Date: Thu, 25 Jan 2018 09:59:31 +0100
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Re: Multiple vulnerabilities in Jenkins

> On 14. Dec 2017, at 04:10, Daniel Beck <ml@...kweb.net> wrote:
>
> SECURITY-667
> A race condition during Jenkins startup could result in the wrong order of
> execution of commands during initialization.
>
> On Jenkins 2.81 and newer, including LTS 2.89.1, this could in rare cases
> (we estimate less than 20% of new instances) result in failure to
> initialize the setup wizard on the first startup. This resulted in multiple
> security-related settings not being set to their usual strict default.
> Affected instances need to be configured to restrict access.

CVE-2017-1000503

> Additionally, there's a very short window of time after startup during
> which Jenkins may no longer show the "Please wait while Jenkins is getting
> ready to work" message, but Cross-Site Request Forgery (CSRF) protection
> may not yet be effective. As of publication of this advisory, we've been
> unable to confirm this can actually be exploited, but generally recommend
> that users upgrade their instances.

CVE-2017-1000504
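The advisory above says instances whose setup wizard failed to run were left with security settings "not set to their usual strict default" and "need to be configured to restrict access", but does not say how to tell such an instance apart. The script below is an added example, not part of the advisory or of Jenkins itself: it audits a root config.xml for the access-control settings the wizard normally applies (security enabled, a real security realm, a non-open authorization strategy, a CSRF crumb issuer, inbound TCP agent port disabled). The element and class names are assumed from the layout of $JENKINS_HOME/config.xml written by Jenkins 2.x, and both sample configurations are constructed for illustration, not captured from a real instance.

```python
"""Audit a Jenkins root config.xml for the access-control settings that the
setup wizard normally applies on a successful first start.

Added example, not code from the advisory or from the Jenkins project.
Element and class names are assumed from the $JENKINS_HOME/config.xml layout
written by Jenkins 2.x; verify them against your own instance's file.
"""
import xml.etree.ElementTree as ET

# Class names Jenkins writes when no security realm / authorization strategy
# has been configured (assumed from the 2.x on-disk format).
OPEN_REALM = "hudson.security.SecurityRealm$None"
OPEN_AUTHZ = "hudson.security.AuthorizationStrategy$Unsecured"


def audit_config(xml_text: str) -> list[str]:
    """Return a list of findings; an empty list means every checked setting
    matches what a completed setup wizard leaves behind."""
    root = ET.fromstring(xml_text)
    findings = []

    if root.findtext("useSecurity", "").strip() != "true":
        findings.append("useSecurity is not 'true': access control is switched off")

    realm = root.find("securityRealm")
    if realm is None or realm.get("class") == OPEN_REALM:
        findings.append("securityRealm missing or $None: no authentication configured")

    authz = root.find("authorizationStrategy")
    if authz is None or authz.get("class") == OPEN_AUTHZ:
        findings.append("authorizationStrategy missing or $Unsecured: anyone has full control")

    if root.find("crumbIssuer") is None:
        findings.append("crumbIssuer missing: CSRF protection disabled")

    port = root.findtext("slaveAgentPort", "").strip()
    if port != "-1":
        findings.append(f"slaveAgentPort is {port or 'unset'}: inbound TCP agent port "
                        "enabled (wizard default is -1, disabled)")

    return findings


def audit_file(path: str) -> list[str]:
    """Convenience wrapper for auditing a config.xml on disk."""
    with open(path, encoding="utf-8") as fh:
        return audit_config(fh.read())


# Constructed sample: the shape of config.xml when the wizard never
# initialised security (illustrative, not a real capture).
UNINITIALISED_CONFIG = """<hudson>
  <version>2.89.1</version>
  <useSecurity>false</useSecurity>
  <authorizationStrategy class="hudson.security.AuthorizationStrategy$Unsecured"/>
  <securityRealm class="hudson.security.SecurityRealm$None"/>
  <slaveAgentPort>0</slaveAgentPort>
</hudson>
"""

# Constructed sample: the shape of config.xml after a completed setup wizard.
HARDENED_CONFIG = """<hudson>
  <version>2.89.1</version>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>true</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
  <crumbIssuer class="hudson.security.csrf.DefaultCrumbIssuer">
    <excludeClientIPFromCrumb>false</excludeClientIPFromCrumb>
  </crumbIssuer>
  <slaveAgentPort>-1</slaveAgentPort>
</hudson>
"""

if __name__ == "__main__":
    for name, cfg in (("uninitialised", UNINITIALISED_CONFIG),
                      ("hardened", HARDENED_CONFIG)):
        result = audit_config(cfg)
        print(f"{name}: {'OK' if not result else str(len(result)) + ' finding(s)'}")
        for finding in result:
            print("  -", finding)
```

Run it against a live instance with `audit_file("/var/lib/jenkins/config.xml")`; any finding on a 2.81+ instance that was first started before upgrading to a fixed release is a candidate for the failed-wizard condition the advisory describes, and the listed settings should be set by hand rather than waiting for a restart to do it.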