Bug 1852331 - CVE-2020-2181 CVE-2020-2182 jenkins-2-plugins: jenkins-credentials-binding-plugin: various flaws [openshift-4]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Jenkins
Version: 4.5
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: medium
Target Milestone: ---
Target Release: 4.5.z
Assignee: Akram Ben Aissi
QA Contact: Jitendar Singh
URL:
Whiteboard: component:jenkins-2-plugins
Depends On: 1848216
Blocks: 1861840
Reported: 2020-06-30 07:17 UTC by Vibhav Bobade
Modified: 2020-09-01 06:59 UTC
CC List: 16 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1848216
Clones: 1861840
Environment:
Last Closed: 2020-08-26 09:20:17 UTC
Target Upstream Version:
Links
System: Github
ID: openshift jenkins pull 1100
Priority: None
Status: closed
Summary: Bug 1852331: CVE-2020-2182 jenkins-credentials-binding-plugin 1.0.23 [release 4.5]
Last Updated: 2020-08-31 02:24:54 UTC

Description Vibhav Bobade 2020-06-30 07:17:45 UTC
+++ This bug was initially created as a clone of Bug #1848216 +++

openshift-4 tracking bug for jenkins-2-plugins: see the bugs linked in the "Blocks" field of this bug for full details of the security issue(s).

This bug is never intended to be made public, please put any public notes in the blocked bugs.

Impact: Moderate
Public Date: 06-May-2020
PM Fix/Wontfix Decision By: 16-Sep-2020
Resolve Bug By: 06-May-2021

In case the dates above are already past, please evaluate this bug in your next prioritization review and make a decision then. Remember to explicitly set CLOSED:WONTFIX if you decide not to fix this bug.

Please see the Security Errata Policy for further details: https://docs.engineering.redhat.com/x/9RBqB

--- Additional comment from Stephen Cuppett on 2020-06-18 18:30:40 UTC ---

Setting to target the z-stream. This isn't due prior to GA and is not a showstopper.

--- Additional comment from Jitendar Singh on 2020-06-25 05:44:41 UTC ---

 jsingh@localhost  ~/go/src/github.com/redhat-developer  oc get pods
NAME               READY   STATUS      RESTARTS   AGE
jenkins-1-build    0/1     Completed   0          11m
jenkins-1-deploy   0/1     Completed   0          2m15s
jenkins-1-pm4rl    1/1     Running     0          2m11s
 jsingh@localhost  ~/go/src/github.com/redhat-developer  oc rsh jenkins-1-pm4rl
sh-4.2$ cat /var/lib/jenkins/plugins/credentials-binding/META-INF/MANIFEST.MF |grep Implementation-Version
Implementation-Version: 1.23
sh-4.2$ exit
exit
=====================================================
VERIFIED

Comment 1 Yuxiang Zhu 2020-07-27 08:33:52 UTC
It doesn't seem to me that the latest jenkins-2-plugins-4.5.1595405982-1.el7 RPM includes this fix. The linked PR is only for the upstream OKD build.
I think this bug should only be moved to MODIFIED once it is included in an ART build.

Comment 2 Jitendar Singh 2020-07-30 08:48:10 UTC
waiting for the nightly

Comment 3 Akram Ben Aissi 2020-08-05 14:50:13 UTC
The ART request was not done, so the RPM for the plugins was not updated.
ART request created here: https://issues.redhat.com/browse/ART-2104

Comment 4 Jitendar Singh 2020-08-18 07:55:08 UTC
verified
===================================
jsingh@localhost  ~/Downloads/openshift-install-linux-4.6.0-0.nightly-2020-08-18-015339  oc rsh jenkins-1-db4zh
sh-4.2$ cat /var/lib/jenkins/plugins/credentials-binding/META-INF/MANIFEST.MF |grep Implementation-Version
Implementation-Version: 1.23

========================================================
jenkins image quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:134e9b676dc612686563ec25dba8230ee7133640569022638820e5f52c7833e6 came from brew build openshift-jenkins-2-container-v4.5.0-202008131017.p0
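As an added example (not part of this bug record and not the Jenkins project's own tooling), the manifest check typed by hand in the verification comments above (both the one quoted in the description and the one in Comment 4) generalized into a small POSIX shell script: it extracts Implementation-Version from a plugin's MANIFEST.MF and compares it against a minimum version, so the same check can be applied to any plugin directory and scripted instead of read by eye. The minimum of 1.23 is the version the verification comments accept as fixed; the manifest contents below are constructed samples, and the path /var/lib/jenkins/plugins/credentials-binding/META-INF/MANIFEST.MF is the one shown in the comments.

```shell
#!/bin/sh
# Added example: compare a Jenkins plugin's Implementation-Version against a
# minimum (fixed) version. Sample manifests below are constructed, not taken
# from a real pod.

# Print the Implementation-Version from manifest text read on stdin.
manifest_version() {
    # MANIFEST.MF files may use CRLF line endings; strip the CR.
    sed -n 's/^Implementation-Version:[[:space:]]*//p' | tr -d '\r' | head -n 1
}

# Return 0 if dotted version $1 >= dotted version $2, 1 otherwise.
# Missing components count as 0, so 1.23 == 1.23.0.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Check manifest text $1 against minimum version $2.
# Exit status: 0 = at or above the fixed version, 1 = below it, 2 = no version found.
check_plugin() {
    v=$(printf '%s\n' "$1" | manifest_version)
    [ -n "$v" ] || { echo "no Implementation-Version found"; return 2; }
    if version_ge "$v" "$2"; then
        echo "installed $v >= fixed $2: OK"
        return 0
    else
        echo "installed $v < fixed $2: NEEDS UPDATE"
        return 1
    fi
}

# Constructed sample manifests. The real file lives at
# /var/lib/jenkins/plugins/credentials-binding/META-INF/MANIFEST.MF inside the pod.
FIXED_MANIFEST='Manifest-Version: 1.0
Short-Name: credentials-binding
Implementation-Version: 1.23'
OLD_MANIFEST='Manifest-Version: 1.0
Short-Name: credentials-binding
Implementation-Version: 1.22'

# Stand-alone run against the constructed samples.
check_plugin "$FIXED_MANIFEST" 1.23
check_plugin "$OLD_MANIFEST" 1.23 || true
```

Inside the pod (after `oc rsh <jenkins-pod>`), the same function applies to the real file with `check_plugin "$(cat /var/lib/jenkins/plugins/credentials-binding/META-INF/MANIFEST.MF)" 1.23`; a non-zero exit status flags an image whose plugin RPM has not yet picked up the fix, which is exactly the situation Comment 1 describes.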