[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Jenkins and DWF assignment
- To: jericho <jericho@attrition.org>
- Subject: Re: Jenkins and DWF assignment
- From: Kurt Seifried <kurt@seifried.org>
- Date: Tue, 2 May 2017 12:48:14 -0600
- Authentication-results: spf=none (sender IP is 129.83.29.2) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=seifried.org;
- Cc: CVE Editorial Board <cve-editorial-board-list@lists.mitre.org>
- Delivery-date: Tue May 2 15:00:02 2017
- In-reply-to: <alpine.LNX.2.00.1704272308550.32256@forced.attrition.org>
- List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
- List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
- List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
- List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
- References: <alpine.LNX.2.00.1704272308550.32256@forced.attrition.org>
- Sender: <owner-cve-editorial-board-list@lists.mitre.org>
- Spamdiagnosticmetadata: 6cdb8bfc89744bd8bfee511e3e65aa05
- Spamdiagnosticoutput: 1:2
The general thought was this is an intersection flaw, xstream has a safe option, it's just not the default, so until an actual app uses it unsafely, there's no flaw per se (much like SSL/TLS libs that don't check hostnames by default, but have a switch to do so).
On Thu, Apr 27, 2017 at 10:10 PM, jericho <jericho@attrition.org> wrote:
Kurt,
https://jenkins.io/security/advisory/2017-04-26/
Jenkins assigned a series of IDs using DWF-format yesterday. In the middle of them is an assignment for an issue that impacts them, but is in a third-party library.
XStream: Java crash when trying to instantiate void/Void SECURITY-503
/ CVE-2017-1000355 Jenkins uses the XStream library to serialize and
deserialize XML. Its maintainer recently published a security
vulnerability that allows anyone able to provide XML to Jenkins for
processing using XStream to crash the Java process. In Jenkins this
typically applies to users with permission to create or configure items
(jobs), views, or agents. Jenkins now prohibits the attempted
deserialization of void / Void that results in a crash.
Can you clarify if this assignment was made by DWF, with the knowledge that one of the IDs was for a third-party library, or if Jenkins requested a block and assigned it themselves?
Thanks,
Brian
Kurt Seifried
kurt@seifried.org
kurt@seifried.org
- Prev by Date: Current standards/criteria for 'Undefined Behavior'
- Next by Date: Agenda for CVE Board Meeting May 3
- Previous by thread: Re: Current standards/criteria for 'Undefined Behavior'
- Next by thread: Agenda for CVE Board Meeting May 3
- Index(es):
