Multiple vulnerabilities in Jenkins plugins

[Daniel Beck <ml () beckweb net>]

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software. The following
releases contain fixes for security vulnerabilities:

* Credentials 2.1.19
* PAM Authentication 1.5.1

Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://jenkins.io/security/advisory/2019-05-21/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-1316 / CVE-2019-10319
A missing permission check in PAM Authentication Plugin allowed users with 
Overall/Read permission to invoke a form validation method to obtain 
limited information about the file /etc/shadow on systems with that file 
present, as well as the system user the Jenkins process is running as.


SECURITY-1322 / CVE-2019-10320
Credentials Plugin allowed the creation of Certificate credentials from a 
PKCS#12 file on the Jenkins master. Users with permission to create or 
update credentials could use the associated form validation to confirm the 
existence of files with an attacker-specified path.

Additionally, they could create credentials from any valid PKCS#12 file on 
the Jenkins master. With the ability to configure jobs to access these 
credentials, they could obtain the certificate content.