[OpenStack-Infra] Mitigating unauthenticated remote code execution 0-day in Jenkins CLI
Antoine Musso
hashar at free.fr
Mon Nov 9 15:07:03 UTC 2015
Le 09/11/2015 15:34, Jeremy Stanley a écrit :
> On 2015-11-09 16:30:52 +1000 (+1000), Craige McWhirter wrote:
>> Not sure whether we're on this or not but I've not seen any chatter or
>> changes to address it, so I'm dropping it here first:
> [...]
>
> Thanks for double-checking! We worked through mitigation in IRC over
> the weekend (well, my Friday night).
>
> http://eavesdrop.openstack.org/irclogs/%23openstack-infra/%23openstack-infra.2015-11-07.log.html#t2015-11-07T01:46:53
>
> Far enough back it's probably easy to miss in scrollback.
Hello,
There is a Jenkins security release on Wednesday Nov 11th during PST
day. Maybe it will include a fix for it.
You are still running the Jenkins 1.565.3. Maybe it is worth considering
an upgrade? The Gearman plugin would need to be upgraded though.
Wikimedia runs 1.625.1 as of this morning after months with 1.609.x.
--
Antoine "hashar" Musso
More information about the OpenStack-Infra
mailing list