
Chapter 4. RHSA-2015:1844 - OpenShift Enterprise 2.2.7 Security, Bug Fix, and Enhancement Update


OpenShift Enterprise 2.2.7 is now available with updates to packages that fix security issues, fix several bugs, and introduce feature enhancements. See the errata advisory at https://rhn.redhat.com/errata/RHSA-2015-1844.html for more information.

Important

See the OpenShift Enterprise 2.2 Release Notes for instructions on how to apply this asynchronous errata update.
This update addresses the following bug fixes and enhancements:

Command Line Interface

BZ#1216206
When running `rhc setup` for the first time, rhc must contact the OpenShift server. If the `always_auth` option must be set to something other than the default to connect to the OpenShift server, a ~/.openshift/express.conf file had to be manually created with the `always_auth` option set. This enhancement allows users to now pass the `--always_auth` global option to `rhc setup` so that a configuration file does not have to be manually created beforehand. Users can also use this option on any rhc command to override the value in rhc's configuration.
BZ#1130028
In the output of `rhc app-show <app> --gears`, cartridges for a scalable gear were previously listed by the endpoints they exposed. If a cartridge exposed multiple endpoints, it was listed multiple times in the output of `rhc app-show <app> --gears`. This bug fix updates rhc so that only unique values in the list of cartridges with exposed endpoints are considered, and as a result cartridges with multiple exposed endpoints are only listed once per gear.
BZ#1160699
When creating an application from an existing application, details regarding the HA configuration of the original application were not available. As a result, applications created from an existing HA application would not themselves be HA as one would expect. This bug fix extends the REST API to provide HA application configuration details. The `rhc app-create --from-app` command now clones HA status from the original application.
BZ#1229300
Previously, when moving a non-scaled application across node profiles, the proper quota for the new profile was not applied to the gear. The gear still used the quota from its previous gear size. Additionally, any additional gear storage was not added to the quota of the new gear. This bug fix ensures the new node profile's quota limits are used, taking into account additional storage the gear may have. As a result, gears moved across node profiles have the proper quota applied, and additional gear storage still exists after the move.
BZ#1128567
Previously, only cartridges that exposed endpoints were listed in the output of `rhc app show <app> --gears` for scalable applications. However, the jenkins-client cartridge does not expose any endpoints, and as a result for scalable applications with a jenkins-client cartridge, `rhc app show <app> --gears` would not show the jenkins-client cartridge on any gear. This bug fix updates rhc so that all cartridges are listed and those with endpoints are highlighted in green. The jenkins-client cartridge is now listed for a scaled application alongside other cartridges that do expose endpoints.
BZ#1232921
If environment variables were specified with rhc but none of them could be parsed, the environment variables were previously ignored and no error was reported for syntactically incorrect environment variables. This led users to believe their environment variables had been added when the application was created. This bug fix updates rhc so that when the environment variable flag is specified but no environment variables can be parsed, an error is reported.

Cartridge

BZ#1138522
The values for `MaxClients` and `ServerLimit` were hard-coded into the httpd_nolog.conf file for the PHP cartridge. The load order specified that httpd_nolog.conf be loaded last, so specifying a custom `MaxClients` or `ServerLimit` value was not possible, as these settings would always be overwritten by httpd_nolog.conf. This bug fix updates the PHP cartridge to change how configuration files are passed to httpd from `-C` (process the directive before reading configuration files) to `-c` (process the directive after reading configuration files). As a result, custom `MaxClients` and `ServerLimit` values can now be defined in PHP cartridges.
BZ#1264210
Previously, a Node.js cartridge with hot_deploy disabled would not wait until the application is actually available when starting the application. On scaled Node.js applications where 20 to 30 seconds is required for the application to start, an outage was seen during the push while the Node.js applications started. For other cartridges (such as JBoss EAP), each start is blocked until the application is available so that gear rotation ensures no downtime is experienced. This bug fix updates the Node.js cartridge to now block until the HTTP port is available, with a maximum wait time of 60 seconds. As a result, scaled Node.js cartridges with hot_deploy disabled will properly update and start gears in rotation when pushing a new version of the application. This ensures no downtime is seen while pushing a new version.
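The readiness gate described above (block the start until the HTTP port accepts connections, with an upper bound on the wait), as an added Ruby example that is not the Node.js cartridge's own control script or any code from this advisory. The `wait_for_port`, `start_slow_listener` and `start_gear_and_wait` helpers are assumptions for the example; the slow listener is a constructed stand-in for an application that needs time to boot, so the block runs without a real gear.

```ruby
require 'socket'

# Poll until a TCP connection to host:port succeeds, giving up after
# max_wait seconds. Returns true once the port accepts, false on timeout.
# (Added example for BZ#1264210; not the cartridge's own script.)
def wait_for_port(host, port, max_wait: 60, interval: 0.5)
  deadline = Process.clock_gettime(Process::CLOCK_MONOTONIC) + max_wait
  loop do
    begin
      # connect_timeout stops one hung attempt from consuming the whole budget
      Socket.tcp(host, port, connect_timeout: 1) { return true }
    rescue SystemCallError, IOError
      # ECONNREFUSED while the app is still booting, ETIMEDOUT, and similar
    end
    return false if Process.clock_gettime(Process::CLOCK_MONOTONIC) >= deadline
    sleep interval
  end
end

# Stand-in for a slow application (constructed for the example): the port is
# reserved immediately but only starts accepting after `delay` seconds, the
# way a Node.js gear that needs 20-30 s to boot would. Returns [port, thread].
def start_slow_listener(delay)
  sock = Socket.new(:INET, :STREAM)
  sock.bind(Addrinfo.tcp('127.0.0.1', 0))   # port 0: let the kernel pick one
  port = sock.local_address.ip_port
  thread = Thread.new do
    sleep delay
    sock.listen(5)                            # from here on, connects succeed
    conn, _addr = sock.accept
    conn.close
    sock.close
  end
  [port, thread]
end

# What a start hook does with the gate: launch, then block until the port is
# ready or the wait budget is spent. Returns whether the app came up in time.
def start_gear_and_wait(delay, max_wait: 60)
  port, thread = start_slow_listener(delay)
  ready = wait_for_port('127.0.0.1', port, max_wait: max_wait)
  thread.join if ready        # the listener exits after its first connection
  ready
end

if __FILE__ == $PROGRAM_NAME
  puts(start_gear_and_wait(2) ? 'application up, safe to rotate this gear in' :
                                'application did not come up in time')
end
```

Gating on an accepted TCP connection, rather than on the process having been launched, is what lets a rolling restart keep at least one serving gear behind the proxy at all times; the hard upper bound keeps a gear that never comes up from stalling the whole push.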
BZ#1197576
Certain Jenkins plug-ins insist on a specific minimum version of Jenkins. As time passes, more and more Jenkins plug-ins will be unable to be upgraded or installed because the minimum version of Jenkins required is later than that provided by OpenShift. This enhancement upgrades the Jenkins cartridge to jenkins-1.609.1.

Logging

BZ#1264039
When reading configuration files, logshifter previously read each line using a newline as the separator. When no newline character or EOL character existed at the end of a configuration file whose last line was not empty, the last line of the configuration would be ignored. This bug fix updates logshifter to catch an EOF and ensure that if the EOF is on a non-empty line, the line is read into the configuration. As a result, all lines in the logshifter configuration file are read, whether they end with a newline or EOL character or not.

Broker

BZ#1171815
It is possible that when a Jenkins application fails to create and is rolled back, its domain environment variables still exist. These map to a non-existing gear component, and any new Jenkins applications cannot be created since the environment variables already exist. This bug fix updates the `oo-admin-repair` command to add the ability to clean up domains that have Jenkins environment variables with missing components. An administrator can use the `--orphaned-envs` switch with `oo-admin-repair` to clean environment variables from domains that do not have a related component. An administrator can also use `--domain <domain>` to specify a specific domain to repair.
BZ#1191283
When a cartridge was imported into the broker's database from two separate nodes within the same second, the second cartridge failed activation because the time stamp of the first cartridge was seen as the same as the current time. Instead of comparing the time stamps through the moped database query, which only compares seconds, this bug fix updates the logic to compare the Time objects with Ruby. As a result, the priority time stamps are compared to the milliseconds, allowing multiple cartridges from different nodes to be imported and activated within the same second.
BZ#1197123
When the base gear file storage limits (quota_blocks) were less than 1048576, converting this value to gigabytes previously returned 0. Calculating the total file limit from every gear in the application included dividing by the base gear file storage limits in GB, which when 0 caused a "divide by 0" error to be returned. This bug fix updates the behavior to round up all base gear file storage (quota_blocks) values to 1GB if they are less than 1GB. As a result, the base total file storage limit for an application can now be reported without error when storage limits are less than 1048576. Note that because we round up when the quota_blocks value is less than 1048576, storage values may be inaccurate for some applications.
BZ#1241750
The pin-php-to-host gear placement plug-in example configuration contained a typo where a configuration directive was named incorrectly, which caused the `slow_hosts` configuration directive to not be used. This bug fix renames the `SLOW_HOST` directive to `SLOW_HOSTS`, and as a result the `slow_hosts` configuration directive is parsed properly and used in the pin-php-to-host gear placement plug-in example.
BZ#1221931
When the `oo-admin-move` command failed to move a scalable application across districts, previously the exit code returned was 0, as if there was no failure. This bug fix updates the command to properly exit with a non-zero exit code upon failure.
BZ#1226061
The routing daemon previously did not check the exit status of `ssh` and `scp` commands for copying certificates and keys to and deleting the same from the F5 BIG-IP host. This caused some errors in copying keys to F5 BIG-IP to be ignored. This bug fix updates the routing daemon, and the F5 iControl REST API model now checks the exit status of `ssh` and `scp` commands and raises an exception if the exit status is not 0. As a result, the routing daemon now logs errors from the `ssh` and `scp` commands.
BZ#1228373
When determining which servers are available for gear placement, the least_preferred_servers variable could include all available servers. Additionally, the nodes only update their facts at a one minute interval. If all available nodes for a gear were passed in least_preferred_servers, the last server in the list would be chosen every time. Additionally, gears created for the same application within the same minute (such as through scaling a cartridge up numerous gears at a time) did not consider the placement of gears created within the same minute. These issues combined resulted in very uneven gear spreading for scaled applications. This bug fix updates OpenShift Enterprise so that if all available gears are passed into least_preferred_servers, least_preferred_servers is essentially ignored because all servers are least preferred. Gears now also will take into consideration the placement of the other gears in the application. As a result, spreading across nodes in districts and zones for scaled applications is now even. Scaling an application up multiple gears will result in the gears being spread evenly.
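The placement rule described above, as an added Ruby example that is not OpenShift's gear placement plug-in code: a `least_preferred_servers` list that covers every available server carries no information and is ignored, and gears placed moments ago are counted even though node facts would not show them yet. The server names, the `app_gears` hash, the name-based tie-break and the `place_gears_stale` comparison routine are all constructed for the example.

```ruby
# Pick one server for a new gear. (Added example for BZ#1228373; the data
# model is invented here and is not the real placement plug-in API.)
# available:       servers that could host the gear (from node facts)
# least_preferred: servers the caller would rather avoid
# app_gears:       server => number of this application's gears already
#                  there, including ones placed seconds ago
def choose_server(available, least_preferred, app_gears)
  raise ArgumentError, 'no available servers' if available.empty?
  candidates = available - least_preferred
  # If every available server is least preferred, the hint says nothing,
  # so drop it instead of always landing on the last server in the list.
  candidates = available if candidates.empty?
  # Spread: fewest gears of this app first; server name as a stable tie-break.
  candidates.min_by { |s| [app_gears.fetch(s, 0), s] }
end

# Place `count` gears in one scaling operation, recording each placement in
# the running counts immediately rather than waiting for a facts refresh.
# Returns [placements, final counts].
def place_gears(count, available, least_preferred, app_gears)
  counts = app_gears.dup
  placements = Array.new(count) do
    server = choose_server(available, least_preferred, counts)
    counts[server] = counts.fetch(server, 0) + 1
    server
  end
  [placements, counts]
end

# The pre-fix behaviour, reconstructed for comparison: with every server
# least preferred and counts that do not change within the minute, the same
# server is chosen for every gear of the scale-up.
def place_gears_stale(count, available, least_preferred, app_gears)
  candidates = available - least_preferred
  server = if candidates.empty?
             available.last
           else
             candidates.min_by { |s| app_gears.fetch(s, 0) }
           end
  Array.new(count, server)
end

if __FILE__ == $PROGRAM_NAME
  nodes = %w[node1 node2 node3]
  puts "fixed:  #{place_gears(6, nodes, nodes, {}).first.join(' ')}"
  puts "stale:  #{place_gears_stale(6, nodes, nodes, {}).join(' ')}"
end
```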
BZ#1152524
Previously, the `oo-accept-broker` command would hang indefinitely or time out with unhelpful errors if it was unable to load the broker's Rails environment due to database connectivity issues. This enhancement updates `oo-accept-broker` to check for connectivity with the MongoDB database before attempting other functions that rely on the database. As a result, `oo-accept-broker` now catches DNS issues as well as MongoDB database connectivity issues and provides a useful error message when the database is unavailable.

Node

BZ#1232827
This enhancement updates the JBoss EAP cartridge to allow the usage of Java 8, which can be used by adding the "java8" marker.
BZ#1257757
When a scaled application is unidled, HAProxy is started first. Previously, HAProxy then made a blocking `curl` request to every gear in its configuration to unidle it. After HAProxy was finished, the rest of the gears received a 'start' from the broker. This caused a loop to be seen when unidling a scaled application that could cause delays and timeouts to be hit: HAProxy attempted to unidle all gears while the broker was already handling the unidling process, starting another unidling process for each gear. This bug fix removes HAProxy's logic where it attempts to unidle all gears in the application, as the broker already handles this operation. As a result, HAProxy no longer attempts to unidle all gears in an application, instead deferring this process to the broker, and unidling a scaled application takes much less time.
BZ#1264216
Previously, every gear on a node received an "unidle" call during a node start, which triggered an Apache reload for each gear, incurring significant overhead. This caused node start time to take longer than was necessary, and gears that started first were deprived of resources until the node settled. This bug fix ensures gears are only unidled on user start. As a result, unnecessary unidles no longer occur at node start, and node start time is reduced.
BZ#1225943
The `grep` method in which entries are pulled from the /etc/fstab file in the `oo-init-quota` command previously did not ignore commented lines. This could result in an error where the quota failed to initialize due to duplicate entries when a commented entry included the same file system mount as an un-commented entry. This bug fix updates the `grep` commands used in `oo-init-quota` to now ignore lines beginning with a '#' symbol. As a result, `oo-init-quota` now successfully initializes quotas on systems where a commented entry for the same file system where OpenShift gears will be stored exists.
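The fstab handling described above, as an added Ruby example that is not the `oo-init-quota` script itself: entries are parsed with comment lines ignored, and a mount point that still resolves to more than one live entry is treated as an error rather than guessed at. The sample fstab text, the `/var/lib/openshift` mount point, and the `parse_fstab`/`gear_fstab_entry` helpers are constructed for the example; `skip_comments: false` reproduces the old behaviour for comparison.

```ruby
# Added example for BZ#1225943; not OpenShift's own quota script.
# Constructed sample: a commented-out copy of the gear file system entry sits
# next to the live one, which is exactly the case that used to fail.
FSTAB_SAMPLE = <<~FSTAB
  # /etc/fstab
  UUID=1111-2222  /                   ext4   defaults                     1 1
  # superseded entry, kept as a comment:
  #/dev/sdb1      /var/lib/openshift  ext4   defaults                     1 2
  /dev/sdb1       /var/lib/openshift  ext4   defaults,usrquota,grpquota   1 2
  tmpfs           /dev/shm            tmpfs  defaults                     0 0
FSTAB

FstabEntry = Struct.new(:device, :mount_point, :fstype, :options, :dump, :pass)

# Parse fstab-style text. skip_comments: false mimics the old grep, which
# matched "#/dev/sdb1 ..." as though it were a real entry.
def parse_fstab(text, skip_comments: true)
  text.each_line.each_with_object([]) do |line, entries|
    stripped = line.strip
    next if stripped.empty?
    next if skip_comments && stripped.start_with?('#')
    fields = stripped.split(/\s+/)
    next if fields.size < 4                      # not a well-formed entry
    entries << FstabEntry.new(fields[0], fields[1], fields[2],
                              fields[3].split(','),
                              fields[4].to_i, fields[5].to_i)
  end
end

# All entries whose mount point is the gear base directory.
def gear_fstab_entries(text, gear_base_dir, skip_comments: true)
  parse_fstab(text, skip_comments: skip_comments)
    .select { |e| e.mount_point == gear_base_dir }
end

# The single live entry for the gear file system. More than one means the
# table is ambiguous and quota initialisation should refuse to proceed.
def gear_fstab_entry(text, gear_base_dir)
  matches = gear_fstab_entries(text, gear_base_dir)
  raise "duplicate fstab entries for #{gear_base_dir}" if matches.size > 1
  raise "no fstab entry for #{gear_base_dir}" if matches.empty?
  matches.first
end

# Quota can only be initialised if the mount carries a quota option.
def quota_enabled?(entry)
  (entry.options & %w[usrquota grpquota]).any?
end

if __FILE__ == $PROGRAM_NAME
  entry = gear_fstab_entry(FSTAB_SAMPLE, '/var/lib/openshift')
  puts "#{entry.device} on #{entry.mount_point}, quota: #{quota_enabled?(entry)}"
  puts "old grep would have seen #{gear_fstab_entries(FSTAB_SAMPLE, '/var/lib/openshift', skip_comments: false).size} entries"
end
```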
BZ#1062253
Previously, the java-1.6.0-openjdk package was not listed as a requirement for the JBoss EAP and JBoss EWS cartridges. This caused the 'java6' marker to not work appropriately if java-1.6.0-openjdk was not already installed on the system by other packages. This bug fix adds java-1.6.0-openjdk as a requirement to these cartridges to correct this issue.

Routing

BZ#1217572
After performing updates to F5 BIG-IP, the routing daemon should call the F5 iControl REST API to synchronize F5 BIG-IP's configuration within a preconfigured device-group. This enables a system administrator to set up an F5 BIG-IP cluster (or "device group" in F5 terminology) for high availability and have configuration automatically synchronized within the cluster. This enhancement adds a new setting BIGIP_DEVICE_GROUP, and the F5 iControl REST API model was changed to read the value for this setting and, if a value is set, update the specified device group. The routing daemon can now be configured to initiate a configuration synchronization for a configured F5 BIG-IP device group. The routing daemon will initiate this synchronization at an interval specified with the existing UPDATE_INTERVAL setting (default value 5).
BZ#1227501
Although the routing daemon's F5 iControl REST API model used the value set for BIGIP_USERNAME in the routing daemon's configuration file for the `scp` command to upload temporary key and certificate files to the F5 BIG-IP host, it used the hard-coded user name "admin" for the `ssh` command to delete these temporary files. If a user name other than "admin" was configured for the F5 BIG-IP host, this caused the routing daemon to leave temporary files on the F5 BIG-IP host. This bug fix updates the F5 iControl REST API model to consistently use the value of the BIGIP_USERNAME setting for all `ssh` and `scp` commands. As a result, the routing daemon now deletes the temporary files that it creates on the F5 BIG-IP host.
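An added Ruby example covering both BZ#1226061 and BZ#1227501 above; it is not the routing daemon's own F5 iControl REST model. Every `ssh` and `scp` invocation takes its login from the same BIGIP_USERNAME setting, and each command's exit status is checked so that a failed upload or a failed cleanup of temporary key material raises (and can be logged) instead of being silently ignored. The `BIGIP_HOST` key, the host name, the file paths and the `run_checked`/`push_and_clean` helpers are assumptions for the example; the stand-alone run uses `sh` in place of a real `ssh`, so the block executes without an F5 device.

```ruby
require 'open3'
require 'shellwords'

# Placeholder configuration for the example; the real daemon reads its
# settings from its configuration file.
F5_CONFIG = {
  'BIGIP_HOST'     => 'bigip.example.test',   # placeholder host
  'BIGIP_USERNAME' => 'routingsvc',           # deliberately not "admin"
}.freeze

class RemoteCommandError < StandardError; end

# Run argv without a shell, capture its output, and fail loudly on a non-zero
# exit status instead of ignoring it. Returns the combined output on success.
def run_checked(argv)
  out, status = Open3.capture2e(*argv)
  unless status.success?
    raise RemoteCommandError,
          "#{Shellwords.join(argv)} exited #{status.exitstatus}: #{out.strip}"
  end
  out
end

# Both the transfer and the cleanup derive their login from the same setting,
# so a non-default BIGIP_USERNAME cannot strand temporary files on the host.
def remote_login(config)
  "#{config.fetch('BIGIP_USERNAME')}@#{config.fetch('BIGIP_HOST')}"
end

def scp_upload_argv(config, local_path, remote_path)
  ['scp', '-q', local_path, "#{remote_login(config)}:#{remote_path}"]
end

def ssh_delete_argv(config, remote_path)
  ['ssh', remote_login(config), "rm -f #{Shellwords.escape(remote_path)}"]
end

# Upload a temporary key or certificate file and always attempt the cleanup;
# a non-zero status from either step propagates to the caller, which is the
# point at which the daemon now logs the error.
def push_and_clean(config, local_path, remote_path, runner: method(:run_checked))
  runner.call(scp_upload_argv(config, local_path, remote_path))
ensure
  runner.call(ssh_delete_argv(config, remote_path))
end

if __FILE__ == $PROGRAM_NAME
  puts "would run: #{Shellwords.join(scp_upload_argv(F5_CONFIG, '/tmp/k.pem', '/tmp/k.pem'))}"
  puts "would run: #{Shellwords.join(ssh_delete_argv(F5_CONFIG, '/tmp/k.pem'))}"
  begin
    run_checked(['sh', '-c', 'echo "permission denied" >&2; exit 3'])
  rescue RemoteCommandError => e
    puts "caught: #{e.message}"
  end
end
```

Checking `status.success?` on every remote command matters more than usual here because the files in question are private keys: a cleanup that fails silently leaves key material on the load balancer with nothing in the logs to say so.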

Security

BZ#1205616
A flaw was found in the Jenkins API token-issuing service. The service was not properly protected against anonymous users, potentially allowing remote attackers to escalate privileges.
BZ#1205620
It was found that the combination filter Groovy script could allow a remote attacker to potentially execute arbitrary code on a Jenkins master.
BZ#1205622
It was found that when building artifacts, the Jenkins server would follow symbolic links, potentially resulting in disclosure of information on the server.
BZ#1205623
A denial of service flaw was found in the way Jenkins handled certain update center data. An authenticated user could provide specially crafted update center data to Jenkins, causing plug-in and tool installation to not work properly.
BZ#1205615
Two cross-site scripting (XSS) flaws were found in Jenkins. A remote attacker could use these flaws to conduct XSS attacks against users of an application using Jenkins.
BZ#1205625
It was found that Jenkins' XPath handling allowed XML External Entity (XXE) expansion. A remote attacker with read access could use this flaw to read arbitrary XML files on the Jenkins server.
BZ#1205627
It was discovered that the internal Jenkins user database did not restrict access to reserved names, allowing users to escalate privileges.
BZ#1205632
It was found that Jenkins' XML handling allowed XML External Entity (XXE) expansion. A remote attacker with the ability to pass XML data to Jenkins could use this flaw to read arbitrary XML files on the Jenkins server.