Vulnerability in Jenkins

[Daniel Beck <ml () beckweb net>]

Jenkins is an open source automation server which enables developers around
the world to reliably build, test, and deploy their software.

The following releases contain fixes for security vulnerabilities:

* Jenkins 2.334
* Jenkins LTS 2.319.3


Summaries of the vulnerabilities are below. More details, severity, and
attribution can be found here:
https://www.jenkins.io/security/advisory/2022-02-09/

We provide advance notification for security updates on this mailing list:
https://groups.google.com/d/forum/jenkinsci-advisories

If you discover security vulnerabilities in Jenkins, please report them as
described here:
https://www.jenkins.io/security/#reporting-vulnerabilities

---

SECURITY-2602 / CVE-2021-43859 (upstream) & CVE-2022-0538 (Jenkins)
Jenkins 2.333 and earlier, LTS 2.319.2 and earlier is affected by the
XStream library's vulnerability CVE-2021-43859. This library is used by
Jenkins to serialize and deserialize various XML files, like global and job
`config.xml`, `build.xml`, and numerous others.

This allows attackers able to submit crafted XML files to Jenkins to be
parsed as configuration, e.g. through the `POST config.xml` API, to cause a
denial of service (DoS).