Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
Date: Thu, 25 Jan 2018 09:59:31 +0100
From: Daniel Beck <>
Subject: Re: Multiple vulnerabilities in Jenkins

> On 14. Dec 2017, at 04:10, Daniel Beck <> wrote:
> A race condition during Jenkins startup could result in the wrong order of
> execution of commands during initialization.
> On Jenkins 2.81 and newer, including LTS 2.89.1, this could in rare cases
> (we estimate less than 20% of new instances) result in failure to
> initialize the setup wizard on the first startup. This resulted in multiple
> security-related settings not being set to their usual strict default.
> Affected instances need to be configured to restrict access.


> Additionally, there's a very short window of time after startup during
> which Jenkins may no longer show the "Please wait while Jenkins is getting
> ready to work" message, but Cross-Site Request Forgery (CSRF) protection
> may not yet be effective. As of publication of this advisory, we've been
> unable to confirm this can actually be exploited, but generally recommend
> that users upgrade their instances.
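The advisory above says that a failed setup wizard leaves "multiple security-related settings not at their usual strict default" without listing them. An administrator who wants to find such instances can audit $JENKINS_HOME/config.xml for the settings the wizard normally writes. The script below is an added example, not Jenkins code and not from the advisory; the element names and class attribute values it looks for (useSecurity, securityRealm, authorizationStrategy with denyAnonymousReadAccess, crumbIssuer) follow the config.xml layout written by the setup wizard as I recall it and should be verified against a freshly installed instance of the version you run. The two embedded config.xml samples are constructed for the example. Note that a config.xml check cannot detect the separate runtime window the advisory mentions in which CSRF protection is not yet effective after startup; only upgrading addresses that.

```python
"""Audit a Jenkins $JENKINS_HOME/config.xml for the loose settings that a
failed setup wizard can leave behind.  Added example; not Jenkins code."""
import sys
import xml.etree.ElementTree as ET

# Assumption: these class names match what the Jenkins setup wizard writes
# into config.xml for the strict defaults (verify on your own version).
STRICT_AUTHZ = "hudson.security.FullControlOnceLoggedInAuthorizationStrategy"
UNSECURED_AUTHZ = "hudson.security.AuthorizationStrategy$Unsecured"
DEFAULT_CRUMB = "hudson.security.csrf.DefaultCrumbIssuer"


def audit_jenkins_config(xml_text):
    """Return a list of findings (strings).  An empty list means every
    checked setting matches the strict post-wizard default."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1. Global security switch: wizard sets <useSecurity>true</useSecurity>.
    if (root.findtext("useSecurity") or "").strip().lower() != "true":
        findings.append("useSecurity is not true: security is disabled")

    # 2. Authentication: wizard installs the built-in user database realm.
    realm = root.find("securityRealm")
    realm_class = realm.get("class", "") if realm is not None else ""
    if not realm_class or realm_class.endswith("$None"):
        findings.append("no securityRealm configured: no authentication")

    # 3. Authorization: wizard uses 'logged-in users can do anything' and
    #    denies anonymous read access.
    authz = root.find("authorizationStrategy")
    if authz is None or authz.get("class") == UNSECURED_AUTHZ:
        findings.append("authorizationStrategy is missing or Unsecured: "
                        "anyone has full control")
    elif authz.get("class") == STRICT_AUTHZ:
        deny = (authz.findtext("denyAnonymousReadAccess") or "").strip().lower()
        if deny != "true":
            findings.append("denyAnonymousReadAccess is not true: "
                            "anonymous users can read")

    # 4. CSRF protection: wizard enables the default crumb issuer.
    crumb = root.find("crumbIssuer")
    if crumb is None:
        findings.append("no crumbIssuer: CSRF protection is off")
    elif crumb.get("class") != DEFAULT_CRUMB:
        findings.append("crumbIssuer is not the default issuer: %s"
                        % crumb.get("class"))

    return findings


# Constructed sample: what the wizard leaves after a normal first start.
STRICT_CONFIG = """<hudson>
  <version>2.89.1</version>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>true</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
  <crumbIssuer class="hudson.security.csrf.DefaultCrumbIssuer">
    <excludeClientIPFromCrumb>false</excludeClientIPFromCrumb>
  </crumbIssuer>
</hudson>"""

# Constructed sample: an instance whose wizard never ran (assumed shape).
LOOSE_CONFIG = """<hudson>
  <version>2.89.1</version>
  <useSecurity>false</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
  <securityRealm class="hudson.security.SecurityRealm$None"/>
</hudson>"""


if __name__ == "__main__":
    # Usage: python audit_jenkins_config.py /var/lib/jenkins/config.xml
    # With no argument the two constructed samples are audited instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"strict sample": STRICT_CONFIG, "loose sample": LOOSE_CONFIG}
    for name, text in samples.items():
        result = audit_jenkins_config(text)
        print("%s: %s" % (name, "OK" if not result else "; ".join(result)))
```

Run it against the config.xml of every instance installed in the affected version range; any instance that reports findings needs to be configured to restrict access, as the advisory says, and upgraded.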

