Jenkins and DWF assignment

• To: CVE Editorial Board <cve-editorial-board-list@lists.mitre.org>
• Subject: Jenkins and DWF assignment
• From: jericho <jericho@attrition.org>
• Date: Thu, 27 Apr 2017 23:10:38 -0500
• Authentication-results: spf=none (sender IP is 129.83.29.2) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=attrition.org;
• Delivery-date: Fri Apr 28 07:59:43 2017
• Importance: high
• List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
• List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
• List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
• List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
• Sender: <owner-cve-editorial-board-list@lists.mitre.org>
• Spamdiagnosticmetadata: 6cdb8bfc89744bd8bfee511e3e65aa05
• Spamdiagnosticoutput: 1:2
• User-agent: Alpine 2.00 (LNX 1167 2008-08-23)

Kurt,

https://jenkins.io/security/advisory/2017-04-26/

   XStream: Java crash when trying to instantiate void/Void  
SECURITY-503
   / CVE-2017-1000355 Jenkins uses the XStream library to serialize and
   deserialize XML. Its maintainer recently published a security
   vulnerability that allows anyone able to provide XML to Jenkins for
   processing using XStream to crash the Java process. In Jenkins this
   typically applies to users with permission to create or configure 
items
   (jobs), views, or agents.  Jenkins now prohibits the attempted
   deserialization of void / Void that results in a crash.

Thanks,

Brian

• Prev by Date: Re: Mozilla improper CVE assignment, does not conform to CNA rules
• Previous by thread: RE: Notes from April 17 meeting
• Index(es):
  • Date
  • Thread