[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: [oss-security] Terrapin vulnerability in Jenkins CLI client
From: Daniel Beck <ml () beckweb ! net>
Date: 2024-04-17 16:35:21
Message-ID: 30959175-87A8-4BE7-B7A8-15B8FFEB48AB () beckweb ! net
[Download RAW message or body]
Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.
The following releases contain fixes for security vulnerabilities:
* Jenkins 2.452
* Jenkins LTS 2.440.3
Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://www.jenkins.io/security/advisory/2024-04-17/
We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories
If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://www.jenkins.io/security/#reporting-vulnerabilities
---
SECURITY-3386 / CVE-2023-48795
The CLI client (`jenkins-cli.jar`) in Jenkins 2.451 and earlier, LTS
2.440.2 and earlier bundles versions of the Apache MINA SSHD library that
are susceptible to CVE-2023-48795 (Terrapin attack). This vulnerability
allows a machine-in-the-middle attacker to reduce the security of an SSH
connection.
NOTE: This only affects the Jenkins CLI client when using the `-ssh`
connection mode, which is not the default.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic