
Backport the xstream 1.4.21 upgrade to Jenkins 2.479.2

    • Type: Bug
    • Resolution: Fixed
    • Priority: Minor
    • Component: core
    • Released As: 2.485 (upcoming), 2.479.2

      The XStream library has reported CVE-2024-47072, a vulnerability when XStream uses the BinaryStreamDriver. I see no references to BinaryStreamDriver in any of the active Jenkins source code, but software composition analysis tools will report it as a vulnerability and we'll spend time explaining that Jenkins is not vulnerable.

      Let's backport the change from PR-9954 to the stable-2.479 line so that it can be part of Jenkins 2.479.2.

          Mark Waite created issue -
          Mark Waite made changes -
          Description Original: The XStream library has reported [CVE-2024-47072|https://x-stream.github.io/CVE-2024-47072.html], a vulnerability when XStream uses the BinaryStreamDriver. I see no references to BinaryStreamDriver in any of the active Jenkins source code, but software composition analysis tools will report it as a vulnerability and we'll spend time explaining that Jenkins is not vulnerable.

          Let's backport change from [PR-9954|https://github.com/jenkinsci/jenkins/pull/9954] to the stable-2.479 line so that it can be part of Jenkins 2.479.2
          New: The XStream library has reported [CVE-2024-47072|https://x-stream.github.io/CVE-2024-47072.html], a vulnerability when XStream uses the BinaryStreamDriver. I see no references to BinaryStreamDriver in any of the active Jenkins source code, but software composition analysis tools will report it as a vulnerability and we'll spend time explaining that Jenkins is not vulnerable.

          Let's backport the change from [PR-9954|https://github.com/jenkinsci/jenkins/pull/9954] to the stable-2.479 line so that it can be part of Jenkins 2.479.2
          Mark Waite made changes -
          Resolution New: Fixed [ 1 ]
          Status Original: Open [ 1 ] New: Resolved [ 5 ]
          Kris Stern made changes -
          Labels Original: lts-candidate New: 2.479.2-fixed
          Mark Waite made changes -
          Status Original: Resolved [ 5 ] New: Closed [ 6 ]
          Kris Stern made changes -
          Released As Original: 2.485 (upcoming) New: 2.485 (upcoming), 2.479.2

            Assignee: Unassigned
            Reporter: Mark Waite
            Votes: 0
            Watchers: 1