Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
Please unblock package jenkins. This version addresses the RC bugs (#767541 and #769594), backports a cookie security hardening modification (#769682), adds a missing runtime dependency and improves the documentation (#726489). Thank you unblock jenkins/1.565.3-3 diff -Nru jenkins-1.565.3/debian/changelog jenkins-1.565.3/debian/changelog --- jenkins-1.565.3/debian/changelog 2014-10-25 00:40:19.000000000 +0200 +++ jenkins-1.565.3/debian/changelog 2014-12-05 12:28:04.000000000 +0100 @@ -1,3 +1,23 @@ +jenkins (1.565.3-3) unstable; urgency=medium + + * Team upload. + + [ Yann Rouillard ] + * Added dependency on libcglib3-java to fix NoClassDefFoundError at runtime. + * Removed Context Resource symlinks directives as they don't work anymore in + Tomcat 8 and are not required for Jenkins (Closes: #769594) + * Removed useless properties Debug and AllowLinking in Context definition + to suppress warnings in Tomcat logs. + * Backported upstream patch to ensure HttpOnly cookie flag is properly set + and avoid warning messages about Security cookie flag (Closes: #769682) + + [ Emmanuel Bourg ] + * Documented the security issue with master/slave setups (CVE-2014-3665) + * Documented in /etc/default/jenkins how to run Jenkins + on non local addresses (Closes: #726489) + + -- Emmanuel Bourg <ebo...@apache.org> Fri, 05 Dec 2014 12:27:57 +0100 + jenkins (1.565.3-2) unstable; urgency=medium * Team upload. diff -Nru jenkins-1.565.3/debian/control jenkins-1.565.3/debian/control --- jenkins-1.565.3/debian/control 2014-10-21 23:08:25.000000000 +0200 +++ jenkins-1.565.3/debian/control 2014-11-15 15:47:21.000000000 +0100 
@@ -40,6 +40,7 @@ libasm4-java, libbridge-method-injector-java (>= 1.9), libbytecode-compatibility-transformer-java, + libcglib3-java, libclassworlds-java, libcommons-beanutils-java, libcommons-codec-java, diff -Nru jenkins-1.565.3/debian/jenkins.default jenkins-1.565.3/debian/jenkins.default --- jenkins-1.565.3/debian/jenkins.default 2014-10-16 16:51:16.000000000 +0200 +++ jenkins-1.565.3/debian/jenkins.default 2014-12-05 12:25:57.000000000 +0100 @@ -47,7 +47,7 @@ # port for AJP connector (disabled by default) AJP_PORT=-1 -# Listen address for HTTP connector +# Listen address for HTTP connector (use 0.0.0.0 to listen on all IPv4/IPv6 interfaces) HTTP_HOST=127.0.0.1 # Listen address for AJP connector diff -Nru jenkins-1.565.3/debian/jenkins.README.Debian jenkins-1.565.3/debian/jenkins.README.Debian --- jenkins-1.565.3/debian/jenkins.README.Debian 2014-10-16 16:51:16.000000000 +0200 +++ jenkins-1.565.3/debian/jenkins.README.Debian 2014-12-05 12:13:51.000000000 +0100 @@ -37,5 +37,13 @@ + see man jenkins-monitor-job for more details. - Jenkins CLI: jenkins-cli + see man jenkins-cli for more details. - - -- James Page <james.p...@ubuntu.com> Wed, 20 Jul 2011 11:34:02 +0100 + + +Master/Slave Security Considerations +------------------------------------ + +Jenkins master and slaves behave as if they altogether form a single +distributed process. This means a slave can ask a master to do just about +anything within the confinement of the operating system, such as accessing +files on the master or trigger other jobs on Jenkins. Therefore adding +untrusted slaves to the cluster is not recommended. diff -Nru jenkins-1.565.3/debian/jenkins-tomcat.xml jenkins-1.565.3/debian/jenkins-tomcat.xml --- jenkins-1.565.3/debian/jenkins-tomcat.xml 2014-10-16 16:51:16.000000000 +0200 +++ jenkins-1.565.3/debian/jenkins-tomcat.xml 2014-11-15 15:47:21.000000000 +0100 
@@ -2,9 +2,7 @@ Context configuration file for the Jenkins Web App --> <Context path="/jenkins" docBase="/usr/share/jenkins/jenkins.war" - debug="0" privileged="true" allowLinking="true" crossContext="true"> - <!-- make symlinks work in Tomcat --> - <Resources className="org.apache.naming.resources.FileDirContext" allowLinking="true" /> + privileged="true" crossContext="true"> <Environment name="JENKINS_HOME" type="java.lang.String" value="/var/lib/jenkins" override="true" /> </Context> diff -Nru jenkins-1.565.3/debian/maven.rules jenkins-1.565.3/debian/maven.rules --- jenkins-1.565.3/debian/maven.rules 2014-10-22 00:18:22.000000000 +0200 +++ jenkins-1.565.3/debian/maven.rules 2014-12-05 12:14:05.000000000 +0100 @@ -69,6 +69,8 @@ org.springframework s/spring-webmvc/spring-web/ * s/.*/3.x/ * * com.google.inject guice * s/.*/debian/ s/no_aop// * +cglib cglib * s/.*/3.x/ * * + s/com.google.code.findbugs/org.jsr-305/ jsr305 * s/.*/0.x/ * * org.jsr-305 jsr305 * 0.x * * s/org.jvnet.hudson/org.jenkins-ci/ test-annotations * s/.*/debian/ * * diff -Nru jenkins-1.565.3/debian/patches/0027-add-cglib-dependency.patch jenkins-1.565.3/debian/patches/0027-add-cglib-dependency.patch --- jenkins-1.565.3/debian/patches/0027-add-cglib-dependency.patch 1970-01-01 01:00:00.000000000 +0100 +++ jenkins-1.565.3/debian/patches/0027-add-cglib-dependency.patch 2014-11-15 15:47:21.000000000 +0100 
@@ -0,0 +1,23 @@ +Description: Add dependency on cglib as we don't use guice-noaop library, + and the one we use depends on cglib. + Note that the library cglib is required at runtime and not only at the + compilation step. +Author: Yann Rouillard <y...@pleiades.fr.org>, François-Xavier Vende <francois.ve...@gmail.com> +Forwarded: not-needed +Index: jenkins-1.565.3/core/pom.xml +=================================================================== +--- jenkins-1.565.3.orig/core/pom.xml ++++ jenkins-1.565.3/core/pom.xml +@@ -100,6 +100,12 @@ THE SOFTWARE. + <classifier>no_aop</classifier> + </dependency> + ++ <dependency> ++ <groupId>cglib</groupId> ++ <artifactId>cglib</artifactId> ++ <version>3.x</version> ++ </dependency> ++ + <dependency> <!-- for compatibility only; all new code should use JNR --> + <groupId>org.jruby.ext.posix</groupId> + <artifactId>jna-posix</artifactId> diff -Nru jenkins-1.565.3/debian/patches/0028-properly-set-httponly-flag-for-tomcat.patch jenkins-1.565.3/debian/patches/0028-properly-set-httponly-flag-for-tomcat.patch --- jenkins-1.565.3/debian/patches/0028-properly-set-httponly-flag-for-tomcat.patch 1970-01-01 01:00:00.000000000 +0100 +++ jenkins-1.565.3/debian/patches/0028-properly-set-httponly-flag-for-tomcat.patch 2014-12-05 10:43:11.000000000 +0100 
@@ -0,0 +1,109 @@ +Description: This patch fixes 2 issues. It set the HttpOnly flag + at an ealier stage so that the setting is properly taken into + account by Tomcat. + It suppress the warning about the secure flag that only happens + in Tomcat as it should be configured in Tomcat configuration and + not set by Jenkins in that case. +Origin: backport,https://github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710 +From 582128b9ac179a788d43c1478be8a5224dc19710 Mon Sep 17 00:00:00 2001 +From: Kohsuke Kawaguchi <k...@kohsuke.org> +Date: Thu, 16 Oct 2014 19:15:56 -0700 +Subject: [PATCH] [FIXED JENKINS-25019] + +A truly conforming servlet 3.0 container does not allow us to set "secure cookie" flag beyond ServletContextListener.onInitialized(). +If we see that, don't scare the users. +--- + core/src/main/java/hudson/WebAppMain.java | 29 +++++++++++++++++++++++ + .../model/JenkinsLocationConfiguration.java | 16 ++++++++----- + 2 files changed, 39 insertions(+), 6 deletions(-) + +diff --git a/core/src/main/java/hudson/WebAppMain.java b/core/src/main/java/hudson/WebAppMain.java +index 1f332e9..11d438d 100644 +--- a/core/src/main/java/hudson/WebAppMain.java ++++ b/core/src/main/java/hudson/WebAppMain.java +@@ -56,6 +56,7 @@ + import java.io.File; + import java.io.FileOutputStream; + import java.io.IOException; ++import java.lang.reflect.Method; + import java.net.URL; + import java.net.URLClassLoader; + import java.util.Date; +@@ -116,6 +117,9 @@ public Locale get() { + + installLogger(); + ++ System.out.println("I am here"); ++ markCookieAsHttpOnly(context); ++ + final FileAndDescription describedHomeDir = getHomeDir(event); + home = describedHomeDir.file.getAbsoluteFile(); + home.mkdirs(); +@@ -251,6 +254,31 @@ public void run() { + } + } + ++ /** ++ * Set the session cookie as HTTP only. 
++ * ++ * @see <a href="https://www.owasp.org/index.php/HttpOnly">discussion of this topic in OWASP</a> ++ */ ++ private void markCookieAsHttpOnly(ServletContext context) { ++ try { ++ Method m; ++ try { ++ m = context.getClass().getMethod("getSessionCookieConfig"); ++ } catch (NoSuchMethodException x) { // 3.0+ ++ LOGGER.log(Level.FINE, "Failed to set secure cookie flag", x); ++ return; ++ } ++ Object sessionCookieConfig = m.invoke(context); ++ ++ // not exposing session cookie to JavaScript to mitigate damage caused by XSS ++ Class scc = Class.forName("javax.servlet.SessionCookieConfig"); ++ Method setHttpOnly = scc.getMethod("setHttpOnly",boolean.class); ++ setHttpOnly.invoke(sessionCookieConfig,true); ++ } catch (Exception e) { ++ LOGGER.log(Level.WARNING, "Failed to set HTTP-only cookie flag", e); ++ } ++ } ++ + public void joinInit() throws InterruptedException { + initThread.join(); + } +diff --git a/core/src/main/java/jenkins/model/JenkinsLocationConfiguration.java b/core/src/main/java/jenkins/model/JenkinsLocationConfiguration.java +index 6836467..c10e51d 100644 +--- a/core/src/main/java/jenkins/model/JenkinsLocationConfiguration.java ++++ b/core/src/main/java/jenkins/model/JenkinsLocationConfiguration.java +@@ -14,6 +14,7 @@ + import javax.servlet.ServletContext; + import java.io.File; + import java.io.IOException; ++import java.lang.reflect.InvocationTargetException; + import java.lang.reflect.Method; + import java.util.logging.Level; + import java.util.logging.Logger; +@@ -117,14 +118,17 @@ private void updateSecureSessionFlag() { + } + Object sessionCookieConfig = m.invoke(context); + +- // not exposing session cookie to JavaScript to mitigate damage caused by XSS + Class scc = Class.forName("javax.servlet.SessionCookieConfig"); +- Method setHttpOnly = scc.getMethod("setHttpOnly",boolean.class); +- setHttpOnly.invoke(sessionCookieConfig,true); +- +- Method setSecure = scc.getMethod("setSecure",boolean.class); ++ Method setSecure = 
scc.getMethod("setSecure", boolean.class); + boolean v = fixNull(jenkinsUrl).startsWith("https"); +- setSecure.invoke(sessionCookieConfig,v); ++ setSecure.invoke(sessionCookieConfig, v); ++ } catch (InvocationTargetException e) { ++ if (e.getTargetException() instanceof IllegalStateException) { ++ // servlet 3.0 spec seems to prohibit this from getting set at runtime, ++ // though Winstone is happy to accept i. see JENKINS-25019 ++ return; ++ } ++ LOGGER.log(Level.WARNING, "Failed to set secure cookie flag ici", e); + } catch (Exception e) { + LOGGER.log(Level.WARNING, "Failed to set secure cookie flag", e); + } diff -Nru jenkins-1.565.3/debian/patches/0029-master-slave-security-warning.patch jenkins-1.565.3/debian/patches/0029-master-slave-security-warning.patch --- jenkins-1.565.3/debian/patches/0029-master-slave-security-warning.patch 1970-01-01 01:00:00.000000000 +0100 +++ jenkins-1.565.3/debian/patches/0029-master-slave-security-warning.patch 2014-12-05 11:33:41.000000000 +0100 
@@ -0,0 +1,17 @@ +Description: Warn about the security issue with master/slave setups in the UI +Author: Emmanuel Bourg <ebo...@apache.org> +Forwarded: not-needed +--- a/core/src/main/resources/hudson/model/ComputerSet/new.jelly ++++ b/core/src/main/resources/hudson/model/ComputerSet/new.jelly +@@ -35,6 +35,11 @@ + <l:layout norefresh="true" permission="${createPermission}"> + <st:include page="sidepanel.jelly" /> + <l:main-panel> ++ ++ <p class="warning">WARNING: Do not add untrusted slaves to your configuration as they could run any command on the master node.<br/> ++ See the <a href="https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-30">Jenkins Security Advisory 2014-10-30</a> ++ for more information.</p> ++ + <j:invokeStatic var="slaves" className="hudson.slaves.NodeDescriptor" method="allInstantiable" /> + <n:form nameTitle="${%Node name}" copyTitle="${%Copy Existing Node}" copyNames="${it._slaveNames}" + descriptors="${slaves}" checkUrl="checkName" xmlns:n="/lib/hudson/newFromList" /> diff -Nru jenkins-1.565.3/debian/patches/series jenkins-1.565.3/debian/patches/series --- jenkins-1.565.3/debian/patches/series 2014-10-16 16:51:16.000000000 +0200 +++ jenkins-1.565.3/debian/patches/series 2014-12-05 10:44:39.000000000 +0100 @@ -21,3 +21,6 @@ 0024-args4j-compatibility.patch 0025-specify-plugins-versions.patch 0026-add-jsr305-dependency.patch +0027-add-cglib-dependency.patch +0028-properly-set-httponly-flag-for-tomcat.patch +0029-master-slave-security-warning.patch
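Review bot: in the debian/changelog hunk the libcglib3-java line has no Closes: tag, although the request lists #767541 among the RC bugs this upload addresses; only #769594, #769682 and #726489 are closed by this entry, so if the NoClassDefFoundError is #767541, add "(Closes: #767541)" to that line so the BTS is updated on upload. The CVE-2014-3665 line describes documentation only; phrase it as "documented, not fixed" so that anyone grepping changelogs for CVE ids does not read it as a fix claim.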
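Review bot: the debian/control hunk inserts libcglib3-java into a single dependency list at line 40, but patch 0027 also adds cglib to core/pom.xml, so the package needs it both to build and to run. Confirm which field this hunk lands in (Depends or Build-Depends) and add the same entry to the other field if it is not already there.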
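Review bot: the new comment in debian/jenkins.default says 0.0.0.0 listens "on all IPv4/IPv6 interfaces", but 0.0.0.0 is the IPv4 wildcard; whether the JVM also accepts IPv6 connections on it depends on the platform's dual-stack behaviour, and "::" is the usual all-interfaces address when IPv6 is wanted. Suggest "(use 0.0.0.0 to listen on all interfaces)" or name both addresses, and keep the 127.0.0.1 default unchanged as in this hunk, since widening the bind address is something an administrator should opt into deliberately.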
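Review bot: the new "Master/Slave Security Considerations" section in debian/jenkins.README.Debian has a parallelism slip: "such as accessing files on the master or trigger other jobs" should read "or triggering other jobs", and "Therefore adding" wants a comma. The section should also cite what the rest of this upload already names, CVE-2014-3665 in the changelog and the Jenkins Security Advisory 2014-10-30 linked from patch 0029, so an administrator reading the README can find the upstream advisory and fix status. Dropping the old "-- James Page" trailer is fine.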
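Review bot: removing allowLinking and the FileDirContext Resources element from debian/jenkins-tomcat.xml is a good change beyond Tomcat 8 compatibility, since allowLinking lets the container serve files reached through symlinks that point outside docBase. Two attributes that widen the context's privileges remain, privileged="true" (access to Tomcat's container servlets) and crossContext="true" (access to other webapps' ServletContext); if Jenkins does not need them, drop them as well, otherwise a one-line comment saying why they are required would help the next maintainer.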
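Review bot: the DEP-3 header of 0027-add-cglib-dependency.patch has no Bug-Debian: field; if this patch is the fix for #767541 named in the request, add "Bug-Debian: https://bugs.debian.org/767541" so the patch and the bug stay linked. The 3.x version matches the new cglib line in debian/maven.rules, and Forwarded: not-needed is correct for a Debian-only dependency rewrite.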
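Review bot: 0028-properly-set-httponly-flag-for-tomcat.patch carries two debugging leftovers that must go before upload: `System.out.println("I am here");` in WebAppMain, which writes to Tomcat's stdout at every start, and the log message `"Failed to set secure cookie flag ici"` in JenkinsLocationConfiguration, which contains a stray French "ici". In markCookieAsHttpOnly the NoSuchMethodException branch logs "Failed to set secure cookie flag" although that method sets the HttpOnly flag, and its `// 3.0+` comment is ambiguous (a missing getSessionCookieConfig means the container predates Servlet 3.0); the comment "happy to accept i." should read "it", and the Description has "ealier", "It set" and "It suppress". The behavioural point matters more: updateSecureSessionFlag now returns silently when the container throws IllegalStateException, so a Tomcat deployment behind HTTPS will get a session cookie without the Secure flag and no warning in the logs. The Description says this belongs in Tomcat configuration; README.Debian should then say where, for example the session-config/cookie-config/secure element of the webapp's web.xml, so administrators who terminate TLS in front of Tomcat know to set it.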
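Review bot: the warning paragraph added to new.jelly in 0029-master-slave-security-warning.patch is hardcoded English, while the surrounding view localises its strings through the ${%...} syntax (see nameTitle="${%Node name}" two lines below); move the message into the properties bundle beside the view and reference it the same way so translations keep working. The text also tells users not to add untrusted slaves without saying that the same caution is written up in README.Debian; pointing there helps Debian users without access to the wiki link.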