar Designer <solar@...nwall.com>:
>
> > Bryan - I think Kohsuke is not subscribed.  I've added CC.
> >
> > On Wed, Oct 01, 2014 at 08:36:59PM -0500, Bryan Drewery wrote:
> > > On 10/1/2014 6:25 PM, Kohsuke Kawaguchi wrote:
> > > > I just wanted to share that the Jenkins project issued a security advisory
> > > > today. These issues are independently found and we've aggregated into a
> > > > single release.
> > > >
> > > > The relevant CVE IDs, our bug tracking IDs are available here
> > > > <https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-01>.
> > > >
> > > > The new versions can be downloaded from here
> > > > <http://mirrors.jenkins-ci.org/>.
> > > >
> > > > (This is the first time I do this, so my apologies in advance for probably
> > > > failing to follow the expected format.)
> > >
> > > Kudos to all for finding and fixing these issues. It was quite a
> > > surprising list though. Were these fixes kept from release for an
> > > extended time? The timeframe for CVE-2013-2186 is especially
> > > concerning.
> >
> > Many of these issues were brought to the distros list on Fri Sep 26
> > 17:10:16 2014 UTC, and got their CVE IDs assigned there.  However,
> > CVE-2013-2186 was not among those.  I don't know why the old CVE ID,
> > nor how that issue was handled.
> >
> > Alexander
> >
>
>
>
> --
> Kohsuke Kawaguchi
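The thread turns on one practical gap: a project with many third-party libraries has no automatic way to learn when an NVD entry lands on one of them, and the suggested fix is an NVD-backed dependency scan. The script below is an added example (not part of the list mail, and not the OWASP Dependency-Check plugin's own code) of the core of such a scan: it parses a Maven-style `group:artifact:version` manifest, compares each dependency against vulnerability records carrying NVD-style `versionStartIncluding` / `versionEndExcluding` ranges, and reports the matches. The manifest, the library names and the `CVE-0000-000x` identifiers are all constructed placeholders, and no network access to the NVD is made.

```python
"""Toy dependency-vs-vulnerability-feed matcher (added example).

Illustrates the kind of check an NVD-backed dependency scanner performs.
It is not the OWASP Dependency-Check plugin's code and does not fetch the
NVD; all records below are constructed placeholders.
"""
import re
from typing import Dict, List, Tuple

# Constructed dependency manifest in Maven "group:artifact:version" form.
DEPENDENCIES = """
org.example:upload-lib:1.2.1
org.example:upload-lib:1.3
org.example:xml-parser:2.0.5
org.example:logging:0.9
"""

# Constructed NVD-style records. The range keys mirror the cpe_match
# fields of the NVD JSON feeds (versionStartIncluding, versionEndExcluding,
# ...). The CVE ids are placeholders, not real assignments.
FEED: List[Dict[str, str]] = [
    {
        "id": "CVE-0000-0001",
        "product": "upload-lib",
        "versionStartIncluding": "1.0",
        "versionEndExcluding": "1.3",   # fixed in 1.3
    },
    {
        "id": "CVE-0000-0002",
        "product": "xml-parser",
        "versionStartIncluding": "2.0",
        "versionEndIncluding": "2.0.5",  # 2.0.5 itself is still affected
    },
]


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.2.1' -> (1, 2, 1). Non-numeric qualifiers such as '-beta' are
    dropped, a deliberate simplification of real version schemes."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1 like a comparator; pads so '1.3' == '1.3.0'."""
    va, vb = parse_version(a), parse_version(b)
    n = max(len(va), len(vb))
    va += (0,) * (n - len(va))
    vb += (0,) * (n - len(vb))
    return (va > vb) - (va < vb)


def in_range(version: str, rec: Dict[str, str]) -> bool:
    """Apply whichever NVD-style bounds the record carries."""
    if "versionStartIncluding" in rec and compare_versions(version, rec["versionStartIncluding"]) < 0:
        return False
    if "versionStartExcluding" in rec and compare_versions(version, rec["versionStartExcluding"]) <= 0:
        return False
    if "versionEndIncluding" in rec and compare_versions(version, rec["versionEndIncluding"]) > 0:
        return False
    if "versionEndExcluding" in rec and compare_versions(version, rec["versionEndExcluding"]) >= 0:
        return False
    return True


def parse_manifest(text: str) -> List[Tuple[str, str, str]]:
    """Yield (group, artifact, version) triples; blank lines are skipped."""
    deps = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        group, artifact, version = line.split(":", 2)
        deps.append((group, artifact, version))
    return deps


def scan_manifest(text: str, feed: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (coordinate, cve_id) pairs for every dependency whose
    artifactId names an affected product and whose version falls in range."""
    hits = []
    for group, artifact, version in parse_manifest(text):
        for rec in feed:
            if rec["product"] == artifact and in_range(version, rec):
                hits.append((f"{group}:{artifact}:{version}", rec["id"]))
    return hits


if __name__ == "__main__":
    for coordinate, cve in scan_manifest(DEPENDENCIES, FEED):
        print(f"{coordinate} is affected by {cve}")
```

The toy matches on exact artifactId equality; a real scanner has to map build artifacts onto CPE product names, which is where most of the false positives and negatives of NVD-based tooling come from, and it has to re-run the comparison whenever the feed changes, since the whole point of the thread is catching an entry that appears after the dependency was first added.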
