
Jenkins and DWF assignment



Kurt,

https://jenkins.io/security/advisory/2017-04-26/

Jenkins assigned a series of IDs using the DWF format yesterday. In the middle of them is an assignment for an issue that impacts them, but is in a third-party library.

   XStream: Java crash when trying to instantiate void/Void
   SECURITY-503 / CVE-2017-1000355

   Jenkins uses the XStream library to serialize and deserialize XML. Its
   maintainer recently published a security vulnerability that allows
   anyone able to provide XML to Jenkins for processing using XStream to
   crash the Java process. In Jenkins this typically applies to users with
   permission to create or configure items (jobs), views, or agents.
   Jenkins now prohibits the attempted deserialization of void / Void that
   results in a crash.

Can you clarify if this assignment was made by DWF, with the knowledge that one of the IDs was for a third-party library, or if Jenkins requested a block and assigned it themselves?

Thanks,

Brian


Page Last Updated or Reviewed: April 28, 2017