Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1418716 - (CVE-2017-1000362) CVE-2017-1000362 jenkins: Re-key admin monitor leaves behind unencrypted credentials in upgraded installations (SECURITY-376)
CVE-2017-1000362 jenkins: Re-key admin monitor leaves behind unencrypted cred...
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20170201,repor...
: Security
Depends On: 1418736
Blocks: 1395176 1418735
  Show dependency treegraph
 
Reported: 2017-02-02 09:59 EST by Andrej Nemec
Modified: 2018-06-29 18:17 EDT (History)
12 users (show)

See Also:
Fixed In Version: jenkins 2.44, jenkins 2.32.2
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Andrej Nemec 2017-02-02 09:59:51 EST 
The following flaw was found in Jenkins:

The re-key admin monitor was introduced in Jenkins 1.498 and re-encrypted all secrets in JENKINS_HOME with a new key. It also created a backup directory with all old secrets, and the key used to encrypt them. These backups were world-readable and not removed afterwards.

Jenkins now deletes the backup directory, if present. Upgrading from before 1.498 will no longer create a backup directory. Administrators relying on file access permissions in their manually created backups are advised to check them for the directory $JENKINS_HOME/jenkins.security.RekeySecretAdminMonitor/backups, and delete it if present.

All administrative monitors now require the user accessing them to be an administrator.

External References:

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2017-02-01

Upstream patch:

https://github.com/jenkinsci/jenkins/commit/0be33cf7328fad6a7596ce9505a74561a8b1eb85
Comment 1 Andrej Nemec 2017-02-02 10:26:34 EST 
Created jenkins tracking bugs for this issue:

Affects: fedora-all [bug 1418736]
Comment 2 Adam Mariš 2017-07-25 03:59:20 EDT 
CVE-2017-2605 was rejected. Using CVE-2017-1000362 instead.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.