Jenkins uses the XStream library to serialize and deserialize XML. Its maintainer recently published a security vulnerability that allows anyone able to provide XML to Jenkins for processing using XStream to crash the Java process. In Jenkins this typically applies to users with permission to create or configure items (jobs), views, or agents. Jenkins now prohibits the attempted deserialization of void / Void that results in a crash.

Affected versions:
All Jenkins main line releases up to and including 2.56
All Jenkins LTS releases up to and including 2.46.1

Fixed in:
Jenkins main line users should update to 2.57
Jenkins LTS users should update to 2.46.2

External References:
https://jenkins.io/security/advisory/2017-04-26/#xstream-java-crash-when-trying-to-instantiate-void-void
http://www.openwall.com/lists/oss-security/2017/04/03/4
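The mitigation described above, shown on a standalone XStream instance as an added example (this is not Jenkins' or XStream's own code; the class and method names are hypothetical, and it assumes an XStream release that provides the denyTypes type-permission API):

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;

/**
 * Hardened XStream setup: deny the primitive void type and its wrapper so
 * that an XML document naming them is refused by the security framework
 * before any attempt to instantiate the type is made.
 */
public final class VoidSafeXStream {

    public static XStream create() {
        XStream xstream = new XStream();
        // Refuse void / Void outright; resolving these element names to a
        // type is what led to the crash the advisory describes.
        xstream.denyTypes(new Class[] { void.class, Void.class });
        return xstream;
    }

    /** Returns true when the permission check rejects the document. */
    public static boolean isRejected(XStream xstream, String xml) {
        try {
            xstream.fromXML(xml);
            return false;
        } catch (ForbiddenClassException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        XStream xstream = create();
        // Constructed sample input: a root element naming the void type.
        System.out.println("void rejected: " + isRejected(xstream, "<void/>"));
        // Ordinary documents still unmarshal normally.
        System.out.println("string ok: " + xstream.fromXML("<string>hello</string>"));
    }
}
```

Newer XStream releases also refuse unknown types by default through an allow-list, so the explicit deny list is a belt-and-braces check rather than the only line of defence there.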
Acknowledgments: Name: the Jenkins project
Created jenkins tracking bugs for this issue:
Affects: fedora-all [bug 1446133]
Affects: openshift-1 [bug 1446134]
Any update on these issues? The security team here are wanting me to make their scan notices about this go away.