Date: Mon, 20 Jun 2016 19:00:33 +0200 From: Daniel Beck <ml@...kweb.net> To: oss-security@...ts.openwall.com Subject: Jenkins plugins -- multiple fixes The Jenkins project published plugin updates today with fixes for multiple vulnerabilities. Users should upgrade these plugins to the indicated versions: * Async Http Client Plugin 126.96.36.199 * Build Failure Analyzer 1.16.0 * Image Gallery Plugin 1.4 * TAP Plugin 1.25 Summary and description of the vulnerabilities are below. Some more details, severity, and attribution can be found here: https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11 We provide advance notification for security updates on this mailing list: https://groups.google.com/d/forum/jenkinsci-advisories If you find security vulnerabilities in Jenkins, please report them as described here: https://jenkins.io/security/#reporting-vulnerabilities --- 1) SECURITY-85 / CVE-2016-4986: Path traversal vulnerability in TAP Plugin The plugin did not correctly filter a parameter and allowed reading arbitrary files on the file system. 2) SECURITY-278 / CVE-2016-4987: Path traversal vulnerability in Image Gallery Plugin The plugin did not correctly validate form fields and allowed listing arbitrary directories and reading arbitrary files on the file system. 3) SECURITY-290 / CVE-2016-4988: Cross-site scripting vulnerability in Build Failure Analyzer Plugin The plugin did not escape a parameter echoed on an HTML page, resulting in a reflected XSS vulnerability. 4) SECURITY-305 / CVE-2013-7397 and CVE-2013-7398: Async HTTP Client Plugin does not properly validate certificates Async HTTP Client Plugin provides the Async HTTP Client Java library to other plugins. It is based on the 1.7.x line of AHC, which by default is vulnerable to CVE-2013-7397 and CVE-2013-7398, allowing man-in-the-middle attacks. The fixes for these vulnerabilities were backported.
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