
Bug#772132: marked as done (unblock: jenkins/1.565.3-3)



Your message dated Fri, 5 Dec 2014 13:29:38 +0100
with message-id <20141205122938.GC14303@ugent.be>
and subject line Re: Bug#772132: unblock: jenkins/1.565.3-3
has caused the Debian Bug report #772132,
regarding unblock: jenkins/1.565.3-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
772132: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772132
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package jenkins. This version addresses the RC bugs (#767541
and #769594), backports a cookie security hardening modification (#769682),
adds a missing runtime dependency and improves the documentation (#726489).

Thank you

unblock jenkins/1.565.3-3


diff -Nru jenkins-1.565.3/debian/changelog jenkins-1.565.3/debian/changelog
--- jenkins-1.565.3/debian/changelog    2014-10-25 00:40:19.000000000 +0200
+++ jenkins-1.565.3/debian/changelog    2014-12-05 12:28:04.000000000 +0100
@@ -1,3 +1,23 @@
+jenkins (1.565.3-3) unstable; urgency=medium
+
+  * Team upload.
+
+  [ Yann Rouillard ]
+  * Added dependency on libcglib3-java to fix NoClassDefFoundError at runtime.
+  * Removed Context Resource symlinks directives as they don't work anymore in
+    Tomcat 8 and are not required for Jenkins (Closes: #769594)
+  * Removed useless properties Debug and AllowLinking in Context definition
+    to suppress warnings in Tomcat logs.
+  * Backported upstream patch to ensure HttpOnly cookie flag is properly set
+    and avoid warning messages about Security cookie flag (Closes: #769682)
+
+  [ Emmanuel Bourg ]
+  * Documented the security issue with master/slave setups (CVE-2014-3665)
+  * Documented in /etc/default/jenkins how to run Jenkins
+    on non local addresses (Closes: #726489)
+
+ -- Emmanuel Bourg <ebourg@apache.org>  Fri, 05 Dec 2014 12:27:57 +0100
+
 jenkins (1.565.3-2) unstable; urgency=medium

   * Team upload.
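Review bot: the [ Emmanuel Bourg ] entry says the master/slave issue was "documented", but this upload also adds 0029-master-slave-security-warning.patch, which changes the shipped application (a warning on the new-node page of the Jenkins UI); a patch to the application is a behaviour change and deserves its own changelog line, e.g. `* Added a warning on the new node page about untrusted slaves (CVE-2014-3665)`. The HttpOnly line would also be easier to track if it named what it backports (upstream commit 582128b / JENKINS-25019, as given in the patch header), so the patch can be dropped when a newer upstream release is packaged.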
diff -Nru jenkins-1.565.3/debian/control jenkins-1.565.3/debian/control
--- jenkins-1.565.3/debian/control      2014-10-21 23:08:25.000000000 +0200
+++ jenkins-1.565.3/debian/control      2014-11-15 15:47:21.000000000 +0100
@@ -40,6 +40,7 @@
  libasm4-java,
  libbridge-method-injector-java (>= 1.9),
  libbytecode-compatibility-transformer-java,
+ libcglib3-java,
  libclassworlds-java,
  libcommons-beanutils-java,
  libcommons-codec-java,
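Review bot: the context lines do not show which field this list belongs to. The changelog says libcglib3-java is needed to fix a NoClassDefFoundError at runtime, so confirm the new entry lands in Depends (or is present there as well) and not only in Build-Depends; a build-time dependency alone would leave the installed package failing in exactly the way the bug describes.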
diff -Nru jenkins-1.565.3/debian/jenkins.default jenkins-1.565.3/debian/jenkins.default
--- jenkins-1.565.3/debian/jenkins.default      2014-10-16 16:51:16.000000000 +0200
+++ jenkins-1.565.3/debian/jenkins.default      2014-12-05 12:25:57.000000000 +0100
@@ -47,7 +47,7 @@
 # port for AJP connector (disabled by default)
 AJP_PORT=-1

-# Listen address for HTTP connector
+# Listen address for HTTP connector (use 0.0.0.0 to listen on all IPv4/IPv6 interfaces)
 HTTP_HOST=127.0.0.1

 # Listen address for AJP connector
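Review bot: the new comment tells admins how to bind Jenkins to every interface without saying what that exposes. The README section added in this same upload explains that anything able to talk to the master can make it do "just about anything", so widening HTTP_HOST from 127.0.0.1 to 0.0.0.0 should only be done once access control is configured in Jenkins or a reverse proxy in front of it enforces it. Suggest adding that to the comment, e.g.
# Only change this once authentication is enabled in Jenkins, or put
# Jenkins behind a reverse proxy that handles access control.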
diff -Nru jenkins-1.565.3/debian/jenkins.README.Debian jenkins-1.565.3/debian/jenkins.README.Debian
--- jenkins-1.565.3/debian/jenkins.README.Debian        2014-10-16 16:51:16.000000000 +0200
+++ jenkins-1.565.3/debian/jenkins.README.Debian        2014-12-05 12:13:51.000000000 +0100
@@ -37,5 +37,13 @@
          + see man jenkins-monitor-job for more details.
     - Jenkins CLI: jenkins-cli
       + see man jenkins-cli for more details.
-
- -- James Page <james.page@ubuntu.com>  Wed, 20 Jul 2011 11:34:02 +0100
+
+
+Master/Slave Security Considerations
+------------------------------------
+
+Jenkins master and slaves behave as if they altogether form a single
+distributed process. This means a slave can ask a master to do just about
+anything within the confinement of the operating system, such as accessing
+files on the master or trigger other jobs on Jenkins. Therefore adding
+untrusted slaves to the cluster is not recommended.
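Review bot: the new section states the risk but gives the reader nothing to cross-reference or act on: it does not name CVE-2014-3665 (which the changelog cites for this very change) or link the advisory that patch 0029 links to from the UI, and it does not say what to do instead (only attach nodes whose operators you would also trust with the master itself). Suggest appending after the last sentence, e.g.
See CVE-2014-3665 and https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-30
Minor: "accessing files on the master or trigger other jobs" should be "triggering" to agree with "accessing", and the hunk also removes the `-- James Page` attribution line at the end of the README; check that this is intended rather than a side effect of appending the section.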
diff -Nru jenkins-1.565.3/debian/jenkins-tomcat.xml jenkins-1.565.3/debian/jenkins-tomcat.xml
--- jenkins-1.565.3/debian/jenkins-tomcat.xml   2014-10-16 16:51:16.000000000 +0200
+++ jenkins-1.565.3/debian/jenkins-tomcat.xml   2014-11-15 15:47:21.000000000 +0100
@@ -2,9 +2,7 @@
     Context configuration file for the Jenkins Web App
 -->
 <Context path="/jenkins" docBase="/usr/share/jenkins/jenkins.war"
-   debug="0" privileged="true" allowLinking="true" crossContext="true">
-  <!-- make symlinks work in Tomcat -->
-  <Resources className="org.apache.naming.resources.FileDirContext" allowLinking="true" />
+   privileged="true" crossContext="true">

   <Environment name="JENKINS_HOME" type="java.lang.String" value="/var/lib/jenkins" override="true" />
 </Context>
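Review bot: dropping `allowLinking` and the FileDirContext `Resources` element is the right call (docBase is a .war, so a file-based resource context that follows symlinks was never applicable, and allowLinking lets a webapp serve files from outside its docBase), but the attributes left on the `<Context>` deserve the same least-privilege scrutiny: `privileged="true"` lets the webapp use Tomcat's container servlets (the manager servlet classes) and `crossContext="true"` lets it reach other webapps' ServletContext through getContext(). Nothing in the changelog says Jenkins needs either; if it runs without them, remove them, otherwise add an XML comment saying why they are required so the next maintainer does not have to guess.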
diff -Nru jenkins-1.565.3/debian/maven.rules jenkins-1.565.3/debian/maven.rules
--- jenkins-1.565.3/debian/maven.rules  2014-10-22 00:18:22.000000000 +0200
+++ jenkins-1.565.3/debian/maven.rules  2014-12-05 12:14:05.000000000 +0100
@@ -69,6 +69,8 @@
 org.springframework s/spring-webmvc/spring-web/ * s/.*/3.x/ * *

 com.google.inject guice * s/.*/debian/ s/no_aop// *
+cglib cglib * s/.*/3.x/ * *
+
 s/com.google.code.findbugs/org.jsr-305/ jsr305 * s/.*/0.x/ * *
 org.jsr-305 jsr305 * 0.x * *
 s/org.jvnet.hudson/org.jenkins-ci/ test-annotations * s/.*/debian/ * *
diff -Nru jenkins-1.565.3/debian/patches/0027-add-cglib-dependency.patch jenkins-1.565.3/debian/patches/0027-add-cglib-dependency.patch
--- jenkins-1.565.3/debian/patches/0027-add-cglib-dependency.patch      1970-01-01 01:00:00.000000000 +0100
+++ jenkins-1.565.3/debian/patches/0027-add-cglib-dependency.patch      2014-11-15 15:47:21.000000000 +0100
@@ -0,0 +1,23 @@
+Description: Add dependency on cglib as we don't use guice-noaop library,
+ and the one we use depends on cglib.
+ Note that the library cglib is required at runtime and not only at the
+ compilation step.
+Author: Yann Rouillard <yann@pleiades.fr.org>, François-Xavier Vende <francois.vende@gmail.com>
+Forwarded: not-needed
+Index: jenkins-1.565.3/core/pom.xml
+===================================================================
+--- jenkins-1.565.3.orig/core/pom.xml
++++ jenkins-1.565.3/core/pom.xml
+@@ -100,6 +100,12 @@ THE SOFTWARE.
+       <classifier>no_aop</classifier>
+     </dependency>
+
++    <dependency>
++      <groupId>cglib</groupId>
++      <artifactId>cglib</artifactId>
++      <version>3.x</version>
++    </dependency>
++
+     <dependency> <!-- for compatibility only; all new code should use JNR -->
+       <groupId>org.jruby.ext.posix</groupId>
+       <artifactId>jna-posix</artifactId>
diff -Nru jenkins-1.565.3/debian/patches/0028-properly-set-httponly-flag-for-tomcat.patch jenkins-1.565.3/debian/patches/0028-properly-set-httponly-flag-for-tomcat.patch
--- jenkins-1.565.3/debian/patches/0028-properly-set-httponly-flag-for-tomcat.patch     1970-01-01 01:00:00.000000000 +0100
+++ jenkins-1.565.3/debian/patches/0028-properly-set-httponly-flag-for-tomcat.patch     2014-12-05 10:43:11.000000000 +0100
@@ -0,0 +1,109 @@
+Description: This patch fixes 2 issues. It set the HttpOnly flag
+ at an ealier stage so that the setting is properly taken into
+ account by Tomcat.
+ It suppress the warning about the secure flag that only happens
+ in Tomcat as it should be configured in Tomcat configuration and
+ not set by Jenkins in that case.
+Origin: backport,https://github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710
+From 582128b9ac179a788d43c1478be8a5224dc19710 Mon Sep 17 00:00:00 2001
+From: Kohsuke Kawaguchi <kk@kohsuke.org>
+Date: Thu, 16 Oct 2014 19:15:56 -0700
+Subject: [PATCH] [FIXED JENKINS-25019]
+
+A truly conforming servlet 3.0 container does not allow us to set "secure cookie" flag beyond ServletContextListener.onInitialized().
+If we see that, don't scare the users.
+---
+ core/src/main/java/hudson/WebAppMain.java          | 29 +++++++++++++++++++++++
+ .../model/JenkinsLocationConfiguration.java        | 16 ++++++++-----
+ 2 files changed, 39 insertions(+), 6 deletions(-)
+
+diff --git a/core/src/main/java/hudson/WebAppMain.java b/core/src/main/java/hudson/WebAppMain.java
+index 1f332e9..11d438d 100644
+--- a/core/src/main/java/hudson/WebAppMain.java
++++ b/core/src/main/java/hudson/WebAppMain.java
+@@ -56,6 +56,7 @@
+ import java.io.File;
+ import java.io.FileOutputStream;
+ import java.io.IOException;
++import java.lang.reflect.Method;
+ import java.net.URL;
+ import java.net.URLClassLoader;
+ import java.util.Date;
+@@ -116,6 +117,9 @@ public Locale get() {
+
+             installLogger();
+
++            System.out.println("I am here");
++            markCookieAsHttpOnly(context);
++
+             final FileAndDescription describedHomeDir = getHomeDir(event);
+             home = describedHomeDir.file.getAbsoluteFile();
+             home.mkdirs();
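Review bot: `System.out.println("I am here");` is a debugging leftover that writes to the container's stdout on every startup and has nothing to do with the fix described in the header; the call to `markCookieAsHttpOnly(context);` is the only line this hunk needs. Its presence also suggests the patch was taken from a working tree rather than from the commit named in `Origin:`; regenerating it from that commit would remove the stray line and make `Origin: backport` accurate.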
+@@ -251,6 +254,31 @@ public void run() {
+         }
+     }
+
++    /**
++     * Set the session cookie as HTTP only.
++     *
++     * @see <a href="https://www.owasp.org/index.php/HttpOnly";>discussion of this topic in OWASP</a>
++     */
++    private void markCookieAsHttpOnly(ServletContext context) {
++        try {
++            Method m;
++            try {
++                m = context.getClass().getMethod("getSessionCookieConfig");
++            } catch (NoSuchMethodException x) { // 3.0+
++                LOGGER.log(Level.FINE, "Failed to set secure cookie flag", x);
++                return;
++            }
++            Object sessionCookieConfig = m.invoke(context);
++
++            // not exposing session cookie to JavaScript to mitigate damage caused by XSS
++            Class scc = Class.forName("javax.servlet.SessionCookieConfig");
++            Method setHttpOnly = scc.getMethod("setHttpOnly",boolean.class);
++            setHttpOnly.invoke(sessionCookieConfig,true);
++        } catch (Exception e) {
++            LOGGER.log(Level.WARNING, "Failed to set HTTP-only cookie flag", e);
++        }
++    }
++
+     public void joinInit() throws InterruptedException {
+         initThread.join();
+     }
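Review bot: the NoSuchMethodException branch is mislabelled and mis-logged. The comment `// 3.0+` says the opposite of what the branch means (getSessionCookieConfig is missing precisely on pre-3.0 containers, where there is simply nothing to set), and the message `Failed to set secure cookie flag` is copied from updateSecureSessionFlag; this method sets HttpOnly, so it should read `Failed to set HTTP-only cookie flag` like the outer catch does. Calling this from the context listener is the right fix, since a servlet 3.0 SessionCookieConfig can only be changed before the context finishes initialising, which is why the earlier call from JenkinsLocationConfiguration was not honoured by Tomcat. Minor: the `";` after the OWASP URL in the Javadoc looks like a mail-archive artefact, but verify the patch file itself has a plain closing quote.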
+diff --git a/core/src/main/java/jenkins/model/JenkinsLocationConfiguration.java b/core/src/main/java/jenkins/model/JenkinsLocationConfiguration.java
+index 6836467..c10e51d 100644
+--- a/core/src/main/java/jenkins/model/JenkinsLocationConfiguration.java
++++ b/core/src/main/java/jenkins/model/JenkinsLocationConfiguration.java
+@@ -14,6 +14,7 @@
+ import javax.servlet.ServletContext;
+ import java.io.File;
+ import java.io.IOException;
++import java.lang.reflect.InvocationTargetException;
+ import java.lang.reflect.Method;
+ import java.util.logging.Level;
+ import java.util.logging.Logger;
+@@ -117,14 +118,17 @@ private void updateSecureSessionFlag() {
+             }
+             Object sessionCookieConfig = m.invoke(context);
+
+-            // not exposing session cookie to JavaScript to mitigate damage caused by XSS
+             Class scc = Class.forName("javax.servlet.SessionCookieConfig");
+-            Method setHttpOnly = scc.getMethod("setHttpOnly",boolean.class);
+-            setHttpOnly.invoke(sessionCookieConfig,true);
+-
+-            Method setSecure = scc.getMethod("setSecure",boolean.class);
++            Method setSecure = scc.getMethod("setSecure", boolean.class);
+             boolean v = fixNull(jenkinsUrl).startsWith("https");
+-            setSecure.invoke(sessionCookieConfig,v);
++            setSecure.invoke(sessionCookieConfig, v);
++        } catch (InvocationTargetException e) {
++            if (e.getTargetException() instanceof IllegalStateException) {
++                // servlet 3.0 spec seems to prohibit this from getting set at runtime,
++                // though Winstone is happy to accept i. see JENKINS-25019
++                return;
++            }
++            LOGGER.log(Level.WARNING, "Failed to set secure cookie flag ici", e);
+         } catch (Exception e) {
+             LOGGER.log(Level.WARNING, "Failed to set secure cookie flag", e);
+         }
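Review bot: `Failed to set secure cookie flag ici` still carries the French debugging word `ici` ("here") in the log message; drop it. More importantly, the bare `return` on IllegalStateException means that under Tomcat Jenkins now stays silent about not applying the Secure flag, while the patch header says the flag must then be set in the Tomcat configuration instead, and nothing in this upload documents that. An HTTPS deployment under Tomcat will therefore get a session cookie without Secure unless the admin knows to add
<session-config><cookie-config><secure>true</secure></cookie-config></session-config>
to the webapp's web.xml (or Tomcat's conf/web.xml). Suggest a sentence about this in jenkins.README.Debian, and a FINE-level log line in place of the bare return so the condition is still visible when debugging is enabled.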
diff -Nru jenkins-1.565.3/debian/patches/0029-master-slave-security-warning.patch jenkins-1.565.3/debian/patches/0029-master-slave-security-warning.patch
--- jenkins-1.565.3/debian/patches/0029-master-slave-security-warning.patch     1970-01-01 01:00:00.000000000 +0100
+++ jenkins-1.565.3/debian/patches/0029-master-slave-security-warning.patch     2014-12-05 11:33:41.000000000 +0100
@@ -0,0 +1,17 @@
+Description: Warn about the security issue with master/slave setups in the UI
+Author: Emmanuel Bourg <ebourg@apache.org>
+Forwarded: not-needed
+--- a/core/src/main/resources/hudson/model/ComputerSet/new.jelly
++++ b/core/src/main/resources/hudson/model/ComputerSet/new.jelly
+@@ -35,6 +35,11 @@
+   <l:layout norefresh="true" permission="${createPermission}">
+     <st:include page="sidepanel.jelly" />
+     <l:main-panel>
++
++      <p class="warning">WARNING: Do not add untrusted slaves to your configuration as they could run any command on the master node.<br/>
++      See the <a href="https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-30";>Jenkins Security Advisory 2014-10-30</a>
++      for more information.</p>
++
+       <j:invokeStatic var="slaves" className="hudson.slaves.NodeDescriptor" method="allInstantiable" />
+       <n:form nameTitle="${%Node name}" copyTitle="${%Copy Existing Node}" copyNames="${it._slaveNames}"
+               descriptors="${slaves}" checkUrl="checkName" xmlns:n="/lib/hudson/newFromList" />
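Review bot: the warning text is hard-coded English while the rest of this page uses `${%...}` message keys (`${%Node name}`, `${%Copy Existing Node}`), so it cannot be localised; use the same mechanism and put the string in the page's properties file. It would also be easier to cross-reference if it named CVE-2014-3665, which the changelog already cites for this change. Finally, the `";` after the advisory URL looks like a mail-archive artefact, but check the patch file itself has a plain closing quote; otherwise the `href` is broken and the generated HTML malformed.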
diff -Nru jenkins-1.565.3/debian/patches/series jenkins-1.565.3/debian/patches/series
--- jenkins-1.565.3/debian/patches/series       2014-10-16 16:51:16.000000000 +0200
+++ jenkins-1.565.3/debian/patches/series       2014-12-05 10:44:39.000000000 +0100
@@ -21,3 +21,6 @@
 0024-args4j-compatibility.patch
 0025-specify-plugins-versions.patch
 0026-add-jsr305-dependency.patch
+0027-add-cglib-dependency.patch
+0028-properly-set-httponly-flag-for-tomcat.patch
+0029-master-slave-security-warning.patch

--- End Message ---
--- Begin Message ---
Hi,

On Fri, Dec 05, 2014 at 12:53:09PM +0100, Emmanuel Bourg wrote:
> unblock jenkins/1.565.3-3

Unblocked.

Cheers,

Ivo

--- End Message ---
