Date: Wed, 18 Nov 2015 11:00:13 +0100 From: Daniel Beck <ml@...kweb.net> To: oss-security@...ts.openwall.com Subject: Re: Re: CVE request: Jenkins remote code execution vulnerability due to unsafe deserialization On 18.11.2015, at 01:54, cve-assign@...re.org wrote: > As far as we know, "the Groovy variant in 'ysoserial'" means: > > https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/Groovy1.java Exactly. My apologies for the vague description. > Also, we are guessing that Groovy is relevant because of: > > https://wiki.jenkins-ci.org/display/JENKINS/Groovy+plugin Groovy Plugin and its version is unrelated, as Groovy is included in Jenkins core. Jenkins was vulnerable even without Groovy Plugin. > If it were necessary or recommended to change any component unique to > Jenkins, then you can have an additional CVE ID for the ysoserial > Groovy aspect of SECURITY-218. (Our expectation is that separate CVE > IDs are needed because the Groovy plugin has own version numbering -- > such as version 1.27 -- that's separate from the version numbering of > Jenkins core.) We updated neither commons-collections nor Groovy, the fix for both is specific to Jenkins, in the same component, and was part of the same release of Jenkins. Does this mean the one CVE ID covers both? -- Daniel Beck
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.