You are here
Home > Preporuke > Sigurnosni nedostaci programskog paketa jenkins-2-plugins

Sigurnosni nedostaci programskog paketa jenkins-2-plugins

—–BEGIN PGP SIGNED MESSAGE—–
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Important: Red Hat OpenShift Container Platform 3.11 jenkins-2-plugins security update
Advisory ID: RHSA-2019:2651-01
Product: Red Hat OpenShift Enterprise
Advisory URL: https://access.redhat.com/errata/RHSA-2019:2651
Issue date: 2019-09-04
CVE Names: CVE-2019-10355 CVE-2019-10356 CVE-2019-10357
=====================================================================

1. Summary:

An update for jenkins-2-plugins is now available for Red Hat OpenShift
Container Platform 3.11.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat OpenShift Container Platform 3.11 – noarch

3. Description:

Jenkins is a continuous integration server that monitors executions of
repeated jobs, such as building a software project or jobs run by cron.

Security Fix(es):

* jenkins-plugin-script-security: Sandbox bypass through type casts in
Script Security Plugin (CVE-2019-10355)

* jenkins-plugin-script-security: Sandbox bypass through method pointer
expressions in Script Security Plugin (CVE-2019-10356)

* jenkins-plugin-workflow-cps-global-lib: Missing permission check in
Pipeline: Shared Groovy Libraries Plugin (CVE-2019-10357)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

See the following documentation, which will be updated shortly for release
3.11.141, for important instructions on how to upgrade your cluster and
fully
apply this asynchronous errata update:

https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_r
elease_notes.html

5. Bugs fixed (https://bugzilla.redhat.com/):

1735515 – CVE-2019-10355 jenkins-plugin-script-security: Sandbox bypass through type casts in Script Security Plugin
1735518 – CVE-2019-10356 jenkins-plugin-script-security: Sandbox bypass through method pointer expressions in Script Security Plugin
1735521 – CVE-2019-10357 jenkins-plugin-workflow-cps-global-lib: Missing permission check in Pipeline: Shared Groovy Libraries Plugin

6. Package List:

Red Hat OpenShift Container Platform 3.11:

Source:
jenkins-2-plugins-3.11.1566492396-1.el7.src.rpm

noarch:
jenkins-2-plugins-3.11.1566492396-1.el7.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2019-10355
https://access.redhat.com/security/cve/CVE-2019-10356
https://access.redhat.com/security/cve/CVE-2019-10357
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2019 Red Hat, Inc.
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1

iQIVAwUBXW9kudzjgjWX9erEAQgjyg/9FG1KT3I5X6pmR9VXz8k/2bi8MgM9X3fE
PTADvnT3nj2+YoMjSREL8HopXrALbGh7Q62j7yJv9IE9nly9IdDrlZAzVj6oVioO
2Mz1QEUm2MfKbHHEsUK+N3ypWeKltIqr+bwzMf+trqQkjgTwxHLNP8tQBYluZ5eY
KLhImZz33tjEjzndB6pDgRa3ErPgOMCA/5/ldVIQUOxwhrYU69B3bR7LdWd4rMs/
msrUq08c9JqFXZ89ytnKMTj59o0+qt4KVam3SfcnVcAzUnbG587qX9un4OQklyIJ
lY/A27WcI1W+dMVba1i8gOOiIBgEn0seiVJZvDSnUa8TeIUPkzTDOSGKug04LOUb
cGPdE18xv8jQDv+pOBmPTNWUmjjqXW9jAZbzIUN734IdXuYNdIoPIIXsKpdbrzgs
NsCw2LXPGmoizrj80bxa+EfM9Cdlme3oQ7cP1kBYQSuNgB2nZBN6E6vMqNFQEsgr
vzPJivxWViTzBnUoG4PUM2MxvCS7GBk3zfodD9aLJcI1yI/yVI41gL/aiegTii3N
c0NBrpbLSSOzTRrIBdQ3xubHt4ZEYuaSYXtxSiplLWHtDrrdbR8xlN5gpnOu3S3Z
RgpQvvFqS9DWxEcTKzc+LF2PcE3hdK21tSLfc1V/DzHwu9MReFKMRoOlG4tbyWtf
M4vSv1lVINQ=
=aak3
—–END PGP SIGNATURE—–


RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce

Top
More in Preporuke
Sigurnosni nedostaci jezgre operacijskog sustava

Otkriveni su sigurnosni nedostaci jezgre operacijskog sustava Fedora. Otkriveni nedostaci potencijalnim napadačima omogućuju izazivanje DoS stanja, izvršavanje proizvoljnog programskog koda...

Close