
Winstone potentially vulnerable to POODLE (CVE-2014-3566)

      $ JENKINS_HOME=/tmp/POODLE java -jar .../war/target/jenkins.war --httpsPort=4430 &
      # wait until started...
      $ if echo Q | openssl s_client -connect localhost:4430 -ssl3 2>&1 | grep -q "Cipher.*0000"; then echo "SSLv3 disabled"; else echo "SSLv3 enabled"; fi
      SSLv3 enabled

      It ought to be blocked by default.
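A per-protocol sweep built on the same openssl s_client probe as the report above, added here as an example and not code from the issue, Jenkins or Winstone. It assumes, as the report does, that a failed handshake is recognised by the "Cipher : 0000" line in s_client's session summary; the sample outputs at the bottom are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example (not from the Jenkins issue): sweep the protocol versions one by one
# with the same openssl s_client probe the report uses.

# classify_s_client OUTPUT: prints disabled / enabled / unknown for one s_client run
classify_s_client() {
    if printf '%s\n' "$1" | grep -q 'Cipher.*0000'; then
        echo disabled          # handshake failed: the server refused this protocol
    elif printf '%s\n' "$1" | grep -q 'Cipher *:'; then
        echo enabled           # a real cipher was negotiated
    else
        echo unknown           # no session summary: port refused, or local openssl lacks this protocol
    fi
}

# probe_protocol HOST PORT FLAG: FLAG is an s_client version switch such as -ssl3 or -tls1_2
probe_protocol() {
    out=$(echo Q | openssl s_client -connect "$1:$2" "$3" 2>&1)
    classify_s_client "$out"
}

# sweep HOST PORT: after the fix, -ssl2 and -ssl3 should read disabled (or unknown when
# the local openssl no longer supports them) and at least one -tls1* line enabled.
# A listener that rejects -ssl3 but accepts -tls1 is the state an old wget pinned to
# --secure-protocol=TLSv1 needs.
sweep() {
    for flag in -ssl2 -ssl3 -tls1 -tls1_1 -tls1_2; do
        printf '%-8s %s\n' "$flag" "$(probe_protocol "$1" "$2" "$flag")"
    done
}

# Constructed s_client excerpts (not captured from a real Jenkins) for offline checks
SAMPLE_REFUSED='New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000'
SAMPLE_OK='New, TLSv1/SSLv3, Cipher is AES128-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA'
SAMPLE_NOCONN='connect: Connection refused
connect:errno=111'
```

Run `sweep localhost 4430` against the listener started as in the report to see one line per protocol.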


          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          war/pom.xml
          http://jenkins-ci.org/commit/jenkins/15fbd281b8df0a7894a0f4e6d2c65b0fbf0f8a87
          Log:
          [FIXED JENKINS-25169]

          Integrated the new winstone.jar for 1.580.1
          (cherry picked from commit 7c2254fbf8d643dc58673d01c97fd855f983d4bf)

          Conflicts:

          changelog.html
          war/pom.xml

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          war/pom.xml
          http://jenkins-ci.org/commit/jenkins/1351b18e42b1677ee9bb14255583f5b3624d530a
          Log:
          JENKINS-25169 integrated the fix for POODLE

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          war/pom.xml
          http://jenkins-ci.org/commit/jenkins/2820dc723cc4029e529487ec62a71ce17afe1488
          Log:
          JENKINS-25169

          Integrating 2.8 to really ensure SSLv2 is off (even when JDK supports
          that, and we haven't found any JDKs that do that)

          dogfood added a comment -

          Integrated in jenkins_main_trunk #3768
          [FIXED JENKINS-25169] (Revision 7c2254fbf8d643dc58673d01c97fd855f983d4bf)
          JENKINS-25169 (Revision 2820dc723cc4029e529487ec62a71ce17afe1488)

          Result = SUCCESS
          kohsuke : 7c2254fbf8d643dc58673d01c97fd855f983d4bf
          Files :

          • war/pom.xml
          • changelog.html

          kohsuke : 2820dc723cc4029e529487ec62a71ce17afe1488
          Files :

          • war/pom.xml

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          war/pom.xml
          http://jenkins-ci.org/commit/jenkins/94590fdd69debdfe8469a074b3358f08f6ff0779
          Log:
          JENKINS-25169 integrated the fix for POODLE

          (cherry picked from commit 1351b18e42b1677ee9bb14255583f5b3624d530a)

          Conflicts:
          war/pom.xml

          dogfood added a comment -

          Integrated in jenkins_main_trunk #3787
          JENKINS-25169 integrated the fix for POODLE (Revision 94590fdd69debdfe8469a074b3358f08f6ff0779)

          Result = SUCCESS
          jesse glick : 94590fdd69debdfe8469a074b3358f08f6ff0779
          Files :

          • war/pom.xml

Leo Leung added a comment - edited

Since Jenkins ver. 1.586, the method to trigger builds remotely using TOKEN authentication URLs with wget described in https://wiki.jenkins-ci.org/display/JENKINS/Authenticating+scripted+clients no longer works, because SSLv1 and SSLv2 are now disabled as part of the POODLE vulnerability fix.

          The following error will appear:

          Resolving jenkins... 10.0.0.1
          Connecting to jenkins|10.0.0.1|:443... connected.
          Unable to establish SSL connection.
          The command for wget 1.11.x needs to include the --secure-protocol=TLSv1 option.
          wget --auth-no-challenge --http-user=user --http-password=apiToken --secure-protocol=TLSv1 http://jenkins.yourcompany.com/job/your_job/build?token=TOKEN

          Jesse Glick added a comment -

          leo_ just add a note to the wiki.

          Leo Leung added a comment -

          I've also edited and updated that wiki page so others can find the information easier.
          https://wiki.jenkins-ci.org/display/JENKINS/Authenticating+scripted+clients

          dogfood added a comment -

          Integrated in jenkins_main_trunk #4292
          JENKINS-25169 integrated the fix for POODLE (Revision 1351b18e42b1677ee9bb14255583f5b3624d530a)

          Result = UNSTABLE
          kohsuke : 1351b18e42b1677ee9bb14255583f5b3624d530a
          Files :

          • war/pom.xml