Bug
Resolution: Fixed
Minor
2.285
The xstream 1.4.16 release resolves security vulnerabilities when unmarshalling with an XStream instance using an uninitialized security framework. As far as I can tell, Jenkins is not susceptible to the vulnerabilities being fixed in xstream 1.4.16. It would be good to include xstream 1.4.16 in the Jenkins 2.277.x line (such as 2.277.3, being released in May) so that security scanners do not need to be taught that Jenkins is not susceptible to the issue in xstream 1.4.15 and earlier.
See https://github.com/jenkinsci/jenkins/pull/5360 for the delivery of that change into Jenkins 2.285
[JENKINS-65281] Update to xstream 1.4.16 to avoid security scanner complaints
Description
  Original: Jetty 9.4.39 includes important bugfixes, and it would be great to consider backporting to the 2.277.x release line. Changelog: [https://github.com/eclipse/jetty.project/releases/tag/jetty-9.4.39.v20210325]
  PR to the weekly baseline: [https://github.com/jenkinsci/jenkins/pull/5380]
  New: The [xstream 1.4.16 release|https://x-stream.github.io/changes.html#1.4.16] resolves security vulnerabilities when unmarshalling with an XStream instance using an uninitialized security framework. As far as I can tell, Jenkins is not susceptible to the vulnerabilities being fixed in xstream 1.4.16, but it would be good to include the xstream 1.4.16 in the Jenkins 2.277.x line (like 2.277.3 being released in May) so that security scanners do not need to be taught that Jenkins is not susceptible to the issue in xstream 1.4.15 and earlier.
Reporter
  Original: Oleg Nenashev [ oleg_nenashev ]
  New: Mark Waite [ markewaite ]
Component/s
  Original: winstone-jetty [ 20645 ]
Labels
  Original: jetty lts-candidate
  New: lts-candidate
Description
  Original: The [xstream 1.4.16 release|https://x-stream.github.io/changes.html#1.4.16] resolves security vulnerabilities when unmarshalling with an XStream instance using an uninitialized security framework. As far as I can tell, Jenkins is not susceptible to the vulnerabilities being fixed in xstream 1.4.16, but it would be good to include the xstream 1.4.16 in the Jenkins 2.277.x line (like 2.277.3 being released in May) so that security scanners do not need to be taught that Jenkins is not susceptible to the issue in xstream 1.4.15 and earlier.
  New: The [xstream 1.4.16 release|https://x-stream.github.io/changes.html#1.4.16] resolves security vulnerabilities when unmarshalling with an XStream instance using an uninitialized security framework. As far as I can tell, Jenkins is not susceptible to the vulnerabilities being fixed in xstream 1.4.16, but it would be good to include the xstream 1.4.16 in the Jenkins 2.277.x line (like 2.277.3 being released in May) so that security scanners do not need to be taught that Jenkins is not susceptible to the issue in xstream 1.4.15 and earlier.
  See https://github.com/jenkinsci/jenkins/pull/5360 for the delivery of that change into [Jenkins 2.285|https://www.jenkins.io/changelog/#v2.285]
Description
  Original: The [xstream 1.4.16 release|https://x-stream.github.io/changes.html#1.4.16] resolves security vulnerabilities when unmarshalling with an XStream instance using an uninitialized security framework. As far as I can tell, Jenkins is not susceptible to the vulnerabilities being fixed in xstream 1.4.16, but it would be good to include the xstream 1.4.16 in the Jenkins 2.277.x line (like 2.277.3 being released in May) so that security scanners do not need to be taught that Jenkins is not susceptible to the issue in xstream 1.4.15 and earlier.
  See https://github.com/jenkinsci/jenkins/pull/5360 for the delivery of that change into [Jenkins 2.285|https://www.jenkins.io/changelog/#v2.285]
  New: The [xstream 1.4.16 release|https://x-stream.github.io/changes.html#1.4.16] resolves security vulnerabilities when unmarshalling with an XStream instance using an uninitialized security framework. As far as I can tell, Jenkins is not susceptible to the vulnerabilities being fixed in xstream 1.4.16. It would be good to include the xstream 1.4.16 in the Jenkins 2.277.x line (like 2.277.3 being released in May) so that security scanners do not need to be taught that Jenkins is not susceptible to the issue in xstream 1.4.15 and earlier.
  See https://github.com/jenkinsci/jenkins/pull/5360 for the delivery of that change into [Jenkins 2.285|https://www.jenkins.io/changelog/#v2.285]
Remote Link
  New: This issue links to "PR 5360 - xstream 1.4.16 pull request (Web Link)" [ 26598 ]
Resolution
  New: Fixed [ 1 ]
Status
  Original: Open [ 1 ]
  New: Resolved [ 5 ]