Your message dated Fri, 05 Dec 2014 11:49:09 +0000
with message-id <e1xwrnl-0008w1...@franck.debian.org>
and subject line Bug#769682: fixed in jenkins 1.565.3-3
has caused the Debian Bug report #769682,
regarding jenkins-tomcat: Secure and HttpOnly flags are not set for cookies with Jenkins on Tomcat
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
769682: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=769682
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Subject: jenkins-tomcat: Secure and HttpOnly flags are not set for cookies with Jenkins on Tomcat
Package: jenkins-tomcat
Version: 1.565.3-2.1
Severity: grave
Tags: security

Dear Maintainer,

The Jenkins currently shipped with Debian doesn't correctly set the HttpOnly and
Secure options on session cookies.

The first option prevents the cookies from being read by scripts, thus preventing
XSS vulnerabilities from stealing sessions.
The second option prevents the session cookie from being sent over a clear HTTP
connection, thus preventing malevolent users from stealing the session cookie by
redirecting users to HTTP access.

There is already an upstream bug for this problem located at this url:
https://issues.jenkins-ci.org/browse/JENKINS-25019
with a proposed fix that only addresses the HttpOnly issue for Tomcat.

The problem is reported in Tomcat log with the following lines:

WARNING: Failed to set secure cookie flag
java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at jenkins.model.JenkinsLocationConfiguration.updateSecureSessionFlag(JenkinsLocationConfiguration.java:123)
        at jenkins.model.JenkinsLocationConfiguration.load(JenkinsLocationConfiguration.java:71)
        at jenkins.model.JenkinsLocationConfiguration.<init>(JenkinsLocationConfiguration.java:46)
        at jenkins.model.JenkinsLocationConfiguration$$FastClassByGuice$$a6785528.newInstance(<generated>)
        at net.sf.cglib.reflect.FastConstructor.newInstance(FastConstructor.java:40)
        at com.google.inject.internal.DefaultConstructionProxyFactory$1.newInstance(DefaultConstructionProxyFactory.java:61)
        at hudson.ExtensionFinder$GuiceFinder$FaultTolerantScope$1.get(ExtensionFinder.java:429)
        [...]
        at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:222)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1566)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1523)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.IllegalStateException: Property HttpOnly can not be added to SessionCookieConfig for context /jenkins as the context has been initialised
        at org.apache.catalina.core.ApplicationSessionCookieConfig.setHttpOnly(ApplicationSessionCookieConfig.java:107)
        ... 90 more

Thanks in advance for your help on this issue.

Yann Rouillard


-- System Information:
Debian Release: jessie/sid
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16-2-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages jenkins-tomcat depends on:
ii  jenkins-common  1.565.3-2
ii  tomcat8         8.0.14-1

jenkins-tomcat recommends no packages.

jenkins-tomcat suggests no packages.

-- Configuration Files:
/etc/jenkins/jenkins-tomcat.xml changed [not included]

-- no debconf information

--- End Message ---
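The report above describes the two flags in prose and shows Tomcat refusing to set them at runtime. A practical way to confirm whether a given Jenkins deployment is affected, before and after upgrading the package, is to look at the Set-Cookie headers it actually returns. The following is an added example written for this page; it is not code from the bug report, from Debian or from the Jenkins project. It parses raw Set-Cookie values, reports which protective attributes are missing, and includes an optional fetcher for a live instance. The sample headers and the session ID in them are constructed placeholders; the `JSESSIONID` name is Tomcat's default session cookie.

```python
"""Audit Set-Cookie headers for the HttpOnly and Secure flags.

Added example, not code from the bug report, from Debian or from the
Jenkins project. It parses raw Set-Cookie header values (such as the
JSESSIONID cookie Tomcat issues for Jenkins) and reports which
protective attributes are missing. The sample headers are constructed;
the session ID values in them are placeholders.
"""
import http.client
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit


@dataclass
class CookieFlags:
    name: str
    secure: bool
    httponly: bool
    samesite: Optional[str]


def parse_set_cookie(header: str) -> CookieFlags:
    """Parse one Set-Cookie header value into its name and security attributes.

    Attribute names are case-insensitive (RFC 6265), so they are compared
    lower-cased; Secure and HttpOnly are bare flags with no value.
    """
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    secure = httponly = False
    samesite = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "httponly":
            httponly = True
        elif key == "samesite":
            samesite = value.strip() or None
    return CookieFlags(name, secure, httponly, samesite)


def audit_cookies(set_cookie_headers: List[str],
                  require_secure: bool = True) -> Dict[str, List[str]]:
    """Map each cookie name to the list of flags it is missing.

    require_secure=False is for instances that are only ever reached over
    plain HTTP, where a Secure cookie would never be sent back at all.
    Jenkins itself decides whether to request the Secure flag when it loads
    its location configuration (the updateSecureSessionFlag frame in the
    trace above), so a deployment whose configured root URL is https is
    the case this check is meant for.
    """
    findings: Dict[str, List[str]] = {}
    for header in set_cookie_headers:
        flags = parse_set_cookie(header)
        missing = []
        if not flags.httponly:
            missing.append("HttpOnly")
        if require_secure and not flags.secure:
            missing.append("Secure")
        findings[flags.name] = missing
    return findings


def fetch_set_cookie_headers(url: str, timeout: float = 10.0) -> List[str]:
    """GET the URL and return every Set-Cookie value from the response.

    Requires network access and is not exercised by the constructed sample
    below. Point it at the Jenkins login page, where the session is created.
    """
    parts = urlsplit(url)
    conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                else http.client.HTTPConnection)
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/",
                     headers={"User-Agent": "cookie-flag-check"})
        resp = conn.getresponse()
        # getheaders() keeps repeated headers as separate pairs, so every
        # Set-Cookie in the response is returned.
        return [value for key, value in resp.getheaders()
                if key.lower() == "set-cookie"]
    finally:
        conn.close()


# Constructed samples: what the reported package emitted (no flags) and what
# a correct deployment served over HTTPS should emit.
SAMPLE_BEFORE_FIX = ["JSESSIONID=0123456789ABCDEF; Path=/jenkins"]
SAMPLE_AFTER_FIX = ["JSESSIONID=0123456789ABCDEF; Path=/jenkins; Secure; HttpOnly"]


if __name__ == "__main__":
    for label, headers in (("before", SAMPLE_BEFORE_FIX), ("after", SAMPLE_AFTER_FIX)):
        for cookie, missing in audit_cookies(headers).items():
            print(f"{label}: {cookie} missing {missing or 'nothing'}")
```

Run it against a live instance with `audit_cookies(fetch_set_cookie_headers("https://ci.example.org/jenkins/login"))` (hostname assumed). The IllegalStateException in the trace is the Servlet 3.0 rule that SessionCookieConfig can only be changed before the ServletContext finishes initialising, which is why a fix has to run from a ServletContextListener or be declared in web.xml rather than from code that runs on the first request; the checker above tells you whether the deployment you are running actually got there.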
--- Begin Message ---
Source: jenkins
Source-Version: 1.565.3-3

We believe that the bug you reported is fixed in the latest version of
jenkins, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 769...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emmanuel Bourg <ebo...@apache.org> (supplier of updated jenkins package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 05 Dec 2014 12:27:57 +0100
Source: jenkins
Binary: libjenkins-java libjenkins-plugin-parent-java jenkins-common jenkins jenkins-slave jenkins-external-job-monitor jenkins-cli jenkins-tomcat
Architecture: source all
Version: 1.565.3-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebo...@apache.org>
Description:
 jenkins    - Continuous Integration and Job Scheduling Server
 jenkins-cli - Jenkins CI Command Line Interface
 jenkins-common - Jenkins common Java components and web application
 jenkins-external-job-monitor - Jenkins CI external job monitoring
 jenkins-slave - Jenkins slave node helper
 jenkins-tomcat - Jenkins CI on Tomcat 8
 libjenkins-java - Jenkins CI core Java libraries
 libjenkins-plugin-parent-java - Jenkins Plugin Parent Maven POM
Closes: 726489 769594 769682
Changes:
 jenkins (1.565.3-3) unstable; urgency=medium
 .
   * Team upload.
 .
   [ Yann Rouillard ]
   * Added dependency on libcglib3-java to fix NoClassDefFoundError at runtime.
   * Removed Context Resource symlinks directives as they don't work anymore in
     Tomcat 8 and are not required for Jenkins (Closes: #769594)
   * Removed useless properties Debug and AllowLinking in Context definition
     to suppress warnings in Tomcat logs.
   * Backported upstream patch to ensure HttpOnly cookie flag is properly set
     and avoid warning messages about Security cookie flag (Closes: #769682)
 .
   [ Emmanuel Bourg ]
   * Documented the security issue with master/slave setups (CVE-2014-3665)
   * Documented in /etc/default/jenkins how to run Jenkins
     on non local addresses (Closes: #726489)
Checksums-Sha1:
 99b07e79094bd6a64deb9160e873c5bc82ee76d7 4857 jenkins_1.565.3-3.dsc
 4d996a6049b22f6d53acec6bc8825363ebc6d3a4 45048 jenkins_1.565.3-3.debian.tar.xz
 789063e36113218ad106553f1c6db8b2a3bd3181 6459440 libjenkins-java_1.565.3-3_all.deb
 7f6275dc8a94f361d5180a1e3515707e5b9c10f2 17118 libjenkins-plugin-parent-java_1.565.3-3_all.deb
 0f93987dae4934d3f9f9bf306dfaa9e00501b4ad 39293706 jenkins-common_1.565.3-3_all.deb
 e08712c110b2c84942708cb87cc7cc3b5215130d 21578 jenkins_1.565.3-3_all.deb
 69634fcfe7e1f10c93b529c6cd6e8b32c4124ae6 20320 jenkins-slave_1.565.3-3_all.deb
 dd0306e96a9dcb33370f68ea97406df58ef1a714 17148 jenkins-external-job-monitor_1.565.3-3_all.deb
 e2d3afd5ff8f0f57450a777de7d6156bbe0e0957 863332 jenkins-cli_1.565.3-3_all.deb
 ca2b2d1802d506c3d06b9d3e0d3ea3f5aa924043 17120 jenkins-tomcat_1.565.3-3_all.deb
Checksums-Sha256:
 353e90e12f57fefade71528ded5ebd5e4e58c275fdeb75d19a6913fd4a6c20c5 4857 jenkins_1.565.3-3.dsc
 a044d1940be12a128258e6b89fafacf27e05fb2f61dafa84579e0c98e1f88878 45048 jenkins_1.565.3-3.debian.tar.xz
 510c9736a583f86b368e7fe3aca7b58cc656b128d9231fbbb51aa62accbdce4e 6459440 libjenkins-java_1.565.3-3_all.deb
 e2fc7459c33088e5ce2386a8b4dd1310b45bef33c92ce86750def50c9259a7b1 17118 libjenkins-plugin-parent-java_1.565.3-3_all.deb
 d5f574619431c53b6e64dea5d2432afc42c2a83d802c96ceee1d38f9f52445ec 39293706 jenkins-common_1.565.3-3_all.deb
 82008264dd82366bfa773be6ffc554b02e46259818c04530cbbd928811847935 21578 jenkins_1.565.3-3_all.deb
 765fa076cac5d8293d48f60efdc8ed6776b8c0b613fdbdf44c177d1739bdb93f 20320 jenkins-slave_1.565.3-3_all.deb
 a94a0ad924550c74bf71018623a668a86f526e0806bfad8de09859df63afc3cb 17148 jenkins-external-job-monitor_1.565.3-3_all.deb
 e7d4005d720975f87c7ad11eeadbdd20c9ca1f71bd8d2c401c37999991cd7714 863332 jenkins-cli_1.565.3-3_all.deb
 c32479fc222f7f80c5e9c38ecec76c6a543630e91e73524f00cff4b2eac9ab6b 17120 jenkins-tomcat_1.565.3-3_all.deb
Files:
 e2d1e2f9b2a52916877d92fff7ac02fa 4857 java optional jenkins_1.565.3-3.dsc
 fcf6e6653e1b6fdfe04c3ba582a1de46 45048 java optional jenkins_1.565.3-3.debian.tar.xz
 3a7f50d82bd3d5ba4f1e38b8497f954b 6459440 java optional libjenkins-java_1.565.3-3_all.deb
 9c493a76674c2af572b8423a4657a26e 17118 java optional libjenkins-plugin-parent-java_1.565.3-3_all.deb
 730d8f5784ffadd2fbf2051fb5c2fbf7 39293706 java optional jenkins-common_1.565.3-3_all.deb
 b89dd6544d79f4c13be67772acc2abb9 21578 java optional jenkins_1.565.3-3_all.deb
 e8c5cdaa74b192a3a062f5a1cdac2bb0 20320 java optional jenkins-slave_1.565.3-3_all.deb
 5e0925acb1b585879d373a73d38d3a04 17148 java optional jenkins-external-job-monitor_1.565.3-3_all.deb
 eb7222dfefdcea15abc062277375af12 863332 java optional jenkins-cli_1.565.3-3_all.deb
 f0255aefc8c7b89a7974c56dafb66ef6 17120 java optional jenkins-tomcat_1.565.3-3_all.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

--- End Message ---
__
This is the maintainer address of Debian's Java team
<http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-maintainers>. 
Please use
debian-j...@lists.debian.org for discussions and questions.
