Winstone potentially vulnerable to POODLE (CVE-2014-3566)

      $ JENKINS_HOME=/tmp/POODLE java -jar .../war/target/jenkins.war --httpsPort=4430 &
      # wait until started...
      $ if echo Q | openssl s_client -connect localhost:4430 -ssl3 2>&1 | grep -q "Cipher.*0000"; then echo "SSLv3 disabled"; else echo "SSLv3 enabled"; fi
      SSLv3 enabled
      

      It ought to be blocked by default.
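An added example, not part of the original issue or of Winstone: the one-liner above prints "SSLv3 enabled" whenever the `Cipher ... 0000` line is absent, which also happens when the port is not listening yet or the local `openssl` build does not accept `-ssl3`. The sketch below separates those cases into a third "inconclusive" verdict. The function names and the sample outputs are assumptions constructed for illustration.

```shell
# Added example. Sample outputs below are constructed, not captured from a server.
# Classify `openssl s_client ... -ssl3` output read from stdin.
# Prints: enabled | disabled | inconclusive
classify_sslv3_probe() {
    probe_out=$(cat)
    # No CONNECTED banner: TCP connect failed or this openssl lacks -ssl3,
    # so nothing was learned about the server.
    if ! printf '%s\n' "$probe_out" | grep -q '^CONNECTED('; then
        echo inconclusive
        return 0
    fi
    # Negotiated cipher from the SSL-Session block ("    Cipher    : NAME").
    probe_cipher=$(printf '%s\n' "$probe_out" |
        sed -n 's/^[[:space:]]*Cipher[[:space:]]*:[[:space:]]*\([^[:space:]]*\).*/\1/p' |
        head -n 1)
    case "$probe_cipher" in
        "")            echo inconclusive ;;
        0000|"(NONE)") echo disabled ;;
        *)             echo enabled ;;
    esac
}

# Live probe with the same s_client flags as the issue (needs an openssl with -ssl3).
probe_sslv3() {
    echo Q | openssl s_client -connect "$1:$2" -ssl3 2>&1 | classify_sslv3_probe
}

# The issue's grep logic, kept for comparison.
page_check() {
    if grep -q "Cipher.*0000"; then echo "SSLv3 disabled"; else echo "SSLv3 enabled"; fi
}

SAMPLE_ACCEPTED='CONNECTED(00000003)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES128-SHA'
SAMPLE_REJECTED='CONNECTED(00000003)
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000'
SAMPLE_REFUSED='connect: Connection refused'
SAMPLE_NO_SSL3='s_client: Unknown option: -ssl3'

for s in "$SAMPLE_ACCEPTED" "$SAMPLE_REJECTED" "$SAMPLE_REFUSED" "$SAMPLE_NO_SSL3"; do
    printf '%s\n' "$s" | classify_sslv3_probe
done
```

Against a running instance, `probe_sslv3 localhost 4430` applies the same classification to the port used in the issue.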

          [JENKINS-25169] Winstone potentially vulnerable to POODLE (CVE-2014-3566)

          Jesse Glick created issue -
          Daniel Beck made changes -
          Link New: This issue is related to JENKINS-23925 [ JENKINS-23925 ]

          Code changed in jenkins
          User: christ66
          Path:
          src/java/winstone/HttpsConnectorFactory.java
          http://jenkins-ci.org/commit/winstone/503ef47e817eda69fadf3e7e82aeded43409bb7f
          Log:
          [FIXED JENKINS-25169] Because of the POODLE vulnerability, we disabled SSLv3 by default.

          SCM/JIRA link daemon made changes -
          Resolution New: Fixed [ 1 ]
          Status Original: Open [ 1 ] New: Resolved [ 5 ]
          Kohsuke Kawaguchi made changes -
          Resolution Original: Fixed [ 1 ]
          Status Original: Resolved [ 5 ] New: Reopened [ 4 ]

          Code changed in jenkins
          User: christ66
          Path:
          src/java/winstone/HttpsConnectorFactory.java
          http://jenkins-ci.org/commit/winstone/b73a8cdc4b351bf764982f1909fcf3c360925053
          Log:
          JENKINS-25169 Move exclude protocol to a better location.


          Kohsuke Kawaguchi added a comment - Released as Winstone 2.7
          Kohsuke Kawaguchi made changes -
          Assignee New: Kohsuke Kawaguchi [ kohsuke ]
          Kohsuke Kawaguchi made changes -
          Summary Original: Winstone potentially vulnerable to POODLE New: Winstone potentially vulnerable to POODLE (CVE-2014-3566)

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          changelog.html
          war/pom.xml
          http://jenkins-ci.org/commit/jenkins/7c2254fbf8d643dc58673d01c97fd855f983d4bf
          Log:
          [FIXED JENKINS-25169]

          Integrated the new winstone.jar for 1.585

