Jenkins Dependencies
22 views
Skip to first unread message
Eric Fetzer
Nov 26, 2018, 9:43:15 AM11/26/18
to Jenkins Users
Our systems group removed some packages from our RHEL 6.10 server in order to remove the TSM Client. It has caused our AD integration to quit working. Which of the following dependencies are required for Jenkins version 2.138.2:
TIVsm-BA-6.4.2-3
TIVsm-filepath-6.4.2-0
TIVsm-API64-6.4.2-3
gskssl64-8.0-14.43
gskcrypt64-8.0-14.43
We're also getting all kinds of warnings in "Manage Jenkins" which I don't recall before the removal of these packages. Could this be related?
You have data stored in an older format and/or unreadable data.
It appears that your reverse proxy set up is broken.
Allowing Jenkins CLI to work in
-remoting mode is considered dangerous and usually unnecessary. You are advised to disable this mode. Please refer to the CLI documentation for details.Warnings have been published for the following currently installed components.
- Pipeline: Groovy 2.11
- Arbitrary code execution due to incomplete sandbox protection
- Script Security sandbox bypass
- JUnit Plugin 1.18
- XML External Entity (XXE) processing vulnerability
- CSRF vulnerability
- GitHub Branch Source Plugin 1.8.1
- CSRF vulnerability and insufficient permission checks allow capturing credentials
- Users with Overall/Read access can enumerate credential IDs
- Server-side request forgery
- Rebuilder 1.25
- Cross Site Scripting vulnerability
- Pipeline: Input Step 2.1
- Users with read access could interact with input step by default
- Pipeline: Nodes and Processes 2.4
- Incorrect permission checks allow executing builds on agents without Computer/Build permission
- Groovy 1.29
- Arbitrary code execution vulnerability
- Pipeline: Build Step 2.2
- Missing permission check allows building all jobs
- Pipeline: Supporting APIs 2.2
- Arbitrary code execution due to incomplete sandbox protection
- Git client plugin 1.19.7
- Creation of temporary file with insecure permissions
- Git plugin 2.5.3
- Server-side request forgery
- Users without Overall/Read are able to access lists of user names and node names
- CSRF vulnerability in Git plugin allows capturing credentials
- SSH Credentials Plugin 1.12
- Arbitrary file read vulnerability with Credentials Binding Plugin 1.13 or newer
- Script Security Plugin 1.21
- Unsafe entries in default whitelist
- Multiple sandbox bypasses
- Script Security sandbox bypass
- Arbitrary file read vulnerability
- Matrix Authorization Strategy Plugin 1.4
- Dangerous permissions can be configured independently of Administer permission
- GitHub plugin 1.20.0
- Server-side request forgery
- CSRF vulnerability and insufficient permission checks allow capturing credentials
- CSRF vulnerability and lack of permission checks allows capturing credentials
- Mailer Plugin 1.20
- Unauthorized users able to send test emails
- SSH Slaves plugin 1.11
- Man-in-the-middle vulnerability due to missing host key verification
- Subversion Plug-in 2.6
- CSRF vulnerability and insufficient permission checks allow capturing credentials
- Users without Overall/Read are able to access lists of user names and node names
- Parameterized Trigger plugin 2.32
- Missing permission check allows building all jobs
- Translation Assistance plugin 1.15
- Cross-site request forgery (CSRF) vulnerability
- Groovy Postbuild 2.3.1
- Persisted cross-site scripting vulnerability in build badges
- Credentials Binding Plugin 1.8
- Improper masking of secrets in rare circumstances
- Environment Injector Plugin 1.92.1
- Arbitrary code execution vulnerability
- Low privilege users are able to read parts of some files on master
- Exposure of sensitive build variables stored by EnvInject 1.90 and earlier
- PAM Authentication plugin 1.3
- Improper user account validation
- Email Extension Plugin 2.47
- Arbitrary code execution vulnerability
- Email notifications could be sent to people who are not users of Jenkins
- SMTP password gets transmitted in unencrypted form
- Active Directory plugin 1.47
- Man-in-the-middle vulnerability due to missing certificate check
There are users who are still using a legacy API token. That system is not as secure as the new one because it stores the token in a recoverable manner on the disk.
See list of impacted users.
See list of impacted users.
Agent to master security subsystem is currently off. Please read the documentation and consider turning it on.
Thanks,
Eric
Reply all
Reply to author
Forward
0 new messages