Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 17 Apr 2024 18:35:21 +0200
From: Daniel Beck <>
Subject: Terrapin vulnerability in Jenkins CLI client

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

* Jenkins 2.452
* Jenkins LTS 2.440.3

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:

We provide advance notification for security updates on this mailing list:

If you discover security vulnerabilities in Jenkins, please report them as
described here:


SECURITY-3386 / CVE-2023-48795
The CLI client (`jenkins-cli.jar`) in Jenkins 2.451 and earlier, LTS
2.440.2 and earlier bundles versions of the Apache MINA SSHD library that
are susceptible to CVE-2023-48795 (Terrapin attack). This vulnerability
allows a machine-in-the-middle attacker to reduce the security of an SSH

NOTE: This only affects the Jenkins CLI client when using the `-ssh`
connection mode, which is not the default.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.