Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug 2044941: Jenkins Fixes for CVE-2022-20617 and CVE-2022-20612 #1369

Merged
merged 2 commits into from Jan 28, 2022
Merged

Bug 2044941: Jenkins Fixes for CVE-2022-20617 and CVE-2022-20612 #1369

merged 2 commits into from Jan 28, 2022

Conversation

adambkaplan
Copy link
Contributor

@adambkaplan adambkaplan commented Jan 26, 2022
edited

Upgrade core Jenkins and plugins to address some of the vulnerabilities in the 2022-01 Jenkins security advisory:

  • CVE-2022-20617: Update docker-commons to 1.18 to mitigate a vulnerability with unsanitized image names/tags.
  • CVE-2022-20612: Upgrade core Jenkins to the current LTS release (2.319.2). This includes a fix for a CSRF vulnerability impacting 2.319.1 and lower.

Related Bugzilla bugs:

@adambkaplan
CVE-2022-20617: Update docker-commons to 1.18
75d30b1 
Upgrade docker-commons plugin to 1.18 to mitigate a vulnerability with
unsanitized image names/tags.
@adambkaplan
CVE-2022-20612: Upgrade core Jenkins to 2.319.2
94d4bc3 
Upgrade core Jenkins to the current LTS (2.319.2). This includes a fix
for a CSRF vulnerability in 2.319.1 and lower.
@openshift-ci openshift-ci bot added the bugzilla/severity-high Referenced Bugzilla bug's severity is high for the branch this PR is targeting. label Jan 26, 2022
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 26, 2022

@adambkaplan: This pull request references Bugzilla bug 2044941, which is invalid:

  • expected Bugzilla bug 2044941 to depend on a bug targeting a release in 4.10.0 and in one of the following states: VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), CLOSED (CURRENTRELEASE), but no dependents were found

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

Bug 2044941: Jenkins Fixes for CVE-2022-20617 and CVE-2022-20612

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci openshift-ci bot added the bugzilla/invalid-bug Indicates that a referenced Bugzilla bug is invalid for the branch this PR is targeting. label Jan 26, 2022
@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 26, 2022
@adambkaplan
Copy link
Contributor Author

/assign @coreydaley

For backport risk assessment

@coreydaley
Copy link
Member

/label backport-risk-assessed

@openshift-ci openshift-ci bot added the backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. label Jan 26, 2022
@adambkaplan
Copy link
Contributor Author

/bugzilla refresh

@openshift-ci openshift-ci bot added the bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. label Jan 27, 2022
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 27, 2022

@adambkaplan: This pull request references Bugzilla bug 2044941, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

6 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.9.z) matches configured target release for branch (4.9.z)
  • bug is in the state NEW, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)
  • dependent bug Bugzilla bug 2044942 is in the state VERIFIED, which is one of the valid states (VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), CLOSED (CURRENTRELEASE))
  • dependent Bugzilla bug 2044942 targets the "4.10.0" release, which is one of the valid target releases: 4.10.0
  • bug has dependents

Requesting review from QA contact:
/cc @jitendar-singh

In response to this:

/bugzilla refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci openshift-ci bot removed the bugzilla/invalid-bug Indicates that a referenced Bugzilla bug is invalid for the branch this PR is targeting. label Jan 27, 2022
@adambkaplan
Copy link
Contributor Author

/retest

@adambkaplan
Copy link
Contributor Author

/assign @jitendar-singh @prietyc123

For cherrypick approval

@jitendar-singh
Copy link
Contributor

/cherry-pick-approved

@jitendar-singh
Copy link
Contributor

have tested the PR using cluster-bot, it has all the fixes needed

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 27, 2022

@adambkaplan: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@prietyc123
Copy link
Contributor

as @jitendar-singh has already tested the fix pre-merge I will add qe-approved label as well.

/label qe-approved
/label cherry-pick-approved

@openshift-ci openshift-ci bot added qe-approved Signifies that QE has signed off on this PR cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. labels Jan 28, 2022
@adambkaplan
Copy link
Contributor Author

/label qe-approved cancel

We can't verify Jenkins updates pre-merge because of how we package Jenkins (core and plugins). This needs to be done after ART builds the new image.

@gabemontero
Copy link
Contributor

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jan 28, 2022
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 28, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: adambkaplan, gabemontero

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [adambkaplan,gabemontero]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-robot openshift-merge-robot merged commit a71a115 into openshift:release-4.9 Jan 28, 2022
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 28, 2022

@adambkaplan: All pull requests linked via external trackers have merged:

Bugzilla bug 2044941 has been moved to the MODIFIED state.

