Bug 1861840
| Summary: | CVE-2020-2181 CVE-2020-2182 jenkins-2-plugins: jenkins-credentials-binding-plugin: various flaws [openshift-4] | | |
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Vibhav Bobade <vbobade> |
| Component: | Jenkins | Assignee: | Akram Ben Aissi <abenaiss> |
| Status: | CLOSED ERRATA | QA Contact: | Jitendar Singh <jitsingh> |
| Severity: | medium | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 4.4 | CC: | abenaiss, aos-bugs, bmontgom, eparis, jburrell, jitsingh, jokerman, mcooper, nstielau, pbhattac, proguski, scuppett, sfowler, sponnaga, talessio, vbobade, yuxzhu |
| Target Milestone: | --- | Keywords: | Security, SecurityTracking |
| Target Release: | 4.4.z | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | component:jenkins-2-plugins | | |
| Fixed In Version: | | Doc Type: | No Doc Update |
| Doc Text: | | Story Points: | --- |
| Clone Of: | 1852331 | | |
| : | 1861842 (view as bug list) | Environment: | |
| Last Closed: | 2020-09-08 12:08:12 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1852331 | | |
| Bug Blocks: | 1847341, 1847348, 1861842 | | |
|
Description
Vibhav Bobade
2020-07-29 17:19:35 UTC
Note also that there is an RFE for linking multiple bugs to the same PR, which should help cases like this in the future: https://issues.redhat.com/browse/DPTP-1384

Moving to MODIFIED as it is fixed by https://github.com/openshift/jenkins/pull/1128, which fixes https://bugzilla.redhat.com/show_bug.cgi?id=1857558

Failing:

```
sh-4.2$ cat /var/lib/jenkins/plugins/credentials-binding/META-INF/MANIFEST.MF |grep Implementation-Version
Implementation-Version: 1.19
```

I removed this bug from advisory RHSA-2020:58534 as the required jenkins-credentials-binding-plugin in version 1.23

@Vibhav - Looks like the plugin has now been updated, thanks for that: http://pkgs.devel.redhat.com/cgit/rpms/jenkins-2-plugins/commit/?h=rhaos-4.4-rhel-7&id=ba276791099868a82c974e9a75db812199380fcb

However, I think this should be in MODIFIED rather than ON_QA, so that ART catches it during the next z-stream prep and attaches it to an RHSA.

VERIFIED
```
=============================================
jsingh@localhost ~/Downloads/openshift-install-linux-4.4.0-0.ci-2020-08-31-004507 oc rsh jenkins-1-ph4kx
sh-4.2$ cat /var/lib/jenkins/plugins/junit/META-INF/MANIFEST.MF |grep Implementation-Version
Implementation-Version: 1.30
sh-4.2$ cat /var/lib/jenkins/plugins/matrix-project/META-INF/MANIFEST.MF |grep Implementation-Version
Implementation-Version: 1.17
sh-4.2$ cat /var/lib/jenkins/plugins/matrix-auth/META-INF/MANIFEST.MF |grep Implementation-Version
Implementation-Version: 2.6.2
sh-4.2$ cat /var/lib/jenkins/plugins/script-security/META-INF/MANIFEST.MF |grep Implementation-Version
Implementation-Version: 1.73
sh-4.2$ cat /var/lib/jenkins/plugins/credentials-binding/META-INF/MANIFEST.MF |grep Implementation-Version
Implementation-Version: 1.23
======================================================
jsingh@localhost ~/Downloads/openshift-install-linux-4.4.0-0.ci-2020-08-31-004507 oc new-app jenkins-ephemeral -p NAMESPACE=$(oc project -q) -p JENKINS_IMAGE_STREAM_TAG=jenkins-jitsingh:latest
--> Deploying template "openshift/jenkins-ephemeral" to project jenkins-test
Jenkins (Ephemeral)
---------
Jenkins service, without persistent storage.
WARNING: Any data stored will be lost upon pod destruction. Only use this template for testing.
A Jenkins service has been created in your project. Log into Jenkins with your OpenShift account. The tutorial at https://github.com/openshift/origin/blob/master/examples/jenkins/README.md contains more information about using this template.
* With parameters:
* Jenkins Service Name=jenkins
* Jenkins JNLP Service Name=jenkins-jnlp
* Enable OAuth in Jenkins=true
* Memory Limit=1Gi
* Jenkins ImageStream Namespace=jenkins-test
* Disable memory intensive administrative monitors=false
* Jenkins ImageStreamTag=jenkins-jitsingh:latest
* Allows use of Jenkins Update Center repository with invalid SSL certificate=false
--> Creating resources ...
route.route.openshift.io "jenkins" created
deploymentconfig.apps.openshift.io "jenkins" created
serviceaccount "jenkins" created
rolebinding.authorization.openshift.io "jenkins_edit" created
service "jenkins-jnlp" created
service "jenkins" created
--> Success
Access your application via route 'jenkins-jenkins-test.apps.jenkins-hekp-4419.qe.devcluster.openshift.com'
Run 'oc status' to view your app.
====================================================================
✘ jsingh@localhost ~/Downloads/openshift-install-linux-4.4.0-0.ci-2020-08-31-004507 oc new-app -f https://raw.githubusercontent.com/openshift/origin/master/examples/jenkins/pipeline/maven-pipeline.yaml
--> Deploying template "jenkins-test/maven-pipeline" for "https://raw.githubusercontent.com/openshift/origin/master/examples/jenkins/pipeline/maven-pipeline.yaml" to project jenkins-test
* With parameters:
* Application Name=openshift-jee-sample
* Source URL=https://github.com/openshift/openshift-jee-sample.git
* Source Ref=master
* GitHub Webhook Secret=FaVsf5WgOcrMCyyeEllICdBLS6Y7VmVO37TCUR32 # generated
* Generic Webhook Secret=Q7ixeIk04QEruApxVItAmGVdPKOHRuM4MHdWskcx # generated
--> Creating resources ...
imagestream.image.openshift.io "openshift-jee-sample" created
imagestream.image.openshift.io "wildfly" created
buildconfig.build.openshift.io "openshift-jee-sample" created
buildconfig.build.openshift.io "openshift-jee-sample-docker" created
deploymentconfig.apps.openshift.io "openshift-jee-sample" created
service "openshift-jee-sample" created
route.route.openshift.io "openshift-jee-sample" created
--> Success
Use 'oc start-build openshift-jee-sample' to start a build.
Use 'oc start-build openshift-jee-sample-docker' to start a build.
Access your application via route 'openshift-jee-sample-jenkins-test.apps.jenkins-hekp-4419.qe.devcluster.openshift.com'
Run 'oc status' to view your app.
jsingh@localhost ~/Downloads/openshift-install-linux-4.4.0-0.ci-2020-08-31-004507 oc start-build openshift-jee-sample
build.build.openshift.io/openshift-jee-sample-1 started
jsingh@localhost ~/Downloads/openshift-install-linux-4.4.0-0.ci-2020-08-31-004507 oc get pods -w
NAME READY STATUS RESTARTS AGE
jenkins-1-deploy 0/1 Completed 0 13m
jenkins-1-ph4kx 1/1 Running 0 13m
maven-0npz1 0/1 Pending 0 0s
maven-0npz1 0/1 Pending 0 0s
maven-0npz1 0/1 ContainerCreating 0 0s
maven-0npz1 0/1 ContainerCreating 0 2s
maven-0npz1 0/1 ContainerCreating 0 4s
maven-0npz1 1/1 Running 0 37s
maven-0npz1 1/1 Terminating 0 75s
maven-0npz1 1/1 Terminating 0 76s
openshift-jee-sample-docker-1-build 0/1 Pending 0 0s
openshift-jee-sample-docker-1-build 0/1 Pending 0 0s
openshift-jee-sample-docker-1-build 0/1 Init:0/2 0 0s
maven-0npz1 0/1 Terminating 0 77s
openshift-jee-sample-docker-1-build 0/1 Init:0/2 0 2s
openshift-jee-sample-docker-1-build 0/1 Init:0/2 0 3s
openshift-jee-sample-docker-1-build 0/1 Init:1/2 0 4s
openshift-jee-sample-docker-1-build 0/1 PodInitializing 0 5s
openshift-jee-sample-docker-1-build 1/1 Running 0 6s
maven-0npz1 0/1 Terminating 0 84s
maven-0npz1 0/1 Terminating 0 84s
```
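The verification above reads each plugin's `Implementation-Version` from its `MANIFEST.MF` by hand inside the pod. The following is an added example, not code from this bug report or from the openshift/jenkins project: a POSIX shell script that reads the same manifests and compares them with a minimum fixed version, so the check can be scripted across many Jenkins pods instead of eyeballed. The plugin path layout (`<plugins dir>/<name>/META-INF/MANIFEST.MF`) comes from the transcript and the credentials-binding >= 1.23 requirement from the comments; the manifests the script writes are constructed fixtures, and the script-security 1.73 entry in the fixture only mirrors the version shown above, not a stated minimum.

```shell
#!/bin/sh
# Added example, not part of the bug report or the openshift/jenkins project.
# Automates the check the VERIFIED comment performs by hand: read
# Implementation-Version from each plugin's MANIFEST.MF under the Jenkins
# plugins directory and compare it with the minimum fixed version
# (credentials-binding >= 1.23 for CVE-2020-2181 / CVE-2020-2182).
# The directory layout follows the transcript; every manifest written here is
# a constructed fixture, not a file from a real Jenkins pod.

# plugin_version DIR NAME: print the Implementation-Version of plugin NAME
# under plugins dir DIR; print nothing (and fail) when the manifest is absent.
plugin_version() {
    mf="$1/$2/META-INF/MANIFEST.MF"
    [ -f "$mf" ] || return 1
    # Jar manifests use CRLF line endings; drop the CR so string compares work.
    sed -n 's/^Implementation-Version: *//p' "$mf" | tr -d '\r'
}

# version_ge A B: succeed when dotted numeric version A >= B
# (1.23 >= 1.19, 1.23.1 >= 1.23, 1.9 < 1.23). Missing fields count as 0;
# a non-numeric suffix such as "-SNAPSHOT" is ignored for the comparison.
version_ge() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}" y="${b%%.*}"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        x="${x%%[!0-9]*}" y="${y%%[!0-9]*}"
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# check_plugin DIR NAME MIN: print "NAME INSTALLED MIN STATUS"; return 0 when
# fixed, 1 when the installed version is older than MIN, 2 when not installed.
check_plugin() {
    ver="$(plugin_version "$1" "$2" || true)"
    if [ -z "$ver" ]; then
        echo "$2 - $3 MISSING"; return 2
    elif version_ge "$ver" "$3"; then
        echo "$2 $ver $3 OK"; return 0
    else
        echo "$2 $ver $3 VULNERABLE"; return 1
    fi
}

# audit_plugins DIR: read "NAME MIN" lines from stdin, check each plugin and
# return how many are missing or too old (0 means the tree is clean).
audit_plugins() {
    bad=0
    while read -r name min; do
        [ -n "$name" ] || continue
        check_plugin "$1" "$name" "$min" || bad=$((bad + 1))
    done
    return "$bad"
}

# write_manifest DIR NAME VERSION: constructed fixture, CRLF like a real manifest.
write_manifest() {
    mkdir -p "$1/$2/META-INF"
    printf 'Manifest-Version: 1.0\r\nImplementation-Version: %s\r\n' "$3" \
        > "$1/$2/META-INF/MANIFEST.MF"
}

# make_fixtures: build two throwaway plugin trees mirroring the comments above,
# "failing" with credentials-binding 1.19 and "verified" with 1.23 (plus
# script-security 1.73 as seen in the transcript); print their parent directory.
make_fixtures() {
    root="$(mktemp -d)"
    write_manifest "$root/failing" credentials-binding 1.19
    write_manifest "$root/verified" credentials-binding 1.23
    write_manifest "$root/verified" script-security 1.73
    echo "$root"
}

# Stand-alone demo: audit both trees against the requirement from this bug.
ROOT="$(make_fixtures)"
for tree in failing verified; do
    echo "== $tree"
    printf '%s\n' "credentials-binding 1.23" | audit_plugins "$ROOT/$tree" \
        && bad=0 || bad=$?
    echo "$bad plugin(s) need updating"
done
rm -rf "$ROOT"
```

Against a real pod the fixture functions are not needed: copy the script in and call `audit_plugins /var/lib/jenkins/plugins` with the required `NAME MIN` list on stdin. The exit status is the number of plugins still below their fixed versions, which makes it usable as a gate in a z-stream verification job rather than a manual `grep` per plugin.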
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: OpenShift Container Platform 4.4.20 jenkins-2-plugins security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:3625