JENKINS-31598: Bump commons-collections lib from 3.2.1 to 3.2.2


    Details

    • Type: Improvement
    • Status: Resolved (View Workflow)
    • Priority: Minor
    • Resolution: Fixed
    • Component/s: core
    • Labels:
      None

      Description

      JENKINS-31496 mentioned a security issue related to the library commons-collections:

      Security problem
      http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/

      Fixed
      http://svn.apache.org/viewvc/commons/proper/collections/branches/COLLECTIONS_3_2_X/src/java/org/apache/commons/collections/functors/InvokerTransformer.java?view=log

      Which has led to [SECURITY-218], and Jenkins is no longer vulnerable since 1.638 and 1.625.2.

      It would be nice to bump the embedded library nonetheless, as the 3.2.1 version is reported as facing security risks by audit tools.
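The kind of check the audit tools mentioned above perform, as an added example that is not part of this issue or of Jenkins' own code: walk the jars bundled inside a war (Jenkins ships its libraries under WEB-INF/lib) and flag any commons-collections 3.x build older than 3.2.2, using the version Maven records in the jar's pom.properties. The war and the jars it scans are constructed in memory for the example; against a real deployment the bytes would be read from the war on disk.

```python
import io
import re
import zipfile
FIXED_VERSION = (3, 2, 2)  # first 3.x release carrying the InvokerTransformer fix named in the issue
POM_PROPS = "META-INF/maven/commons-collections/commons-collections/pom.properties"

def parse_version(text):
    """'3.2.1' -> (3, 2, 1); anything after the leading dotted digits ('-SNAPSHOT') is ignored."""
    match = re.match(r"\d+(?:\.\d+)*", text)
    return tuple(int(p) for p in match.group().split(".")) if match else ()

def jar_version(jar_bytes):
    """Version Maven records in the jar's pom.properties, or None if the file is absent."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        if POM_PROPS not in jar.namelist():
            return None
        for line in jar.read(POM_PROPS).decode().splitlines():
            if line.startswith("version="):
                return line.split("=", 1)[1].strip()
    return None

def find_vulnerable_collections(war_bytes):
    """(path, version) of every commons-collections 3.x jar older than 3.2.2 inside a war."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        for name in war.namelist():
            base = name.rsplit("/", 1)[-1]
            # commons-collections4-*.jar is a separate artifact with its own fix line; not covered here.
            if not (base.startswith("commons-collections-") and base.endswith(".jar")):
                continue
            version = jar_version(war.read(name))
            if version and (3,) <= parse_version(version) < FIXED_VERSION:
                findings.append((name, version))
    return findings

def make_jar(version):
    """Constructed stand-in jar carrying only Maven version metadata, no classes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPS, f"version={version}\n")
    return buf.getvalue()

def build_sample_war():
    """Constructed war: one vulnerable 3.2.1 jar, one fixed 3.2.2 jar, one unrelated jar."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as war:
        for name, version in [("commons-collections-3.2.1", "3.2.1"),
                              ("commons-collections-3.2.2", "3.2.2"), ("commons-io-1.0", "1.0")]:
            war.writestr(f"WEB-INF/lib/{name}.jar", make_jar(version))
    return buf.getvalue()
```

Jars that carry no pom.properties (hand-built or relocated ones) return None and are skipped, so a clean report from this check alone is not proof that no vulnerable copy is present.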

          Activity

          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: PJ Fanning
          Path:
          core/pom.xml
          test/src/test/java/jenkins/security/Security218CliTest.java
          http://jenkins-ci.org/commit/jenkins/46d3f2e1d0bee7098e630d9c6913fe25bb2b3753
          Log:
          JENKINS-31598 upgrade commons-collections due to CVE against v3.2.1 (#2761)

          • JENKINS-31598 upgrade commons-collections due to CVE against v3.2.1
          • Fix broken tests
          oleg_nenashev Oleg Nenashev added a comment - Fixed in 2.48: https://github.com/jenkinsci/jenkins/commit/46d3f2e1d0bee7098e630d9c6913fe25bb2b3753
          scm_issue_link SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Jesse Glick
          Path:
          test/src/test/java/jenkins/security/Security218CliTest.java
          http://jenkins-ci.org/commit/jenkins/0c3d2ac5bc0c934468cbe264601b6c2f2ae479ca
          Log:
          Seems that #2761 (JENKINS-31598) blocks the attack with or without SignedObject.


            People

            • Assignee: Unassigned
            • Reporter: hashar Antoine Musso
            • Votes: 0
            • Watchers: 4
