Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug 2044940: Jenkins Fixes for CVE-2022-20617 and CVE-2022-20612 #1370

Merged
merged 2 commits into from
Jan 31, 2022
Merged

Bug 2044940: Jenkins Fixes for CVE-2022-20617 and CVE-2022-20612 #1370

merged 2 commits into from
Jan 31, 2022

Conversation

adambkaplan
Copy link
Contributor

Upgrade core Jenkins and plugins to address some of the vulnerabilities in the 2022-01 Jenkins security advisory:

  • CVE-2022-20617: Update docker-commons to 1.18 to mitigate a vulnerability with unsanitized image names/tags.
  • CVE-2022-20612: Upgrade core Jenkins to the current LTS release (2.319.2). This includes a fix for a CSRF vulnerability impacting 2.319.1 and lower.

Related Bugzilla bugs:

@adambkaplan
CVE-2022-20617: Update docker-commons to 1.18
504fb97 
Upgrade docker-commons plugin to 1.18 to mitigate a vulnerability with
unsanitized image names/tags.
@adambkaplan
CVE-2022-20612: Upgrade core Jenkins to 2.319.2
09da4f5 
Upgrade core Jenkins to the current LTS (2.319.2). This includes a fix
for a CSRF vulnerability in 2.319.1 and lower.
@openshift-ci openshift-ci bot added bugzilla/severity-high Referenced Bugzilla bug's severity is high for the branch this PR is targeting. bugzilla/invalid-bug Indicates that a referenced Bugzilla bug is invalid for the branch this PR is targeting. labels Jan 26, 2022
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 26, 2022

@adambkaplan: This pull request references Bugzilla bug 2044940, which is invalid:

  • expected Bugzilla bug 2044940 to depend on a bug targeting a release in 4.9.0, 4.9.z and in one of the following states: VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), CLOSED (CURRENTRELEASE), but no dependents were found

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

Bug 2044940: Jenkins Fixes for CVE-2022-20617 and CVE-2022-20612

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 26, 2022
@adambkaplan
Copy link
Contributor Author

/assign @coreydaley

For backport risk assessment

@coreydaley
Copy link
Member

/label backport-risk-assessed

@openshift-ci openshift-ci bot added the backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. label Jan 26, 2022
@adambkaplan
Copy link
Contributor Author

/retest

Unrelated AWS error

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 27, 2022

@adambkaplan: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@gabemontero
Copy link
Contributor

/lgtm

@openshift-ci openshift-ci bot added the lgtm Indicates that a PR is ready to be merged. label Jan 28, 2022
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 28, 2022

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: adambkaplan, gabemontero

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [adambkaplan,gabemontero]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@adambkaplan
Copy link
Contributor Author

/bugzilla refresh

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 28, 2022

@adambkaplan: This pull request references Bugzilla bug 2044940, which is invalid:

  • expected dependent Bugzilla bug 2044941 to be in one of the following states: VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), CLOSED (CURRENTRELEASE), but it is ON_QA instead

Comment /bugzilla refresh to re-evaluate validity if changes to the Bugzilla bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

/bugzilla refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-bot
Copy link
Contributor

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

@openshift-ci openshift-ci bot added the bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. label Jan 29, 2022
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 29, 2022

@openshift-bot: This pull request references Bugzilla bug 2044940, which is valid. The bug has been moved to the POST state. The bug has been updated to refer to the pull request using the external bug tracker.

6 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target release (4.8.z) matches configured target release for branch (4.8.z)
  • bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, ON_DEV, POST, POST)
  • dependent bug Bugzilla bug 2044941 is in the state VERIFIED, which is one of the valid states (VERIFIED, RELEASE_PENDING, CLOSED (ERRATA), CLOSED (CURRENTRELEASE))
  • dependent Bugzilla bug 2044941 targets the "4.9.z" release, which is one of the valid target releases: 4.9.0, 4.9.z
  • bug has dependents

Requesting review from QA contact:
/cc @jitendar-singh

In response to this:

/bugzilla refresh

Recalculating validity in case the underlying Bugzilla bug has changed.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@openshift-ci openshift-ci bot removed the bugzilla/invalid-bug Indicates that a referenced Bugzilla bug is invalid for the branch this PR is targeting. label Jan 29, 2022
@adambkaplan
Copy link
Contributor Author

@jitendar-singh @prietyc123 this is now ready for cherrypick approval.

@jitendar-singh
Copy link
Contributor

/label cherry-pick-approved

@openshift-ci openshift-ci bot added the cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. label Jan 31, 2022
@openshift-merge-robot openshift-merge-robot merged commit db0e672 into openshift:release-4.8 Jan 31, 2022
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 31, 2022

@adambkaplan: All pull requests linked via external trackers have merged:

Bugzilla bug 2044940 has been moved to the MODIFIED state.

