Red Hat Bugzilla – Bug 1032391
CVE-2013-6372 Jenkins: insecure storage of passwords in Subversion plugin (SECURITY-58)
Last modified: 2014-10-29 08:15:04 EDT
Kohsuke Kawaguchi reports:
Insecure storage of passwords in Subversion plugin.
Just noticed, that ssh-key passphrases in <JOB>/subversion.credentials are only coded in base64 an can easily be decoded.
maybe this is fixed already. My setup is old and grown over time. Although i am running 1.500 the config-files may be old.
i did run the "re-keying" process, as jenkins told me to do. Nevertheless, passphrases are still stored in base64
This was originally reported by Lennart Starr
This is now public:
Upstream patch commit:
Red Hat OpenShift Enterprise 1.2 is now in Production 1 Phase of the support
and maintenance life cycle. This has been rated as having Moderate security
impact and is not currently planned to be addressed in future updates. For
additional information, refer to the Red Hat OpenShift Enterprise Life Cycle:
This issue has been addressed in the following products:
Red Hat OpenShift Enterprise 2.1
Via RHBA-2014:1630 https://rhn.redhat.com/errata/RHBA-2014-1630.html