Use metadata for most security advisory sections

This commit is contained in:
Daniel Beck 2018-01-22 17:14:29 +01:00
parent 30874398c2
commit 37a0b47b64
3 changed files with 183 additions and 62 deletions

View File

@ -0,0 +1,97 @@
---
layout: simplepage
section: security
---
:ruby
plugins = page.issues.collect { |issue| issue.plugins }.flatten.uniq.sort { |x,y| site._generated[:update_center].plugins[x.name].title <=> site._generated[:update_center].plugins[y.name].title }
credits = page.issues.reduce({}) do |issues, issue|
if issue.has_key?("reporter")
if !issues.has_key?(issue.reporter)
issues[issue.reporter] = []
end
if !issues[issue.reporter].include?(issue.id)
issues[issue.reporter] << issue.id
end
end
issues
end
credits = credits.sort_by { |k,v| k }
versions = page.issues.collect { |issue| issue.plugins }.flatten
fixed_plugins = plugins.dup.keep_if { |p| p.fixed }
unfixed_plugins = plugins.dup.keep_if { |p| !p.fixed }
This advisory announces vulnerabilities in the following Jenkins deliverables:
%ul
- if page.core
Jenkins core
- plugins.each do | plugin |
%li
%a{:href => 'https://plugins.jenkins.io/' + plugin.name }
= site._generated[:update_center].plugins[plugin.name].title
= content
%h2
Severity
%ul
- page.issues.each do | issue |
%li
= "#{issue.id}:"
%a{ :href => 'http://www.first.org/cvss/calculator/3.0#' + issue.cvss.vector }
= issue.cvss.severity
%h2
Affected Versions
%ul
- plugins.each do | plugin |
- if plugin.previous
%li
%strong
= site._generated[:update_center].plugins[plugin.name].title
up to and including
= plugin.previous
%h2
Fix
- if fixed_plugins.length > 0
%ul
- fixed_plugins.each do | plugin |
%li
%strong
= site._generated[:update_center].plugins[plugin.name].title
should be updated to version
= plugin.fixed
%p
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
- if unfixed_plugins.length > 0
%p
As of publication of this advisory, no fixes are available for the following plugins:
%ul
- unfixed_plugins.each do | plugin |
%li
= site._generated[:update_center].plugins[plugin.name].title
- if credits.length > 0
%h2
Credit
%p
The Jenkins project would like to thank the reporters for discovering and
%a{href => '/security/#reporting-vulnerabilities'}
reporting
these vulnerabilities:
%ul
- credits.each do | reporter, issues |
%li
%strong
= reporter
for
= issues.join(", ")
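Review bot: the attribute hash on the reporting link, `%a{href => '/security/#reporting-vulnerabilities'}`, uses a bare `href` where every other anchor in this file uses the symbol form (`%a{:href => 'https://plugins.jenkins.io/' + plugin.name }`); as written Ruby will try to resolve `href` as a method or local variable, so the layout fails to render whenever `credits` is non-empty, which is any advisory with at least one `reporter:`. Two smaller points in the same file: under `- if page.core` the text `Jenkins core` is emitted directly inside the `%ul` with no `%li`, so it renders as stray text rather than a list entry, and `versions` is assigned but never used. The title lookups `site._generated[:update_center].plugins[plugin.name].title` in the sort block and in each list will raise on nil if a plugin `name:` in an advisory's metadata is not present in the update center data; a guard that names the missing plugin would make a typo fail loudly at build time instead of with an opaque NoMethodError.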

View File

@ -1,22 +1,89 @@
---
layout: simplepage
layout: advisory
title: Jenkins Security Advisory 2018-01-22
section: security
kind: plugins
issues:
- id: SECURITY-507
reporter: Oleg Nenashev, CloudBees, Inc.
cvss:
severity: low
vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
plugins:
- name: translation
fixed: 1.16
previous: 1.15
- id: SECURITY-607
reporter: Jesse Glick, CloudBees, Inc.
cvss:
severity: medium
vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
plugins:
- name: release
fixed: 2.10
previous: 2.9
- id: SECURITY-655
reporter: Adith Sudhakar
cvss:
severity: high
vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
plugins:
- name: pmd
fixed: 1.8
previous: 1.7
- id: SECURITY-656
reporter: Adith Sudhakar
cvss:
severity: high
vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
plugins:
- name: checkstyle
fixed: 3.50
previous: 3.49
- id: SECURITY-657
reporter: Adith Sudhakar
cvss:
severity: high
vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
plugins:
- name: dry
fixed: 2.50
previous: 2.49
- id: SECURITY-658
reporter: Adith Sudhakar
cvss:
severity: high
vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
plugins:
- name: findbugs
fixed: 4.72
previous: 4.71
- id: SECURITY-675
cvss:
severity: medium
vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
plugins:
- name: warnings
fixed: 4.65
previous: 4.64
- id: SECURITY-694
cvss:
severity: medium
vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
plugins:
- name: ant
fixed: 1.8
previous: 1.7
- id: SECURITY-695
cvss:
severity: high
vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L
plugins:
- name: workflow-durable-task-step
fixed: 2.18
previous: 2.17
---
This advisory announces vulnerabilities in these Jenkins plugins:
* plugin:ant[Ant]
* plugin:checkstyle[Checkstyle]
* plugin:dry[DRY]
* plugin:findbugs[FindBugs]
* plugin:workflow-durable-task-step[Pipeline: Nodes and Processes]
* plugin:pmd[PMD]
* plugin:release[Release]
* plugin:translation[Translation Assistance]
* plugin:warnings[Warnings]
== Description
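Review bot: several `cvss` entries in the new metadata do not agree with the prose they replace. SECURITY-655, SECURITY-656, SECURITY-657 and SECURITY-658 are given `severity: high` with vector `CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N`, which is the vector the old Severity section attached to the low-severity SECURITY-507, while the old section listed those four as `CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L`; SECURITY-675 is given `CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N` (the SECURITY-694 vector) where the old text had `CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N`. Since the layout now links the severity label to the calculator using `issue.cvss.vector`, the published page would show a "high" label pointing at a vector that scores low. Please re-check the vectors against the original assessments, and consider deriving the severity label from the vector at build time rather than storing both, so the two cannot drift apart.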
@ -64,52 +131,3 @@ This is the same vulnerability that was announced without a fix on link:/securit
Contrary to what we wrote in that security advisory, Ant Plugin shows both the JDK and Ant tools on the configuration screen, and the vulnerability in Ant plugin was responsible for both problems we confirmed in the previous advisory.
Ant plugin now correctly escapes tool names shown on the job configuration screen.
== Severity
* SECURITY-507: link:http://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N[low]
* SECURITY-607: link:http://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N[medium]
* SECURITY-655: link:http://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L[high]
* SECURITY-656: link:http://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L[high]
* SECURITY-657: link:http://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L[high]
* SECURITY-658: link:http://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L[high]
* SECURITY-675: link:http://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N[medium]
* SECURITY-694: link:http://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N[medium]
* SECURITY-695: link:http://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L[high]
== Affected versions
* Ant plugin up to and including 1.7
* Checkstyle plugin up to and including 3.49
* DRY plugin up to and including 2.49
* FindBugs plugin up to and including 4.71
* Pipeline: Nodes and Processes plugin up to and including 2.17
* PMD plugin up to and including 3.49
* Release plugin up to and including 2.9
* Translation Assistance plugin up to and including 1.15
* Warnings plugin up to and including 4.64
== Fix
* Ant plugin should be updated to version 1.8
* Checkstyle plugin should be updated to version 3.50
* DRY plugin should be updated to version 2.50
* FindBugs plugin should be updated to version 4.72
* Pipeline: Nodes and Processes plugin should be updated to version 2.18
* PMD plugin should be updated to version 3.50
* Release plugin should be updated to version 2.10
* Translation Assistance plugin should be updated to version 1.16
* Warnings plugin should be updated to version 4.65
These versions include fixes to the vulnerabilities described above.
All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
== Credit
The Jenkins project would like to thank the reporters for discovering and link:/security/#reporting-vulnerabilities[reporting] these vulnerabilities:
* *Adith Sudhakar* for SECURITY-655, SECURITY-656, SECURITY-657, SECURITY-658
* *Jesse Glick, CloudBees, Inc.* for SECURITY-607, SECURITY-675
* *Oleg Nenashev, CloudBees, Inc.* for SECURITY-507
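Review bot: two facts from the removed sections are not carried into the metadata. The old Affected versions and Fix lists say PMD plugin up to and including 3.49, to be updated to 3.50, but the `pmd` entry in the frontmatter has `fixed: 1.8` / `previous: 1.7` (the same values as `ant`). The old Credit section credits Jesse Glick, CloudBees, Inc. for SECURITY-607 and SECURITY-675, but the SECURITY-675 entry has no `reporter:` key, so the generated Credit list will silently drop that acknowledgement. Suggest adding `reporter: Jesse Glick, CloudBees, Inc.` to SECURITY-675 and correcting the PMD versions before merging; diffing the rendered page before and after this change would catch any other drop.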

View File

@ -37,6 +37,12 @@ RESOURCES = [
nil,
nil
],
[
'https://updates.jenkins.io/update-center.actual.json',
'content/_data/_generated/update_center.yml',
nil,
nil
],
[
'https://ci.jenkins.io/job/Infra/job/backend-extension-indexer/job/master/lastSuccessfulBuild/artifact/*.adoc/*zip*/extension-indexer.zip',
'content/_tmp/extension-indexer.zip',
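Review bot: the new RESOURCES entry stores `https://updates.jenkins.io/update-center.actual.json` at `content/_data/_generated/update_center.yml`, and the new advisory layout reads it as `site._generated[:update_center].plugins[plugin.name].title`; confirm that the fetch step actually parses the JSON and emits YAML of that shape rather than saving the raw bytes under a `.yml` name, and that the two trailing `nil` fields mean the same thing here as for the neighbouring entries, since the hunk carries no comment explaining them. Because the site build now depends on a network fetch for plugin titles, a missing or truncated download should fail the build rather than silently producing advisories with empty or wrong titles; a short comment on this entry describing the expected shape would help the next person who touches it.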