Date: Wed, 18 Nov 2015 11:00:13 +0100
From: Daniel Beck <>
Subject: Re: Re: CVE request: Jenkins remote code execution vulnerability due to unsafe deserialization

On 18.11.2015, at 01:54, wrote:

> As far as we know, "the Groovy variant in 'ysoserial'" means:

Exactly. My apologies for the vague description.

> Also, we are guessing that Groovy is relevant because of:

Groovy Plugin and its version are unrelated, as Groovy is included in Jenkins core. Jenkins was vulnerable even without Groovy Plugin.

> If it were necessary or recommended to change any component unique to
> Jenkins, then you can have an additional CVE ID for the ysoserial
> Groovy aspect of SECURITY-218. (Our expectation is that separate CVE
> IDs are needed because the Groovy plugin has own version numbering --
> such as version 1.27 -- that's separate from the version numbering of
> Jenkins core.)

We updated neither commons-collections nor Groovy; the fix for both is specific to Jenkins, in the same component, and was part of the same release of Jenkins. Does this mean the one CVE ID covers both?

Daniel Beck
