Bug 1032391 (CVE-2013-6372)

Summary: CVE-2013-6372 Jenkins: insecure storage of passwords in Subversion plugin (SECURITY-58)
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: aneelica, bleanhar, ccoleman, dmcphers, jdetiber, jialiu, jrusnack, lmeyer, mjc, mmcgrath, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-10-28 22:54:37 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1033371, 1033372, 1033373    
Bug Blocks: 1032405, 1103334    

Description Kurt Seifried 2013-11-20 05:27:37 UTC 
Kohsuke Kawaguchi reports:

Insecure storage of passwords in Subversion plugin.

Description
Just noticed, that ssh-key passphrases in <JOB>/subversion.credentials are only coded in base64 an can easily be decoded.
maybe this is fixed already. My setup is old and grown over time. Although i am running 1.500 the config-files may be old.
i did run the "re-keying" process, as jenkins told me to do. Nevertheless, passphrases are still stored in base64

This was originally reported by Lennart Starr
Comment 2 Vincent Danen 2013-11-21 19:01:00 UTC 
This is now public:

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-11-20
Comment 3 David Jorm 2013-11-21 22:21:49 UTC 
Upstream patch commit:

https://github.com/jenkinsci/subversion-plugin/commit/7d4562d6f7e40de04bbe29577b51c79f07d05ba6
Comment 5 Kurt Seifried 2014-06-25 07:24:36 UTC 
Statement:

Red Hat OpenShift Enterprise 1.2 is now in Production 1 Phase of the support
and maintenance life cycle. This has been rated as having Moderate security
impact and is not currently planned to be addressed in future updates. For
additional information, refer to the Red Hat OpenShift Enterprise Life Cycle:
https://access.redhat.com/site/support/policy/updates/openshift.
Comment 6 Kurt Seifried 2014-10-28 22:54:37 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Enterprise 2.1

Via RHBA-2014:1630 https://rhn.redhat.com/errata/RHBA-2014-1630.html