Discussion:
Jenkins Dependencies
Eric Fetzer
2018-11-26 14:43:15 UTC
Our systems group removed some packages from our RHEL 6.10 server in order
to remove the TSM Client. It has caused our AD integration to quit
working. Which of the following dependencies are required for Jenkins
version 2.138.2:

TIVsm-BA-6.4.2-3
TIVsm-filepath-6.4.2-0
TIVsm-API64-6.4.2-3
gskssl64-8.0-14.43
gskcrypt64-8.0-14.43

We're also getting all kinds of warnings in "Manage Jenkins" which I don't
recall before the removal of these packages. Could this be related?

You have data stored in an older format and/or unreadable data.

It appears that your reverse proxy set up is broken.

New version of Jenkins (2.138.3) is available for download
<http://updates.jenkins-ci.org/download/war/2.138.3/jenkins.war> (changelog
<https://jenkins.io/changelog-stable>).

Disable CLI over Remoting
Allowing Jenkins CLI to work in -remoting mode is considered dangerous and
usually unnecessary. You are advised to disable this mode. Please refer to
the CLI documentation <https://jenkins.io/doc/book/managing/cli/> for
details.

Warnings have been published for the following currently installed
components.

Pipeline: Groovy 2.11
<https://wiki.jenkins-ci.org/display/JENKINS/Pipeline+Groovy+Plugin>
  - Arbitrary code execution due to incomplete sandbox protection
    <https://jenkins.io/security/advisory/2017-07-10/>
  - Script Security sandbox bypass
    <https://jenkins.io/security/advisory/2018-10-29/#SECURITY-1186>

JUnit Plugin 1.18
<http://wiki.jenkins-ci.org/display/JENKINS/JUnit+Plugin>
  - XML External Entity (XXE) processing vulnerability
    <https://jenkins.io/security/advisory/2018-02-05/>
  - CSRF vulnerability
    <https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1101>

GitHub Branch Source Plugin 1.8.1
<https://wiki.jenkins-ci.org/display/JENKINS/GitHub+Branch+Source+Plugin>
  - CSRF vulnerability and insufficient permission checks allow capturing
    credentials <https://jenkins.io/security/advisory/2017-07-10/>
  - Users with Overall/Read access can enumerate credential IDs
    <https://jenkins.io/security/advisory/2017-07-10/>
  - Server-side request forgery
    <https://jenkins.io/security/advisory/2018-06-04/#SECURITY-806>

Rebuilder 1.25
<http://wiki.jenkins-ci.org/display/JENKINS/Rebuild+Plugin>
  - Cross Site Scripting vulnerability
    <https://jenkins.io/security/advisory/2018-09-25/#SECURITY-130>

Pipeline: Input Step 2.1
<https://wiki.jenkins-ci.org/display/JENKINS/Pipeline+Input+Step+Plugin>
  - Users with read access could interact with input step by default
    <https://jenkins.io/security/advisory/2017-08-07/>

Pipeline: Nodes and Processes 2.4
<https://wiki.jenkins-ci.org/display/JENKINS/Pipeline+Nodes+and+Processes+Plugin>
  - Incorrect permission checks allow executing builds on agents without
    Computer/Build permission
    <https://jenkins.io/security/advisory/2018-01-22/>

Groovy 1.29
<http://wiki.jenkins-ci.org/display/JENKINS/Groovy+plugin>
  - Arbitrary code execution vulnerability
    <https://jenkins.io/security/advisory/2017-04-10/>

Pipeline: Build Step 2.2
<https://wiki.jenkins-ci.org/display/JENKINS/Pipeline+Build+Step+Plugin>
  - Missing permission check allows building all jobs
    <https://jenkins.io/security/advisory/2017-07-10/>

Pipeline: Supporting APIs 2.2
<https://wiki.jenkins-ci.org/display/JENKINS/Pipeline+Supporting+APIs+Plugin>
  - Arbitrary code execution due to incomplete sandbox protection
    <https://jenkins.io/security/advisory/2018-02-05/>

Git client plugin 1.19.7
<http://wiki.jenkins-ci.org/display/JENKINS/Git+Client+Plugin>
  - Creation of temporary file with insecure permissions
    <https://jenkins.io/security/advisory/2017-04-27/>

Git plugin 2.5.3
<http://wiki.jenkins-ci.org/display/JENKINS/Git+Plugin>
  - Server-side request forgery
    <https://jenkins.io/security/advisory/2018-06-04/#SECURITY-810>
  - Users without Overall/Read are able to access lists of user names and
    node names <https://jenkins.io/security/advisory/2018-02-26/#SECURITY-723>
  - CSRF vulnerability in Git plugin allows capturing credentials
    <https://jenkins.io/security/advisory/2017-07-10/>

SSH Credentials Plugin 1.12
<http://wiki.jenkins-ci.org/display/JENKINS/SSH+Credentials+Plugin>
  - Arbitrary file read vulnerability with Credentials Binding Plugin 1.13
    or newer <https://jenkins.io/security/advisory/2018-06-25/#SECURITY-440>

Script Security Plugin 1.21
<https://wiki.jenkins-ci.org/display/JENKINS/Script+Security+Plugin>
  - Unsafe entries in default whitelist
    <https://jenkins.io/security/advisory/2017-07-10/>
  - Multiple sandbox bypasses
    <https://jenkins.io/security/advisory/2017-08-07/>
  - Script Security sandbox bypass
    <https://jenkins.io/security/advisory/2018-10-29/#SECURITY-1186>
  - Arbitrary file read vulnerability
    <https://jenkins.io/security/advisory/2017-12-11/>

Matrix Authorization Strategy Plugin 1.4
<http://wiki.jenkins-ci.org/display/JENKINS/Matrix+Authorization+Strategy+Plugin>
  - Dangerous permissions can be configured independently of Administer
    permission <https://jenkins.io/security/advisory/2017-04-10/>

GitHub plugin 1.20.0
<http://wiki.jenkins-ci.org/display/JENKINS/Github+Plugin>
  - Server-side request forgery
    <https://jenkins.io/security/advisory/2018-06-04/#SECURITY-799>
  - CSRF vulnerability and insufficient permission checks allow capturing
    credentials <https://jenkins.io/security/advisory/2018-06-25/#SECURITY-915>
  - CSRF vulnerability and lack of permission checks allows capturing
    credentials <https://jenkins.io/security/advisory/2018-06-04/#SECURITY-804>

Mailer Plugin 1.20
<https://wiki.jenkins-ci.org/display/JENKINS/Mailer>
  - Unauthorized users able to send test emails
    <https://jenkins.io/security/advisory/2018-03-26/#SECURITY-774>

SSH Slaves plugin 1.11
<http://wiki.jenkins-ci.org/display/JENKINS/SSH+Slaves+plugin>
  - Man-in-the-middle vulnerability due to missing host key verification
    <https://jenkins.io/security/advisory/2017-03-20/>

Subversion Plug-in 2.6
<http://wiki.jenkins-ci.org/display/JENKINS/Subversion+Plugin>
  - CSRF vulnerability and insufficient permission checks allow capturing
    credentials <https://jenkins.io/security/advisory/2017-07-10/>
  - Users without Overall/Read are able to access lists of user names and
    node names <https://jenkins.io/security/advisory/2018-02-26/#SECURITY-724>

Parameterized Trigger plugin 2.32
<http://wiki.jenkins-ci.org/display/JENKINS/Parameterized+Trigger+Plugin>
  - Missing permission check allows building all jobs
    <https://jenkins.io/security/advisory/2017-07-10/>

Translation Assistance plugin 1.15
<https://wiki.jenkins-ci.org/display/JENKINS/Translation+Assistance+Plugin>
  - Cross-site request forgery (CSRF) vulnerability
    <https://jenkins.io/security/advisory/2018-01-22/>

Groovy Postbuild 2.3.1
<http://wiki.jenkins-ci.org/display/JENKINS/Groovy+Postbuild+Plugin>
  - Persisted cross-site scripting vulnerability in build badges
    <https://jenkins.io/security/advisory/2018-05-09/#SECURITY-821>

Credentials Binding Plugin 1.8
<http://wiki.jenkins-ci.org/display/JENKINS/Credentials+Binding+Plugin>
  - Improper masking of secrets in rare circumstances
    <https://jenkins.io/security/advisory/2018-02-05/>

Environment Injector Plugin 1.92.1
<https://wiki.jenkins-ci.org/display/JENKINS/EnvInject+Plugin>
  - Arbitrary code execution vulnerability
    <https://jenkins.io/security/advisory/2017-04-10/>
  - Low privilege users are able to read parts of some files on master
    <https://jenkins.io/security/advisory/2017-04-10/>
  - Exposure of sensitive build variables stored by EnvInject 1.90 and
    earlier <https://jenkins.io/security/advisory/2018-02-26/#SECURITY-248>

PAM Authentication plugin 1.3
<http://wiki.jenkins-ci.org/display/JENKINS/PAM+Authentication+Plugin>
  - Improper user account validation
    <https://jenkins.io/security/advisory/2018-09-25/#SECURITY-813>

Email Extension Plugin 2.47
<http://wiki.jenkins-ci.org/display/JENKINS/Email-ext+plugin>
  - Arbitrary code execution vulnerability
    <https://jenkins.io/security/advisory/2017-04-10/>
  - Email notifications could be sent to people who are not users of
    Jenkins <https://jenkins.io/security/advisory/2017-03-20/>
  - SMTP password gets transmitted in unencrypted form
    <https://jenkins.io/security/advisory/2018-04-16/#SECURITY-729>

Active Directory plugin 1.47
<http://wiki.jenkins-ci.org/display/JENKINS/Active+Directory+Plugin>
  - Man-in-the-middle vulnerability due to missing certificate check
    <https://jenkins.io/security/advisory/2017-03-20/>

There are users who are still using a legacy API token. That system is not
as secure as the new one because it stores the token in a recoverable
manner on the disk. See list of impacted users
<http://nd201bd001.fireness.gov:8080/administrativeMonitor/legacyApiToken/manage>.

Agent to master security subsystem is currently off. Please read the
documentation <https://jenkins.io/redirect/security-144> and consider
turning it on.

Thanks,
Eric
--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/434e8af1-aec6-4026-880a-39dbd13b54b2%40googlegroups.com.
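The long warning list in the post is what the "Manage Jenkins" page produces when it matches installed plugin versions against the security warnings published by the update center. The script below is an added example (not code from the post or from the Jenkins project) that does the same cross-check offline, so an administrator can build a triage list from a plugin inventory dump instead of reading the monitor by hand. Assumptions, all labelled in the code: the layout of the update-center `warnings` array (fields `id`, `type`, `name`, `message`, `url`, `versions[].pattern`, with each pattern matched as a full regular expression against the installed version, and an empty `versions` list meaning "all versions") is reproduced from memory of `update-center.actual.json`; the plugin short names `workflow-cps`, `junit`, `script-security`, `mailer`, `pam-auth` and `credentials` are the IDs I believe correspond to the plugins named in the post; both JSON documents are constructed samples, and every version pattern is invented to exercise the matching logic rather than copied from a real advisory.

```python
"""Cross-check installed Jenkins plugins against update-center security warnings.

Added example; not from the original post or the Jenkins project. The warning
layout (id/type/name/message/url/versions[].pattern, full-regex match on the
installed version, empty versions == every version) is ASSUMED from memory of
update-center.actual.json. Both JSON documents are CONSTRUCTED samples.
"""
import json
import re

# Constructed: subset of what /pluginManager/api/json?depth=1 returns, using the
# plugin versions quoted in the post.
INSTALLED_PLUGINS_JSON = json.dumps({
    "plugins": [
        {"shortName": "workflow-cps", "version": "2.11"},
        {"shortName": "junit", "version": "1.18"},
        {"shortName": "script-security", "version": "1.21"},
        {"shortName": "mailer", "version": "1.20"},
        {"shortName": "credentials", "version": "2.1.18"},
    ]
})

# Constructed: warnings in the assumed update-center layout. Advisory IDs and
# URLs are those quoted in the post; SECURITY-PLACEHOLDER-* entries and every
# version pattern are invented here to exercise the matching logic.
UPDATE_CENTER_WARNINGS_JSON = json.dumps({
    "warnings": [
        {"type": "plugin", "id": "SECURITY-1186", "name": "script-security",
         "message": "Script Security sandbox bypass",
         "url": "https://jenkins.io/security/advisory/2018-10-29/#SECURITY-1186",
         "versions": [{"pattern": "1[.]([0-9]|[1-3][0-9]|4[0-7])"}]},
        {"type": "plugin", "id": "SECURITY-1186", "name": "workflow-cps",
         "message": "Script Security sandbox bypass",
         "url": "https://jenkins.io/security/advisory/2018-10-29/#SECURITY-1186",
         "versions": [{"pattern": "2[.]([0-9]|[1-5][0-9])"}]},
        {"type": "plugin", "id": "SECURITY-1101", "name": "junit",
         "message": "CSRF vulnerability",
         "url": "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-1101",
         "versions": [{"pattern": "1[.]([0-9]|1[0-9]|2[0-5])"}]},
        {"type": "plugin", "id": "SECURITY-774", "name": "mailer",
         "message": "Unauthorized users able to send test emails",
         "url": "https://jenkins.io/security/advisory/2018-03-26/#SECURITY-774",
         "versions": [{"pattern": "1[.]([0-9]|1[0-9]|20)"}]},
        # Installed 2.1.18 is outside this (constructed) range: must NOT be reported.
        {"type": "plugin", "id": "SECURITY-PLACEHOLDER-1", "name": "credentials",
         "message": "constructed warning for an already-fixed version",
         "url": "https://example.invalid/advisory",
         "versions": [{"pattern": "2[.]0[.].*"}]},
        # Plugin that is not installed at all: must be skipped.
        {"type": "plugin", "id": "SECURITY-813", "name": "pam-auth",
         "message": "Improper user account validation",
         "url": "https://jenkins.io/security/advisory/2018-09-25/#SECURITY-813",
         "versions": [{"pattern": "1[.][0-3]"}]},
        # Core warnings concern the Jenkins version, not a plugin: skipped here.
        {"type": "core", "id": "SECURITY-PLACEHOLDER-2", "name": "core",
         "message": "constructed core warning",
         "url": "https://example.invalid/core", "versions": []},
    ]
})


def load_inventory(plugin_api_json):
    """Map plugin shortName -> installed version from the plugin manager API dump."""
    data = json.loads(plugin_api_json)
    return {p["shortName"]: p["version"] for p in data["plugins"]}


def version_is_affected(version, version_ranges):
    """Assumed convention: no version ranges means the warning covers every
    version; otherwise the installed version must fully match some pattern."""
    if not version_ranges:
        return True
    return any(re.fullmatch(r["pattern"], version) for r in version_ranges)


def find_affected(plugin_api_json, update_center_json):
    """Return one record per (installed plugin, warning) pair that applies."""
    inventory = load_inventory(plugin_api_json)
    hits = []
    for w in json.loads(update_center_json)["warnings"]:
        if w.get("type") != "plugin":
            continue
        installed = inventory.get(w["name"])
        if installed is None:
            continue
        if version_is_affected(installed, w.get("versions", [])):
            hits.append({"plugin": w["name"], "installed": installed,
                         "id": w["id"], "message": w["message"], "url": w["url"]})
    return sorted(hits, key=lambda h: (h["plugin"], h["id"]))


if __name__ == "__main__":
    for h in find_affected(INSTALLED_PLUGINS_JSON, UPDATE_CENTER_WARNINGS_JSON):
        print(f'{h["plugin"]} {h["installed"]}: {h["id"]} {h["message"]} <{h["url"]}>')
```

Against live data you would replace the two constants with the output of `GET /pluginManager/api/json?depth=1` on your own controller and a fresh download of the update-center JSON; the matching code does not change. Dismissing a warning in the UI, as the fused "Dismiss" buttons in the post invite, only hides the monitor, so a scripted check like this is also a cheap way to keep the real exposure visible after someone has clicked it away.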