Bug 1861840
| Field | Value |
|---|---|
| Summary | CVE-2020-2181 CVE-2020-2182 jenkins-2-plugins: jenkins-credentials-binding-plugin: various flaws [openshift-4] |
| Product | OpenShift Container Platform |
| Reporter | Vibhav Bobade <vbobade> |
| Component | Jenkins |
| Assignee | Akram Ben Aissi <abenaiss> |
| Status | CLOSED ERRATA |
| QA Contact | Jitendar Singh <jitsingh> |
| Severity | medium |
| Docs Contact | |
| Priority | unspecified |
| Version | 4.4 |
| CC | abenaiss, aos-bugs, bmontgom, eparis, jburrell, jitsingh, jokerman, mcooper, nstielau, pbhattac, proguski, scuppett, sfowler, sponnaga, talessio, vbobade, yuxzhu |
| Target Milestone | --- |
| Keywords | Security, SecurityTracking |
| Target Release | 4.4.z |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | component:jenkins-2-plugins |
| Fixed In Version | |
| Doc Type | No Doc Update |
| Doc Text | |
| Story Points | --- |
| Clone Of | 1852331 |
| | 1861842 |
| Environment | |
| Last Closed | 2020-09-08 12:08:12 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 1852331 |
| Bug Blocks | 1847341, 1847348, 1861842 |
Description
Vibhav Bobade
2020-07-29 17:19:35 UTC

Note also that there is an RFE for linking multiple bugs to the same PR, which should help cases like this in the future: https://issues.redhat.com/browse/DPTP-1384

Moving to MODIFIED as it is fixed by https://github.com/openshift/jenkins/pull/1128 that fixes https://bugzilla.redhat.com/show_bug.cgi?id=1857558

Failing

```
sh-4.2$ cat /var/lib/jenkins/plugins/credentials-binding/META-INF/MANIFEST.MF |grep Implementation-Version
Implementation-Version: 1.19
```

I removed this bug from advisory RHSA-2020:58534 as the required jenkins-credentials-binding-plugin in version 1.23

@Vibhav - Looks like the plugin has now been updated, thanks for that: http://pkgs.devel.redhat.com/cgit/rpms/jenkins-2-plugins/commit/?h=rhaos-4.4-rhel-7&id=ba276791099868a82c974e9a75db812199380fcb

However, I think this should be in MODIFIED rather than ON_QA, so that ART catches it during the next z-stream prep and attaches it to an RHSA.

VERIFIED

```
=============================================
jsingh@localhost ~/Downloads/openshift-install-linux-4.4.0-0.ci-2020-08-31-004507
oc rsh jenkins-1-ph4kx
sh-4.2$ cat /var/lib/jenkins/plugins/junit/META-INF/MANIFEST.MF |grep Implementation-Version
Implementation-Version: 1.30
sh-4.2$ cat /var/lib/jenkins/plugins/matrix-project/META-INF/MANIFEST.MF |grep Implementation-Version
Implementation-Version: 1.17
sh-4.2$ cat /var/lib/jenkins/plugins/matrix-auth/META-INF/MANIFEST.MF |grep Implementation-Version
Implementation-Version: 2.6.2
sh-4.2$ cat /var/lib/jenkins/plugins/script-security/META-INF/MANIFEST.MF |grep Implementation-Version
Implementation-Version: 1.73
sh-4.2$ cat /var/lib/jenkins/plugins/credentials-binding/META-INF/MANIFEST.MF |grep Implementation-Version
Implementation-Version: 1.23
======================================================
jsingh@localhost ~/Downloads/openshift-install-linux-4.4.0-0.ci-2020-08-31-004507
oc new-app jenkins-ephemeral -p NAMESPACE=$(oc project -q) -p JENKINS_IMAGE_STREAM_TAG=jenkins-jitsingh:latest
--> Deploying template "openshift/jenkins-ephemeral" to project jenkins-test

     Jenkins (Ephemeral)
     ---------
     Jenkins service, without persistent storage.

     WARNING: Any data stored will be lost upon pod destruction. Only use this template for testing.

     A Jenkins service has been created in your project. Log into Jenkins with your OpenShift account. The tutorial at https://github.com/openshift/origin/blob/master/examples/jenkins/README.md contains more information about using this template.

     * With parameters:
        * Jenkins Service Name=jenkins
        * Jenkins JNLP Service Name=jenkins-jnlp
        * Enable OAuth in Jenkins=true
        * Memory Limit=1Gi
        * Jenkins ImageStream Namespace=jenkins-test
        * Disable memory intensive administrative monitors=false
        * Jenkins ImageStreamTag=jenkins-jitsingh:latest
        * Allows use of Jenkins Update Center repository with invalid SSL certificate=false

--> Creating resources ...
    route.route.openshift.io "jenkins" created
    deploymentconfig.apps.openshift.io "jenkins" created
    serviceaccount "jenkins" created
    rolebinding.authorization.openshift.io "jenkins_edit" created
    service "jenkins-jnlp" created
    service "jenkins" created
--> Success
    Access your application via route 'jenkins-jenkins-test.apps.jenkins-hekp-4419.qe.devcluster.openshift.com'
    Run 'oc status' to view your app.
====================================================================
✘ jsingh@localhost ~/Downloads/openshift-install-linux-4.4.0-0.ci-2020-08-31-004507
oc new-app -f https://raw.githubusercontent.com/openshift/origin/master/examples/jenkins/pipeline/maven-pipeline.yaml
--> Deploying template "jenkins-test/maven-pipeline" for "https://raw.githubusercontent.com/openshift/origin/master/examples/jenkins/pipeline/maven-pipeline.yaml" to project jenkins-test

     * With parameters:
        * Application Name=openshift-jee-sample
        * Source URL=https://github.com/openshift/openshift-jee-sample.git
        * Source Ref=master
        * GitHub Webhook Secret=FaVsf5WgOcrMCyyeEllICdBLS6Y7VmVO37TCUR32 # generated
        * Generic Webhook Secret=Q7ixeIk04QEruApxVItAmGVdPKOHRuM4MHdWskcx # generated

--> Creating resources ...
    imagestream.image.openshift.io "openshift-jee-sample" created
    imagestream.image.openshift.io "wildfly" created
    buildconfig.build.openshift.io "openshift-jee-sample" created
    buildconfig.build.openshift.io "openshift-jee-sample-docker" created
    deploymentconfig.apps.openshift.io "openshift-jee-sample" created
    service "openshift-jee-sample" created
    route.route.openshift.io "openshift-jee-sample" created
--> Success
    Use 'oc start-build openshift-jee-sample' to start a build.
    Use 'oc start-build openshift-jee-sample-docker' to start a build.
    Access your application via route 'openshift-jee-sample-jenkins-test.apps.jenkins-hekp-4419.qe.devcluster.openshift.com'
    Run 'oc status' to view your app.

jsingh@localhost ~/Downloads/openshift-install-linux-4.4.0-0.ci-2020-08-31-004507
oc start-build openshift-jee-sample
build.build.openshift.io/openshift-jee-sample-1 started

jsingh@localhost ~/Downloads/openshift-install-linux-4.4.0-0.ci-2020-08-31-004507
oc get pods -w
NAME                                  READY   STATUS              RESTARTS   AGE
jenkins-1-deploy                      0/1     Completed           0          13m
jenkins-1-ph4kx                       1/1     Running             0          13m
maven-0npz1                           0/1     Pending             0          0s
maven-0npz1                           0/1     Pending             0          0s
maven-0npz1                           0/1     ContainerCreating   0          0s
maven-0npz1                           0/1     ContainerCreating   0          2s
maven-0npz1                           0/1     ContainerCreating   0          4s
maven-0npz1                           1/1     Running             0          37s
maven-0npz1                           1/1     Terminating         0          75s
maven-0npz1                           1/1     Terminating         0          76s
openshift-jee-sample-docker-1-build   0/1     Pending             0          0s
openshift-jee-sample-docker-1-build   0/1     Pending             0          0s
openshift-jee-sample-docker-1-build   0/1     Init:0/2            0          0s
maven-0npz1                           0/1     Terminating         0          77s
openshift-jee-sample-docker-1-build   0/1     Init:0/2            0          2s
openshift-jee-sample-docker-1-build   0/1     Init:0/2            0          3s
openshift-jee-sample-docker-1-build   0/1     Init:1/2            0          4s
openshift-jee-sample-docker-1-build   0/1     PodInitializing     0          5s
openshift-jee-sample-docker-1-build   1/1     Running             0          6s
maven-0npz1                           0/1     Terminating         0          84s
maven-0npz1                           0/1     Terminating         0          84s
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: OpenShift Container Platform 4.4.20 jenkins-2-plugins security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:3625
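The verification in this bug is done by hand: `cat` each plugin's `META-INF/MANIFEST.MF`, `grep` the `Implementation-Version`, and compare it by eye with the version the advisory requires (1.23 for credentials-binding, where 1.19 was the failing state). The script below is an added example, not part of the bug report or of the jenkins-2-plugins package: it does the same check mechanically, so it can be run against a mounted plugin directory and fail loudly when a plugin is still below the fixed version. The `manifest_version`, `version_ge`, `check_plugin` and `demo` names and the required-version values are this example's own; the demo builds two constructed manifest files rather than reading a real Jenkins installation.

```shell
#!/bin/sh
# Added example (not from the bug report): check a Jenkins plugin's
# Implementation-Version from META-INF/MANIFEST.MF against a required minimum.

# Print the Implementation-Version from a manifest (empty if absent).
# JAR manifests use CRLF line endings, so strip the carriage return.
manifest_version() {
  sed -n 's/^Implementation-Version:[[:space:]]*//p' "$1" | tr -d '\r' | head -n 1
}

# Compare dotted versions numerically, component by component.
# Returns 0 if $1 >= $2, 1 otherwise. Missing components count as 0 and a
# non-numeric suffix (e.g. "-SNAPSHOT") is ignored for the comparison.
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"
    [ -n "$ai" ] || ai=0
    [ -n "$bi" ] || bi=0
    if [ "$ai" -gt "$bi" ]; then return 0; fi
    if [ "$ai" -lt "$bi" ]; then return 1; fi
    case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
    case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
  done
  return 0
}

# Check one unpacked plugin directory (e.g. /var/lib/jenkins/plugins/credentials-binding).
# Exit status: 0 = at or above minimum, 1 = below minimum, 2 = no version found.
check_plugin() {
  dir="$1"; min="$2"
  name=$(basename "$dir")
  v=$(manifest_version "$dir/META-INF/MANIFEST.MF" 2>/dev/null)
  if [ -z "$v" ]; then
    echo "$name: no Implementation-Version found in META-INF/MANIFEST.MF"
    return 2
  fi
  if version_ge "$v" "$min"; then
    echo "$name: $v (>= $min) OK"
    return 0
  fi
  echo "$name: $v (< $min) BELOW FIXED VERSION"
  return 1
}

# Constructed demo: two fake plugin trees mirroring the failing (1.19) and
# fixed (1.23) states quoted in the bug. Prints the per-plugin verdicts and
# the two exit statuses; it does not touch a real Jenkins installation.
demo() {
  root=$(mktemp -d)
  mkdir -p "$root/old/META-INF" "$root/new/META-INF"
  printf 'Manifest-Version: 1.0\r\nImplementation-Version: 1.19\r\n' > "$root/old/META-INF/MANIFEST.MF"
  printf 'Manifest-Version: 1.0\r\nImplementation-Version: 1.23\r\n' > "$root/new/META-INF/MANIFEST.MF"
  check_plugin "$root/old" 1.23 && old_rc=0 || old_rc=$?
  check_plugin "$root/new" 1.23 && new_rc=0 || new_rc=$?
  rm -rf "$root"
  echo "old=$old_rc new=$new_rc"
}

demo
```

Against a live pod the same functions would be pointed at `/var/lib/jenkins/plugins/<plugin>` (for instance via `oc rsh`, as in the verification above), looping over a list of plugin/minimum-version pairs taken from the advisory; a non-zero exit from `check_plugin` is what a CI gate or a compliance scan should key on, rather than a human reading grep output.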