Bug#772132: unblock: jenkins/1.565.3-3
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
Please unblock package jenkins. This version addresses the RC bugs (#767541
and #769594), backports a cookie security hardening modification (#769682),
adds a missing runtime dependency and improves the documentation (#726489).
Thank you
unblock jenkins/1.565.3-3
diff -Nru jenkins-1.565.3/debian/changelog jenkins-1.565.3/debian/changelog
--- jenkins-1.565.3/debian/changelog 2014-10-25 00:40:19.000000000 +0200
+++ jenkins-1.565.3/debian/changelog 2014-12-05 12:28:04.000000000 +0100
@@ -1,3 +1,23 @@
+jenkins (1.565.3-3) unstable; urgency=medium
+
+ * Team upload.
+
+ [ Yann Rouillard ]
+ * Added dependency on libcglib3-java to fix NoClassDefFoundError at runtime.
+ * Removed Context Resource symlinks directives as they don't work anymore in
+ Tomcat 8 and are not required for Jenkins (Closes: #769594)
+ * Removed useless properties Debug and AllowLinking in Context definition
+ to suppress warnings in Tomcat logs.
+ * Backported upstream patch to ensure HttpOnly cookie flag is properly set
+ and avoid warning messages about Security cookie flag (Closes: #769682)
+
+ [ Emmanuel Bourg ]
+ * Documented the security issue with master/slave setups (CVE-2014-3665)
+ * Documented in /etc/default/jenkins how to run Jenkins
+ on non local addresses (Closes: #726489)
+
+ -- Emmanuel Bourg <ebourg@apache.org> Fri, 05 Dec 2014 12:27:57 +0100
+
jenkins (1.565.3-2) unstable; urgency=medium
* Team upload.
diff -Nru jenkins-1.565.3/debian/control jenkins-1.565.3/debian/control
--- jenkins-1.565.3/debian/control 2014-10-21 23:08:25.000000000 +0200
+++ jenkins-1.565.3/debian/control 2014-11-15 15:47:21.000000000 +0100
@@ -40,6 +40,7 @@
libasm4-java,
libbridge-method-injector-java (>= 1.9),
libbytecode-compatibility-transformer-java,
+ libcglib3-java,
libclassworlds-java,
libcommons-beanutils-java,
libcommons-codec-java,
diff -Nru jenkins-1.565.3/debian/jenkins.default jenkins-1.565.3/debian/jenkins.default
--- jenkins-1.565.3/debian/jenkins.default 2014-10-16 16:51:16.000000000 +0200
+++ jenkins-1.565.3/debian/jenkins.default 2014-12-05 12:25:57.000000000 +0100
@@ -47,7 +47,7 @@
# port for AJP connector (disabled by default)
AJP_PORT=-1
-# Listen address for HTTP connector
+# Listen address for HTTP connector (use 0.0.0.0 to listen on all IPv4/IPv6 interfaces)
HTTP_HOST=127.0.0.1
# Listen address for AJP connector
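Review bot: The new comment on the `+` line presents 0.0.0.0 as listening on "all IPv4/IPv6 interfaces", but 0.0.0.0 is the IPv4 wildcard; whether the JVM also accepts IPv6 connections on it depends on the host's dual-stack handling, so the claim should be hedged or `::` mentioned as the IPv6 form. Since the bug being closed is about exposing Jenkins beyond loopback, this comment is also the place to remind the administrator that Jenkins' own access control has to be enabled before the listener is opened, for example `# Listen address for HTTP connector (use 0.0.0.0 to listen on all interfaces; enable Jenkins access control before exposing it beyond localhost)`.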
diff -Nru jenkins-1.565.3/debian/jenkins.README.Debian jenkins-1.565.3/debian/jenkins.README.Debian
--- jenkins-1.565.3/debian/jenkins.README.Debian 2014-10-16 16:51:16.000000000 +0200
+++ jenkins-1.565.3/debian/jenkins.README.Debian 2014-12-05 12:13:51.000000000 +0100
@@ -37,5 +37,13 @@
+ see man jenkins-monitor-job for more details.
- Jenkins CLI: jenkins-cli
+ see man jenkins-cli for more details.
-
- -- James Page <james.page@ubuntu.com> Wed, 20 Jul 2011 11:34:02 +0100
+
+
+Master/Slave Security Considerations
+------------------------------------
+
+Jenkins master and slaves behave as if they altogether form a single
+distributed process. This means a slave can ask a master to do just about
+anything within the confinement of the operating system, such as accessing
+files on the master or trigger other jobs on Jenkins. Therefore adding
+untrusted slaves to the cluster is not recommended.
diff -Nru jenkins-1.565.3/debian/jenkins-tomcat.xml jenkins-1.565.3/debian/jenkins-tomcat.xml
--- jenkins-1.565.3/debian/jenkins-tomcat.xml 2014-10-16 16:51:16.000000000 +0200
+++ jenkins-1.565.3/debian/jenkins-tomcat.xml 2014-11-15 15:47:21.000000000 +0100
@@ -2,9 +2,7 @@
Context configuration file for the Jenkins Web App
-->
<Context path="/jenkins" docBase="/usr/share/jenkins/jenkins.war"
- debug="0" privileged="true" allowLinking="true" crossContext="true">
- <!-- make symlinks work in Tomcat -->
- <Resources className="org.apache.naming.resources.FileDirContext" allowLinking="true" />
+ privileged="true" crossContext="true">
<Environment name="JENKINS_HOME" type="java.lang.String" value="/var/lib/jenkins" override="true" />
</Context>
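Review bot: The `+` line keeps `privileged="true" crossContext="true"` while the hunk removes the only comment the element had, so the two remaining attributes that widen what the context may do in Tomcat (privileged lets the webapp load container servlets, crossContext lets it obtain other contexts through ServletContext.getContext()) are left unexplained. A short comment recording why Jenkins needs each, or dropping the one it does not, would help the next reviewer, e.g. `<!-- privileged/crossContext: needed by Jenkins — TODO confirm which feature requires each -->`. Removing allowLinking and the Resources element is itself sound, since symlink following is a security-sensitive option in Tomcat.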
diff -Nru jenkins-1.565.3/debian/maven.rules jenkins-1.565.3/debian/maven.rules
--- jenkins-1.565.3/debian/maven.rules 2014-10-22 00:18:22.000000000 +0200
+++ jenkins-1.565.3/debian/maven.rules 2014-12-05 12:14:05.000000000 +0100
@@ -69,6 +69,8 @@
org.springframework s/spring-webmvc/spring-web/ * s/.*/3.x/ * *
com.google.inject guice * s/.*/debian/ s/no_aop// *
+cglib cglib * s/.*/3.x/ * *
+
s/com.google.code.findbugs/org.jsr-305/ jsr305 * s/.*/0.x/ * *
org.jsr-305 jsr305 * 0.x * *
s/org.jvnet.hudson/org.jenkins-ci/ test-annotations * s/.*/debian/ * *
diff -Nru jenkins-1.565.3/debian/patches/0027-add-cglib-dependency.patch jenkins-1.565.3/debian/patches/0027-add-cglib-dependency.patch
--- jenkins-1.565.3/debian/patches/0027-add-cglib-dependency.patch 1970-01-01 01:00:00.000000000 +0100
+++ jenkins-1.565.3/debian/patches/0027-add-cglib-dependency.patch 2014-11-15 15:47:21.000000000 +0100
@@ -0,0 +1,23 @@
+Description: Add dependency on cglib as we don't use guice-noaop library,
+ and the one we use depends on cglib.
+ Note that the library cglib is required at runtime and not only at the
+ compilation step.
+Author: Yann Rouillard <yann@pleiades.fr.org>, François-Xavier Vende <francois.vende@gmail.com>
+Forwarded: not-needed
+Index: jenkins-1.565.3/core/pom.xml
+===================================================================
+--- jenkins-1.565.3.orig/core/pom.xml
++++ jenkins-1.565.3/core/pom.xml
+@@ -100,6 +100,12 @@ THE SOFTWARE.
+ <classifier>no_aop</classifier>
+ </dependency>
+
++ <dependency>
++ <groupId>cglib</groupId>
++ <artifactId>cglib</artifactId>
++ <version>3.x</version>
++ </dependency>
++
+ <dependency> <!-- for compatibility only; all new code should use JNR -->
+ <groupId>org.jruby.ext.posix</groupId>
+ <artifactId>jna-posix</artifactId>
diff -Nru jenkins-1.565.3/debian/patches/0028-properly-set-httponly-flag-for-tomcat.patch jenkins-1.565.3/debian/patches/0028-properly-set-httponly-flag-for-tomcat.patch
--- jenkins-1.565.3/debian/patches/0028-properly-set-httponly-flag-for-tomcat.patch 1970-01-01 01:00:00.000000000 +0100
+++ jenkins-1.565.3/debian/patches/0028-properly-set-httponly-flag-for-tomcat.patch 2014-12-05 10:43:11.000000000 +0100
@@ -0,0 +1,109 @@
+Description: This patch fixes 2 issues. It set the HttpOnly flag
+ at an ealier stage so that the setting is properly taken into
+ account by Tomcat.
+ It suppress the warning about the secure flag that only happens
+ in Tomcat as it should be configured in Tomcat configuration and
+ not set by Jenkins in that case.
+Origin: backport,https://github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710
+From 582128b9ac179a788d43c1478be8a5224dc19710 Mon Sep 17 00:00:00 2001
+From: Kohsuke Kawaguchi <kk@kohsuke.org>
+Date: Thu, 16 Oct 2014 19:15:56 -0700
+Subject: [PATCH] [FIXED JENKINS-25019]
+
+A truly conforming servlet 3.0 container does not allow us to set "secure cookie" flag beyond ServletContextListener.onInitialized().
+If we see that, don't scare the users.
+---
+ core/src/main/java/hudson/WebAppMain.java | 29 +++++++++++++++++++++++
+ .../model/JenkinsLocationConfiguration.java | 16 ++++++++-----
+ 2 files changed, 39 insertions(+), 6 deletions(-)
+
+diff --git a/core/src/main/java/hudson/WebAppMain.java b/core/src/main/java/hudson/WebAppMain.java
+index 1f332e9..11d438d 100644
+--- a/core/src/main/java/hudson/WebAppMain.java
++++ b/core/src/main/java/hudson/WebAppMain.java
+@@ -56,6 +56,7 @@
+ import java.io.File;
+ import java.io.FileOutputStream;
+ import java.io.IOException;
++import java.lang.reflect.Method;
+ import java.net.URL;
+ import java.net.URLClassLoader;
+ import java.util.Date;
+@@ -116,6 +117,9 @@ public Locale get() {
+
+ installLogger();
+
++ System.out.println("I am here");
++ markCookieAsHttpOnly(context);
++
+ final FileAndDescription describedHomeDir = getHomeDir(event);
+ home = describedHomeDir.file.getAbsoluteFile();
+ home.mkdirs();
+@@ -251,6 +254,31 @@ public void run() {
+ }
+ }
+
++ /**
++ * Set the session cookie as HTTP only.
++ *
++ * @see <a href="https://www.owasp.org/index.php/HttpOnly">discussion of this topic in OWASP</a>
++ */
++ private void markCookieAsHttpOnly(ServletContext context) {
++ try {
++ Method m;
++ try {
++ m = context.getClass().getMethod("getSessionCookieConfig");
++ } catch (NoSuchMethodException x) { // 3.0+
++ LOGGER.log(Level.FINE, "Failed to set secure cookie flag", x);
++ return;
++ }
++ Object sessionCookieConfig = m.invoke(context);
++
++ // not exposing session cookie to JavaScript to mitigate damage caused by XSS
++ Class scc = Class.forName("javax.servlet.SessionCookieConfig");
++ Method setHttpOnly = scc.getMethod("setHttpOnly",boolean.class);
++ setHttpOnly.invoke(sessionCookieConfig,true);
++ } catch (Exception e) {
++ LOGGER.log(Level.WARNING, "Failed to set HTTP-only cookie flag", e);
++ }
++ }
++
+ public void joinInit() throws InterruptedException {
+ initThread.join();
+ }
+diff --git a/core/src/main/java/jenkins/model/JenkinsLocationConfiguration.java b/core/src/main/java/jenkins/model/JenkinsLocationConfiguration.java
+index 6836467..c10e51d 100644
+--- a/core/src/main/java/jenkins/model/JenkinsLocationConfiguration.java
++++ b/core/src/main/java/jenkins/model/JenkinsLocationConfiguration.java
+@@ -14,6 +14,7 @@
+ import javax.servlet.ServletContext;
+ import java.io.File;
+ import java.io.IOException;
++import java.lang.reflect.InvocationTargetException;
+ import java.lang.reflect.Method;
+ import java.util.logging.Level;
+ import java.util.logging.Logger;
+@@ -117,14 +118,17 @@ private void updateSecureSessionFlag() {
+ }
+ Object sessionCookieConfig = m.invoke(context);
+
+- // not exposing session cookie to JavaScript to mitigate damage caused by XSS
+ Class scc = Class.forName("javax.servlet.SessionCookieConfig");
+- Method setHttpOnly = scc.getMethod("setHttpOnly",boolean.class);
+- setHttpOnly.invoke(sessionCookieConfig,true);
+-
+- Method setSecure = scc.getMethod("setSecure",boolean.class);
++ Method setSecure = scc.getMethod("setSecure", boolean.class);
+ boolean v = fixNull(jenkinsUrl).startsWith("https");
+- setSecure.invoke(sessionCookieConfig,v);
++ setSecure.invoke(sessionCookieConfig, v);
++ } catch (InvocationTargetException e) {
++ if (e.getTargetException() instanceof IllegalStateException) {
++ // servlet 3.0 spec seems to prohibit this from getting set at runtime,
++ // though Winstone is happy to accept i. see JENKINS-25019
++ return;
++ }
++ LOGGER.log(Level.WARNING, "Failed to set secure cookie flag ici", e);
+ } catch (Exception e) {
+ LOGGER.log(Level.WARNING, "Failed to set secure cookie flag", e);
+ }
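Review bot: The backported patch carries debugging leftovers into the package: `System.out.println("I am here");`, added in the `@@ -116,6 +117,9 @@` hunk just before the markCookieAsHttpOnly call, prints to the container's stdout on every start, and the new InvocationTargetException branch in updateSecureSessionFlag logs `"Failed to set secure cookie flag ici"` with a stray French "ici". Both lines belong removed or corrected before upload: delete the println and use `LOGGER.log(Level.WARNING, "Failed to set secure cookie flag", e);`. In markCookieAsHttpOnly the NoSuchMethodException branch also logs "Failed to set secure cookie flag" although it is the HTTP-only flag being skipped; `LOGGER.log(Level.FINE, "Failed to set HTTP-only cookie flag", x);` matches the method. The method enclosing the println starts outside the hunk, and whether these lines are verbatim from the upstream commit or were introduced while backporting cannot be told from the page.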
diff -Nru jenkins-1.565.3/debian/patches/0029-master-slave-security-warning.patch jenkins-1.565.3/debian/patches/0029-master-slave-security-warning.patch
--- jenkins-1.565.3/debian/patches/0029-master-slave-security-warning.patch 1970-01-01 01:00:00.000000000 +0100
+++ jenkins-1.565.3/debian/patches/0029-master-slave-security-warning.patch 2014-12-05 11:33:41.000000000 +0100
@@ -0,0 +1,17 @@
+Description: Warn about the security issue with master/slave setups in the UI
+Author: Emmanuel Bourg <ebourg@apache.org>
+Forwarded: not-needed
+--- a/core/src/main/resources/hudson/model/ComputerSet/new.jelly
++++ b/core/src/main/resources/hudson/model/ComputerSet/new.jelly
+@@ -35,6 +35,11 @@
+ <l:layout norefresh="true" permission="${createPermission}">
+ <st:include page="sidepanel.jelly" />
+ <l:main-panel>
++
++ <p class="warning">WARNING: Do not add untrusted slaves to your configuration as they could run any command on the master node.<br/>
++ See the <a href="https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-30">Jenkins Security Advisory 2014-10-30</a>
++ for more information.</p>
++
+ <j:invokeStatic var="slaves" className="hudson.slaves.NodeDescriptor" method="allInstantiable" />
+ <n:form nameTitle="${%Node name}" copyTitle="${%Copy Existing Node}" copyNames="${it._slaveNames}"
+ descriptors="${slaves}" checkUrl="checkName" xmlns:n="/lib/hudson/newFromList" />
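Review bot: The added `<p class="warning">` block hard-codes its English text, whereas the neighbouring `nameTitle="${%Node name}"` line in the same hunk goes through Jelly's `${%...}` message lookup; for consistency with the rest of the view the warning and link text could be keyed the same way. The advisory reference is useful as is; if the patch stays Debian-local (`Forwarded: not-needed`), the inline English is acceptable but worth a one-line comment saying so.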
diff -Nru jenkins-1.565.3/debian/patches/series jenkins-1.565.3/debian/patches/series
--- jenkins-1.565.3/debian/patches/series 2014-10-16 16:51:16.000000000 +0200
+++ jenkins-1.565.3/debian/patches/series 2014-12-05 10:44:39.000000000 +0100
@@ -21,3 +21,6 @@
0024-args4j-compatibility.patch
0025-specify-plugins-versions.patch
0026-add-jsr305-dependency.patch
+0027-add-cglib-dependency.patch
+0028-properly-set-httponly-flag-for-tomcat.patch
+0029-master-slave-security-warning.patch