oss-sec mailing list archives

Re: Security advisory in Jenkins

From: Kohsuke Kawaguchi <kk () kohsuke org>
Date: Tue, 07 Oct 2014 18:01:25 -0700

On 10/07/2014 11:45 AM, Bryan Drewery wrote:

On 10/3/2014 4:44 PM, Kohsuke Kawaguchi wrote:

We are still learning how we should handle vulnerabilities, so I'm sure
there's room for improvements.

We have multiple release lines to which the fixes have to be released
simultaneously, and overall this overhead is significant. That's why we did
one massive release that contains all the fixes.

Wrt CVE-2013-2186, a week ago we got a report from somebody that he did a
security scan and found that we are still using a vulnerable version of the
library to which CVE-2013-2186 is assigned. In this release we use a newer
version of the library that addresses the problem, and I thought it'd be
appropriate to raise a flag to the users that if they continue to use older
versions, they'd remain vulnerable to CVE-2013-2186. That's why it's in the
advisory. It is not because we sat on a report for more than a year.

When you say the timeframe is especially concerning, perhaps you mean you
are concerned that we fail to notice this vulnerability in our library for
more than a year, and if so, you are of course right. Jenkins project has
gotten a long list of library dependencies, and I haven't found any
practical means to get notified when vulnerabilities are found in any one
of them.


I understand. Is there any practical way you could not bundle
dependencies? Then it would not be a problem. I don't know enough about
Java's build system to know if this is possible.

A part of the problem is that Jenkins core is too big a piece that canbe decomposed further down into smaller plugins. We've been doing thatto chip away some of the dependencies, and plugins are somewhat easierto update than the core. So that's a progress.

But beyond that, the packaging and distribution model in Java is thateach application brings the complete dependencies with it. Some otherplatforms do not do that (say Linux C ecosystem), but many others do(.NET, Ruby, Node.js, ...) This is not so much a problem of a build toolbut more due to the user expectation (and perhaps lack of runtimepackage managers and stronger coupling between libraries?).


As such, I don't think this is changing any time soon, for better or worse.



--
Kohsuke Kawaguchi                          http://kohsuke.org/

Current thread:

Security advisory in Jenkins Kohsuke Kawaguchi (Oct 01)
- Re: Security advisory in Jenkins Solar Designer (Oct 01)
- Re: Security advisory in Jenkins Bryan Drewery (Oct 01)
  - Re: Security advisory in Jenkins Solar Designer (Oct 01)
    - Re: Security advisory in Jenkins Solar Designer (Oct 01)
    - Re: Security advisory in Jenkins Kohsuke Kawaguchi (Oct 03)
    - Re: Security advisory in Jenkins Luca Carettoni (Oct 03)
    - Re: Security advisory in Jenkins Bryan Drewery (Oct 07)
    - Re: Security advisory in Jenkins Kohsuke Kawaguchi (Oct 07)
- Re: Security advisory in Jenkins Kohsuke Kawaguchi (Oct 06)
  - Re: Re: Security advisory in Jenkins Reed Loden (Oct 06)
    - Re: Re: Security advisory in Jenkins Kurt Seifried (Oct 06)