Bug
Resolution: Fixed
Minor
2.485 (upcoming), 2.479.2
The XStream library has reported CVE-2024-47072, a vulnerability when XStream uses the BinaryStreamDriver. I see no references to BinaryStreamDriver in any of the active Jenkins source code, but software composition analysis tools will report it as a vulnerability and we'll spend time explaining that Jenkins is not vulnerable.
Let's backport the change from PR-9954 to the stable-2.479 line so that it can be part of Jenkins 2.479.2.
[JENKINS-74826] Backport the xstream 1.4.21 upgrade to Jenkins 2.479.2
Description
Original:
The XStream library has reported [CVE-2024-47072|https://x-stream.github.io/CVE-2024-47072.html], a vulnerability when XStream uses the BinaryStreamDriver. I see no references to BinaryStreamDriver in any of the active Jenkins source code, but software composition analysis tools will report it as a vulnerability and we'll spend time explaining that Jenkins is not vulnerable.
Let's backport change from [PR-9954|https://github.com/jenkinsci/jenkins/pull/9954] to the stable-2.479 line so that it can be part of Jenkins 2.479.2
New:
The XStream library has reported [CVE-2024-47072|https://x-stream.github.io/CVE-2024-47072.html], a vulnerability when XStream uses the BinaryStreamDriver. I see no references to BinaryStreamDriver in any of the active Jenkins source code, but software composition analysis tools will report it as a vulnerability and we'll spend time explaining that Jenkins is not vulnerable.
Let's backport the change from [PR-9954|https://github.com/jenkinsci/jenkins/pull/9954] to the stable-2.479 line so that it can be part of Jenkins 2.479.2
Resolution | New: Fixed [ 1 ]
Status | Original: Open [ 1 ] | New: Resolved [ 5 ]
Labels | Original: lts-candidate | New: 2.479.2-fixed
Status | Original: Resolved [ 5 ] | New: Closed [ 6 ]
Released As | Original: 2.485 (upcoming) | New: 2.485 (upcoming), 2.479.2