In response to this:

Bug 2044941: Jenkins Fixes for CVE-2022-20617 and CVE-2022-20612

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@adambkaplan
Copy link
Contributor Author

adambkaplan commented Jan 28, 2022
edited 

Installed plugins:
ace-editor:1.1
ant:1.11
apache-httpcomponents-client-4-api:4.5.10-2.0
authentication-tokens:1.4
blueocean-autofavorite:1.2.3
blueocean-bitbucket-pipeline:1.24.4
blueocean-commons:1.24.4
blueocean-config:1.24.4
blueocean-core-js:1.24.4
blueocean-dashboard:1.24.4
blueocean-display-url:2.2.0
blueocean-events:1.24.4
blueocean-github-pipeline:1.24.4
blueocean-git-pipeline:1.24.4
blueocean-i18n:1.24.4
blueocean:1.24.4
blueocean-jwt:1.24.4
blueocean-personalization:1.24.4
blueocean-pipeline-api-impl:1.24.4
blueocean-pipeline-editor:1.24.4
blueocean-pipeline-scm-api:1.24.4
blueocean-rest-impl:1.24.4
blueocean-rest:1.24.4
blueocean-web:1.24.4
bouncycastle-api:2.18
branch-api:2.5.6
cloudbees-bitbucket-branch-source:2.4.4
cloudbees-folder:6.15
conditional-buildstep:1.3.1
config-file-provider:3.7.1
configuration-as-code-groovy:1.1
configuration-as-code:1.47
credentials-binding:1.23
credentials:2.3.15
display-url-api:2.3.4
docker-commons:1.18
docker-workflow:1.23
durable-task:1.35
echarts-api:4.7.0-4
favorite:2.3.1
git-client:3.5.1
github-api:1.114.2
github-branch-source:2.6.0
github:1.33.0
git:4.5.2
git-server:1.7
google-oauth-plugin:1.0.0
groovy:2.2
handlebars:1.1
handy-uri-templates-2-api:2.1.6-1.0
htmlpublisher:1.21
jackson2-api:2.12.1
jenkins-design-language:1.24.4
jira:3.0.17
job-dsl:1.77
jquery3-api:3.5.1-1
jquery-detached:1.2.1
jsch:0.1.55.2
junit:1.30
kubernetes-client-api:4.13.2-1
kubernetes-credentials:0.7.0
kubernetes:1.29.0
lockable-resources:2.10
mailer:1.32.1
mapdb-api:1.0.9.0
matrix-auth:2.6.2
matrix-project:1.18
mercurial:2.12
metrics:4.0.2.6
momentjs:1.1
oauth-credentials:0.3
okhttp-api:3.12.12.2
openshift-client:1.0.34
openshift-login:1.0.26
openshift-sync:1.0.46
pam-auth:1.6
parameterized-trigger:2.36
pipeline-build-step:2.12
pipeline-github-lib:1.0
pipeline-graph-analysis:1.10
pipeline-input-step:2.11
pipeline-milestone-step:1.3.1
pipeline-model-api:1.7.2
pipeline-model-declarative-agent:1.1.1
pipeline-model-definition:1.6.0
pipeline-model-extensions:1.7.2
pipeline-rest-api:2.10
pipeline-stage-step:2.3
pipeline-stage-tags-metadata:1.6.0
pipeline-stage-view:2.10
pipeline-utility-steps:2.5.0
plain-credentials:1.7
plugin-util-api:1.2.2
prometheus:2.0.0
pubsub-light:1.13
run-condition:0.10
scm-api:2.6.4
script-security:1.75
snakeyaml-api:1.27.0
sse-gateway:1.24
ssh-credentials:1.18.1
structs:1.20
subversion:2.15.1
token-macro:2.13
trilead-api:1.0.8
variant:1.4
workflow-aggregator:2.6
workflow-api:2.40
workflow-basic-steps:2.18
workflow-cps-global-lib:2.15
workflow-cps:2.87
workflow-durable-task-step:2.31
workflow-job:2.39
workflow-multibranch:2.22
workflow-remote-loader:1.5
workflow-scm-step:2.11
workflow-step-api:2.23
workflow-support:3.6

@adambkaplan
Copy link
Contributor Author

ART requests:

  1. Plugins - https://issues.redhat.com/browse/ART-3713
  2. Core Jenkins - https://issues.redhat.com/browse/ART-3714

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 28, 2022

@adambkaplan: Bugzilla bug 2044941 is in an unrecognized state (ON_QA) and will not be moved to the MODIFIED state.

In response to this:

Bug 2044941: Jenkins Fixes for CVE-2022-20617 and CVE-2022-20612

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jkhelil jkhelil Awaiting requested review from jkhelil

@otaviof otaviof Awaiting requested review from otaviof

@jitendar-singh jitendar-singh Awaiting requested review from jitendar-singh

Assignees

@gabemontero gabemontero

@coreydaley coreydaley

@jitendar-singh jitendar-singh

@prietyc123 prietyc123

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. bugzilla/severity-high Referenced Bugzilla bug's severity is high for the branch this PR is targeting. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. lgtm Indicates that a PR is ready to be merged. qe-approved Signifies that QE has signed off on this PR
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@adambkaplan @coreydaley @jitendar-singh @prietyc123 @gabemontero @openshift-merge-robot