JENKINS-25169

Winstone potentially vulnerable to POODLE (CVE-2014-3566)

      Description

      $ JENKINS_HOME=/tmp/POODLE java -jar .../war/target/jenkins.war --httpsPort=4430 &
      # wait until started...
      $ if echo Q | openssl s_client -connect localhost:4430 -ssl3 2>&1 | grep -q "Cipher.*0000"; then echo "SSLv3 disabled"; else echo "SSLv3 enabled"; fi
      SSLv3 enabled
      

      It ought to be blocked by default.
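
The check in the description prints "SSLv3 enabled" whenever the `Cipher ... 0000` marker is missing, which also happens when the connection is refused or the local openssl client was built without `-ssl3`. The following is an added example (not part of the original issue or of Jenkins) that separates those cases; the function names and the sample transcripts are constructed for illustration.

```shell
#!/bin/sh
# Added example. Classifies the text printed by
#   echo Q | openssl s_client -connect HOST:PORT -ssl3 2>&1
# Assumption: a completed handshake shows a real cipher name in the
# SSL-Session block, a rejected one shows "Cipher    : 0000" (the marker the
# original check greps for). Anything else is reported as inconclusive.

classify_sslv3_probe() {
    awk '
        /^[ \t]*Protocol[ \t]*:/ { proto  = $NF }
        /^[ \t]*Cipher[ \t]*:/   { cipher = $NF }
        END {
            if (cipher == "0000")                      print "disabled"
            else if (proto == "SSLv3" && cipher != "") print "enabled"
            else                                       print "inconclusive"
        }'
}

# The check from the issue description, reading the same text on stdin.
original_check() {
    if grep -q "Cipher.*0000"; then echo "SSLv3 disabled"; else echo "SSLv3 enabled"; fi
}

# Constructed sample transcripts (abbreviated, not captured from a real server).
sample_accepted() { printf '%s\n' 'CONNECTED(00000003)' 'SSL-Session:' \
    '    Protocol  : SSLv3' '    Cipher    : AES256-SHA'; }
sample_rejected() { printf '%s\n' 'CONNECTED(00000003)' \
    'New, (NONE), Cipher is (NONE)' 'SSL-Session:' \
    '    Protocol  : SSLv3' '    Cipher    : 0000'; }
sample_refused()  { printf '%s\n' 'connect: Connection refused'; }
sample_no_ssl3()  { printf '%s\n' 'unknown option -ssl3'; }

# Compare both checks on every sample.
for s in accepted rejected refused no_ssl3; do
    printf '%-9s new=%-12s original=%s\n' "$s" \
        "$(sample_$s | classify_sslv3_probe)" "$(sample_$s | original_check)"
done
```

Treat "inconclusive" as a failed probe rather than a result: confirm the server is listening and that the local openssl build still offers `-ssl3` before trusting either answer.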

            Activity

            dogfood dogfood added a comment -

            Integrated in jenkins_main_trunk #3787
            JENKINS-25169 integrated the fix for POODLE (Revision 94590fdd69debdfe8469a074b3358f08f6ff0779)

            Result = SUCCESS
            jesse glick : 94590fdd69debdfe8469a074b3358f08f6ff0779
            Files :

            • war/pom.xml
            leo_ Leo Leung added a comment - - edited

            Since Jenkins ver. 1.586, the method to trigger builds remotely using TOKEN authentication URLs with wget described in https://wiki.jenkins-ci.org/display/JENKINS/Authenticating+scripted+clients no longer works, since SSLv1 and SSLv2 are now disabled because of the POODLE vulnerability fix.

            The following error will appear:

            Resolving jenkins... 10.0.0.1
            Connecting to jenkins|10.0.0.1|:443... connected.
            Unable to establish SSL connection.

            The command for wget 1.11.x needs to include the --secure-protocol=TLSv1 option.

            wget --auth-no-challenge --http-user=user --http-password=apiToken --secure-protocol=TLSv1 http://jenkins.yourcompany.com/job/your_job/build?token=TOKEN
            
            jglick Jesse Glick added a comment -

            Leo Leung, just add a note to the wiki.

            leo_ Leo Leung added a comment -

            I've also edited and updated that wiki page so others can find the information more easily.
            https://wiki.jenkins-ci.org/display/JENKINS/Authenticating+scripted+clients

            dogfood dogfood added a comment -

            Integrated in jenkins_main_trunk #4292
            JENKINS-25169 integrated the fix for POODLE (Revision 1351b18e42b1677ee9bb14255583f5b3624d530a)

            Result = UNSTABLE
            kohsuke : 1351b18e42b1677ee9bb14255583f5b3624d530a
            Files :

            • war/pom.xml

              People

              • Assignee: Kohsuke Kawaguchi (kohsuke)
              • Reporter: Jesse Glick (jglick)