JENKINS-65281: Update to xstream 1.4.16 to avoid security scanner complaints

    • Type: Bug
    • Resolution: Fixed
    • Priority: Minor
    • Component: core
    • Released As: 2.285

      The xstream 1.4.16 release resolves security vulnerabilities when unmarshalling with an XStream instance using an uninitialized security framework. As far as I can tell, Jenkins is not susceptible to the vulnerabilities being fixed in xstream 1.4.16. It would be good to include xstream 1.4.16 in the Jenkins 2.277.x line (like 2.277.3, being released in May) so that security scanners do not need to be taught that Jenkins is not susceptible to the issue in xstream 1.4.15 and earlier.

      See https://github.com/jenkinsci/jenkins/pull/5360 for the delivery of that change into Jenkins 2.285
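The phrase "uninitialized security framework" in the description is the crux of why scanners flag a dependency rather than an application: XStream resolves element names in the incoming XML to Java classes, and unless the application has configured permissions, an XStream instance on 1.4.15 and earlier will instantiate whatever class the document names. The following added example (written for this page, not code from Jenkins core or its XStream2 wrapper) shows an instance left in that state beside one locked to an explicit allow-list. The Report class and both XML documents are constructed for the example; which types Jenkins itself admits is outside its scope.

```java
import com.thoughtworks.xstream.XStream;
import com.thoughtworks.xstream.security.ForbiddenClassException;
import com.thoughtworks.xstream.security.NoTypePermission;
import com.thoughtworks.xstream.security.NullPermission;
import com.thoughtworks.xstream.security.PrimitiveTypePermission;

/*
 * Added example (not Jenkins code): an XStream instance whose security
 * framework is never initialised, beside one locked to an explicit
 * allow-list. The Report class and both XML documents are constructed
 * for this example.
 */
public class XStreamSecurityExample {

    /** Hypothetical application type that the service legitimately unmarshals. */
    public static class Report {
        public String title;
        public long failures;
    }

    /** Constructed document of the expected type. */
    static final String EXPECTED_XML =
            "<report><title>nightly</title><failures>3</failures></report>";

    /**
     * Constructed document naming a type the application never asked for.
     * XStream resolves the root element name to a class, so whoever controls
     * the XML chooses which class XStream tries to instantiate; only the
     * security framework decides whether that is permitted.
     */
    static final String UNEXPECTED_XML =
            "<java.util.HashMap><entry><string>k</string><string>v</string></entry></java.util.HashMap>";

    /** No permissions configured: the instance deserialises any resolvable class. */
    static XStream uninitialised() {
        XStream xs = new XStream();
        xs.alias("report", Report.class);
        return xs;
    }

    /** Deny everything first, then re-admit exactly the types the application needs. */
    static XStream allowListed() {
        XStream xs = new XStream();
        xs.alias("report", Report.class);
        xs.addPermission(NoTypePermission.NONE);              // resets the permission list: deny all
        xs.addPermission(NullPermission.NULL);                // null references
        xs.addPermission(PrimitiveTypePermission.PRIMITIVES); // int, long, boolean, ...
        xs.allowTypes(new Class[] { String.class, Report.class });
        return xs;
    }

    /** Returns the class XStream produced, or null if the security framework refused it. */
    static Class<?> tryUnmarshal(XStream xs, String xml) {
        try {
            Object o = xs.fromXML(xml);
            return o == null ? null : o.getClass();
        } catch (ForbiddenClassException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        XStream open = uninitialised();
        XStream locked = allowListed();

        // Both instances handle the document the application expects.
        System.out.println("open/expected:     " + tryUnmarshal(open, EXPECTED_XML));
        System.out.println("locked/expected:   " + tryUnmarshal(locked, EXPECTED_XML));

        // Only the allow-listed instance refuses the unexpected type.
        System.out.println("open/unexpected:   " + tryUnmarshal(open, UNEXPECTED_XML));
        System.out.println("locked/unexpected: " + tryUnmarshal(locked, UNEXPECTED_XML));
    }
}
```

Run against XStream 1.4.15, the uninitialised instance returns `java.util.HashMap` for the unexpected document and logs XStream's own warning that its security framework is not initialised; the allow-listed instance throws `ForbiddenClassException`, caught here and reported as null. An application that configures permissions as in `allowListed()` is not exposed to the gadget classes the 1.4.16 changelog lists, which is the reasoning behind the description's "as far as I can tell" and also why a version-matching scanner cannot see it. To confirm what such a scanner sees after the backport, inspect the resolved artifact in a Jenkins core checkout with `mvn dependency:tree -Dincludes=com.thoughtworks.xstream`.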


          Mark Waite created issue
          Mark Waite made changes:
            Description
              Original: Jetty 9.4.39 includes important bugfixes, and it would be great to consider backporting to the 2.277.x release line. Changelog: [https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.39.v20210325]
              PR to the weekly baseline: [https://github.com/jenkinsci/jenkins/pull/5380]
              New: The [xstream 1.4.16 release|https://x-stream.github.io/changes.html#1.4.16] resolves security vulnerabilities when unmarshalling with an XStream instance using an uninitialized security framework. As far as I can tell, Jenkins is not susceptible to the vulnerabilities being fixed in xstream 1.4.16, but it would be good to include the xstream 1.4.16 in the Jenkins 2.277.x line (like 2.277.3 being released in May) so that security scanners do not need to be taught that Jenkins is not susceptible to the issue in xstream 1.4.15 and earlier.
          Mark Waite made changes:
            Reporter
              Original: Oleg Nenashev [ oleg_nenashev ]
              New: Mark Waite [ markewaite ]
          Mark Waite made changes:
            Component/s
              Original: winstone-jetty [ 20645 ]
          Mark Waite made changes:
            Labels
              Original: jetty lts-candidate
              New: lts-candidate
          Mark Waite made changes:
            Description (edited; the visible text of the first paragraph is unchanged)
              New: The [xstream 1.4.16 release|https://x-stream.github.io/changes.html#1.4.16] resolves security vulnerabilities when unmarshalling with an XStream instance using an uninitialized security framework. As far as I can tell, Jenkins is not susceptible to the vulnerabilities being fixed in xstream 1.4.16, but it would be good to include the xstream 1.4.16 in the Jenkins 2.277.x line (like 2.277.3 being released in May) so that security scanners do not need to be taught that Jenkins is not susceptible to the issue in xstream 1.4.15 and earlier.
              See https://github.com/jenkinsci/jenkins/pull/5360 for the delivery of that change into [Jenkins 2.285|https://www.jenkins.io/changelog/#v2.285]
          Mark Waite made changes:
            Description
              Original: The [xstream 1.4.16 release|https://x-stream.github.io/changes.html#1.4.16] resolves security vulnerabilities when unmarshalling with an XStream instance using an uninitialized security framework. As far as I can tell, Jenkins is not susceptible to the vulnerabilities being fixed in xstream 1.4.16, but it would be good to include the xstream 1.4.16 in the Jenkins 2.277.x line (like 2.277.3 being released in May) so that security scanners do not need to be taught that Jenkins is not susceptible to the issue in xstream 1.4.15 and earlier.
              See https://github.com/jenkinsci/jenkins/pull/5360 for the delivery of that change into [Jenkins 2.285|https://www.jenkins.io/changelog/#v2.285]
              New: The [xstream 1.4.16 release|https://x-stream.github.io/changes.html#1.4.16] resolves security vulnerabilities when unmarshalling with an XStream instance using an uninitialized security framework. As far as I can tell, Jenkins is not susceptible to the vulnerabilities being fixed in xstream 1.4.16. It would be good to include the xstream 1.4.16 in the Jenkins 2.277.x line (like 2.277.3 being released in May) so that security scanners do not need to be taught that Jenkins is not susceptible to the issue in xstream 1.4.15 and earlier.
              See https://github.com/jenkinsci/jenkins/pull/5360 for the delivery of that change into [Jenkins 2.285|https://www.jenkins.io/changelog/#v2.285]
          Mark Waite made changes:
            Remote Link
              New: This issue links to "PR 5360 - xstream 1.4.16 pull request (Web Link)" [ 26598 ]
          Daniel Beck made changes:
            Resolution
              New: Fixed [ 1 ]
            Status
              Original: Open [ 1 ]
              New: Resolved [ 5 ]
          Mark Waite made changes:
            Labels
              Original: lts-candidate
              New: 2.277.4-fixed lts-candidate
          Mark Waite made changes:
            Released As
              New: 2.285

            Assignee: Unassigned
            Reporter: Mark Waite (markewaite)
            Votes: 0
            Watchers: 2