Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 18 Nov 2015 11:00:13 +0100
From: Daniel Beck <ml@...kweb.net>
To: oss-security@...ts.openwall.com
Subject: Re: Re: CVE request: Jenkins remote code execution vulnerability due to unsafe deserialization


On 18.11.2015, at 01:54, cve-assign@...re.org wrote:

> As far as we know, "the Groovy variant in 'ysoserial'" means:
> 
>  https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/Groovy1.java


Exactly. My apologies for the vague description.

> Also, we are guessing that Groovy is relevant because of:
> 
>  https://wiki.jenkins-ci.org/display/JENKINS/Groovy+plugin


Groovy Plugin and its version is unrelated, as Groovy is included in Jenkins core. Jenkins was vulnerable even without Groovy Plugin.

> If it were necessary or recommended to change any component unique to
> Jenkins, then you can have an additional CVE ID for the ysoserial
> Groovy aspect of SECURITY-218. (Our expectation is that separate CVE
> IDs are needed because the Groovy plugin has own version numbering --
> such as version 1.27 -- that's separate from the version numbering of
> Jenkins core.)

We updated neither commons-collections nor Groovy, the fix for both is specific to Jenkins, in the same component, and was part of the same release of Jenkins. Does this mean the one CVE ID covers both?

-- 
Daniel Beck

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.