In response to this:

Bug 2044940: Jenkins Fixes for CVE-2022-20617 and CVE-2022-20612

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@adambkaplan
Copy link
Contributor Author 

Installed plugins:
ace-editor:1.1
ant:1.11
apache-httpcomponents-client-4-api:4.5.13-1.0
authentication-tokens:1.4
blueocean-autofavorite:1.2.4
blueocean-bitbucket-pipeline:1.24.8
blueocean-commons:1.24.8
blueocean-config:1.24.8
blueocean-core-js:1.24.8
blueocean-dashboard:1.24.8
blueocean-display-url:2.4.1
blueocean-events:1.24.8
blueocean-github-pipeline:1.24.8
blueocean-git-pipeline:1.24.8
blueocean-i18n:1.24.8
blueocean:1.24.8
blueocean-jwt:1.24.8
blueocean-personalization:1.24.8
blueocean-pipeline-api-impl:1.24.8
blueocean-pipeline-editor:1.24.8
blueocean-pipeline-scm-api:1.24.8
blueocean-rest-impl:1.24.8
blueocean-rest:1.24.8
blueocean-web:1.24.8
bootstrap4-api:4.6.0-3
bouncycastle-api:2.25
branch-api:2.6.4
caffeine-api:2.9.2-29.v717aac953ff3
checks-api:1.7.2
cloudbees-bitbucket-branch-source:2.4.4
cloudbees-folder:6.16
config-file-provider:3.8.1
configuration-as-code-groovy:1.1
configuration-as-code:1.54
credentials-binding:1.27
credentials:2.6.1
display-url-api:2.3.5
docker-commons:1.18
durable-task:493.v195aefbb0ff2
echarts-api:5.0.2-1
favorite:2.3.1
font-awesome-api:5.15.2-2
git-client:3.10.0
github-api:1.114.2
github-branch-source:2.6.0
github:1.34.0
git:4.10.0
git-server:1.9
google-oauth-plugin:1.0.6
groovy:2.4
handy-uri-templates-2-api:2.1.6-1.0
htmlpublisher:1.25
jackson2-api:2.13.0-230.v59243c64b0a5
jenkins-design-language:1.24.8
jira:3.5
job-dsl:1.77
jquery3-api:3.6.0-1
jsch:0.1.55.2
junit:1.52
kubernetes-client-api:5.10.1-171.vaa0774fb8c20
kubernetes-credentials:0.9.0
kubernetes:1.31.0
lockable-resources:2.11
mailer:1.34
mapdb-api:1.0.9.0
matrix-auth:2.6.8
matrix-project:1.19
mercurial:2.15
metrics:4.0.2.8
oauth-credentials:0.4
okhttp-api:3.12.12.2
openshift-client:1.0.35
openshift-login:1.0.26
openshift-sync:1.0.52
pam-auth:1.6
pipeline-build-step:2.14
pipeline-graph-analysis:1.10
pipeline-input-step:2.12
pipeline-milestone-step:1.3.1
pipeline-model-api:1.9.3
pipeline-model-definition:1.8.4
pipeline-model-extensions:1.9.3
pipeline-rest-api:2.15
pipeline-stage-step:2.5
pipeline-stage-tags-metadata:1.8.4
plain-credentials:1.7
plugin-util-api:2.4.0
popper-api:1.16.1-2
prometheus:2.0.10
pubsub-light:1.13
scm-api:2.6.5
script-security:1.78
snakeyaml-api:1.29.1
sse-gateway:1.24
ssh-credentials:1.19
structs:1.23
subversion:2.15.1
token-macro:266.v44a80cf277fd
trilead-api:1.0.13
variant:1.4
workflow-api:2.47
workflow-basic-steps:2.20
workflow-cps-global-lib:2.17
workflow-cps:2.94
workflow-durable-task-step:2.35
workflow-job:2.41
workflow-multibranch:2.26
workflow-scm-step:2.13
workflow-step-api:2.24
workflow-support:3.8

@adambkaplan
Copy link
Contributor Author

ART requests:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@otaviof otaviof Awaiting requested review from otaviof

@sbose78 sbose78 Awaiting requested review from sbose78

@jitendar-singh jitendar-singh Awaiting requested review from jitendar-singh

Assignees

@gabemontero gabemontero

@coreydaley coreydaley

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. backport-risk-assessed Indicates a PR to a release branch has been evaluated and considered safe to accept. bugzilla/severity-high Referenced Bugzilla bug's severity is high for the branch this PR is targeting. bugzilla/valid-bug Indicates that a referenced Bugzilla bug is valid for the branch this PR is targeting. cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. lgtm Indicates that a PR is ready to be merged.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@adambkaplan @coreydaley @gabemontero @openshift-bot @jitendar-singh @openshift-merge-robot