Re: Out-of-date version (YUI)
Thank you Wadeck.

On Monday, May 31, 2021 at 2:50:34 AM UTC-4 wfoll...@cloudbees.com wrote:
> Hello there,
>
> Nothing to care about at the moment for YUI, as all the known vulnerabilities are related to the presence of the Flash files ("via .swf files"); they were removed from the library before it was included in Jenkins.
> But the out-of-date status is still valid, unfortunately.
>
> Best regards,
>
> Wadeck

-- You received this message because you are subscribed to the Google Groups "Jenkins Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/4291ea18-1e42-4547-9ffa-b4c0fc070220n%40googlegroups.com.
Re: Out-of-date version (YUI)
> On 30. May 2021, at 03:05, s.p...@gmail.com wrote:
>
> Affected versions of the package are vulnerable to Cross-site Scripting (XSS) via .swf files, allowing arbitrary code injection into hosting server
> CVE-2012-5881 CVE-2012-5883
>

While we include YUI, we do not include the vulnerable file.

Your scanner is trash.
Re: Out-of-date version (YUI)
Hello there,

Nothing to care about at the moment for YUI, as all the known vulnerabilities are related to the presence of the Flash files ("via .swf files"); they were removed from the library before it was included in Jenkins.
But the out-of-date status is still valid, unfortunately.

Best regards,

Wadeck

On Monday, May 31, 2021 at 2:33:00 AM UTC+2 s.p...@gmail.com wrote:
> Thank you, Oleg. Thank you for sharing the link to report the vulnerabilities. Appreciate your help!
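A way to test the statement above against a running instance, as an added example that is not part of the thread or of Jenkins: it derives the YUI root from the path the scanner reported and asks whether the Flash helpers behind the two CVEs are actually served (real SWF bytes) or return 404, which is the difference between a version fingerprint and a reachable vulnerable file. The SWF file names and the YUI directory layout are assumptions taken from the YUI 2.x distribution; the fetcher is pluggable so the logic can run offline.

```python
"""Verify a scanner's 'out-of-date YUI' finding: are the Flash helpers named in
CVE-2012-5881 / CVE-2012-5883 actually served, or only the JS bundle it saw?"""
import urllib.error
import urllib.request

# Flash helper paths inside a YUI 2.x tree. Assumptions: these are the files the
# two advisories name, and Jenkins keeps YUI's own layout under scripts/yui/.
YUI_SWF_FILES = {
    "CVE-2012-5881": "charts/assets/charts.swf",
    "CVE-2012-5883": "swfstore/swfstore.swf",
}
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")  # plain, zlib and LZMA SWF headers


def yui_root(scanner_path):
    """'/static/01babc68/scripts/yui/yahoo/yahoo-min.js' -> '/static/01babc68/scripts/yui/'.
    The hash segment differs per Jenkins build, so take it from the reported finding."""
    marker = "/scripts/yui/"
    idx = scanner_path.find(marker)
    if idx < 0:
        raise ValueError("not a Jenkins YUI resource path: %r" % scanner_path)
    return scanner_path[: idx + len(marker)]


def classify(status, head):
    """'flash'  -> 200 with an SWF magic number: the vulnerable file is live
       'absent' -> 404: the file was stripped, as the maintainers state
       'other'  -> anything else (soft-404 page, login redirect): inspect by hand"""
    if status == 404:
        return "absent"
    if status == 200 and head[:3] in SWF_MAGIC:
        return "flash"
    return "other"


def http_fetch(url):
    """Default fetcher: (status, first 3 bytes). Swap in a fake for offline runs."""
    req = urllib.request.Request(url, headers={"User-Agent": "yui-swf-check"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read(3)
    except urllib.error.HTTPError as err:
        return err.code, b""


def check_instance(base_url, scanner_path, fetch=http_fetch):
    """Return {CVE: verdict} for one instance, e.g. base_url='https://jenkins.example.invalid'."""
    root = base_url.rstrip("/") + yui_root(scanner_path)
    return {cve: classify(*fetch(root + rel)) for cve, rel in YUI_SWF_FILES.items()}
```

An 'absent' verdict for every entry means the scanner matched only the JavaScript bundle's version string; an 'other' verdict usually means the instance answers with a soft-404 or login page and needs a manual look.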
Re: Out-of-date version (YUI)
Thank you, Oleg. Thank you for sharing the link to report the vulnerabilities. Appreciate your help!

On Sunday, May 30, 2021 at 2:46:39 PM UTC-4 o.v.ne...@gmail.com wrote:
> Hello,
>
> Thanks for your report. I will let the Jenkins security team members comment on that. Just for your information, we have an official process for reporting security vulnerabilities. I highly recommend following this process. Please see
> https://www.jenkins.io/security/#reporting-vulnerabilities
>
> Best regards,
> Oleg Nenashev
Re: Out-of-date version (YUI)
Hello,

Thanks for your report. I will let the Jenkins security team members comment on that. Just for your information, we have an official process for reporting security vulnerabilities. I highly recommend following this process. Please see
https://www.jenkins.io/security/#reporting-vulnerabilities

Best regards,
Oleg Nenashev

On Sunday, May 30, 2021 at 3:05:00 AM UTC+2 s.p...@gmail.com wrote:
> Our web scans show an out-of-date version (YUI) vulnerability. I'm not able to find anything on how to remediate this finding. Any help is appreciated. TIA
> Example: /static/01babc68/scripts/yui/yahoo/yahoo-min.js
> Affected versions of the package are vulnerable to Cross-site Scripting (XSS) via .swf files, allowing arbitrary code injection into hosting server
> CVE-2012-5881 CVE-2012-5883
>
> *Jenkins version - 2.250, Windows 2012 server.*
Out-of-date version (YUI)
Our web scans show an out-of-date version (YUI) vulnerability. I'm not able to find anything on how to remediate this finding. Any help is appreciated. TIA

Example: /static/01babc68/scripts/yui/yahoo/yahoo-min.js

Affected versions of the package are vulnerable to Cross-site Scripting (XSS) via .swf files, allowing arbitrary code injection into hosting server
CVE-2012-5881 CVE-2012-5883

*Jenkins version - 2.250, Windows 2012 server.*