[SCM] jenkins packaging branch, master, updated. debian/1.466.2+dfsg-1-13-gf2fe1f8

James Page james.page at ubuntu.com
Thu Jan 10 10:11:55 UTC 2013


The following commit has been merged in the master branch:
commit f2fe1f8c034c522c8701462c4b7af5334210b9aa
Author: James Page <james.page at ubuntu.com>
Date:   Thu Jan 10 10:10:21 2013 +0000

    New upstream release, fixing a critical security vulnerability:
    
    * New upstream release, fixing a critical security vulnerability:
      - d/control: Versioned BD jenkins-trilead-ssh2 >= 214-jenkins-1.
    * Tidied lintian warnings.
    * Bumped Standards-Version: 3.9.4, no changes.

diff --git a/debian/NEWS b/debian/NEWS
index ffadf95..fa014fb 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,37 @@
+jenkins (1.480.2+dfsg-1~exp1) experimental; urgency=low
+
+  This new version of Jenkins will generate a new set of different
+  cryptographic keys to protect sensitive data, authenticate slaves,
+  and so on.
+
+  Because of this, administrators of Jenkins need to be aware of
+  the following implications of the upgrade:
+
+   API tokens of many users will likely change as a result, and
+   therefore if you have scripts and external programs that rely
+   on these tokens, some of them will fail. Please retrieve the
+   updated API tokens from the UI.
+
+   Slaves that are started via Java Web Start will fail to reconnect
+   if the *.jnlp file is locally stored. This is because the
+   authentication tokens change. An administrator would have to
+   login to the UI, retrieve the *.jnlp file and overwrite what's
+   already on the slave. A slave that was launched via Java Web Start
+   and then turned into a service through its menu falls into this
+   category.
+
+   Once the new version is started, the administrator needs to run
+   the Re-keying process to update the on-disk configuration files
+   to use the newer encryption key. Go to "Manage Jenkins" page and
+   follow the instruction at the top of the page. Please also read
+   https://wiki.jenkins-ci.org/display/SECURITY/Re-keying before
+   running this process.
+
+  See https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-01-04 
+  for more details of the security vulnerability.
+
+ -- James Page <james.page at ubuntu.com>  Wed, 09 Jan 2013 17:56:51 +0000
+
 jenkins (1.447.1+dfsg-1) unstable; urgency=low
 
   This new upstream release of Jenkins does not currently include
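Review bot: The new NEWS entry only says at its very end (the "See https://wiki.jenkins-ci.org/..." paragraph) that the key regeneration is the consequence of a security fix, so an administrator reading from the top sees three breaking changes before the reason for them. Consider moving that sentence up to the opening paragraph. The three implications ("API tokens ...", "Slaves that are started ...", "Once the new version is started ...") are indented paragraphs without list markers; prefixing each with "*" would keep them distinct when the text is re-wrapped by a NEWS viewer. The advisory URL line also ends in a trailing space.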
diff --git a/debian/changelog b/debian/changelog
index 95e425d..2051812 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,10 +1,13 @@
-jenkins (1.480.2+dfsg-1~exp1) UNRELEASED; urgency=low
+jenkins (1.480.2+dfsg-1~exp1) experimental; urgency=low
 
-  * New upstream release:
+  * New upstream release, fixing a critical security vulnerability:
     - d/control: Added new BD on libjbcrypt-java.
     - d/control: Versioned BD jenkins-winstone >= 0.9.10-jenkins-40.
+    - d/control: Versioned BD jenkins-trilead-ssh2 >= 214-jenkins-1.
+  * Tidied lintian warnings.
+  * Bumped Standards-Version: 3.9.4, no changes.
 
- -- James Page <james.page at ubuntu.com>  Wed, 05 Dec 2012 21:56:17 +0000
+ -- James Page <james.page at ubuntu.com>  Thu, 10 Jan 2013 09:50:50 +0000
 
 jenkins (1.466.2+dfsg-1) experimental; urgency=low
 
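Review bot: The top changelog entry now describes the release as "fixing a critical security vulnerability" but gives no advisory reference, while the entry stays at urgency=low and targets experimental. Suggest citing the 2013-01-04 Jenkins Security Advisory that debian/NEWS links to, so the entry can be matched against the advisory by anyone tracking the fix. The context line below shows the previous entry (1.466.2+dfsg-1) was also experimental, so it is worth confirming how users of other suites are expected to receive this fix.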
diff --git a/debian/control b/debian/control
index a373809..950e546 100644
--- a/debian/control
+++ b/debian/control
@@ -54,7 +54,7 @@ Build-Depends-Indep:
  libjenkins-htmlunit-java,
  libjenkins-json-java (>= 2.1-rev7),
  libjenkins-remoting-java (>= 2.16),
- libjenkins-trilead-ssh2-java,
+ libjenkins-trilead-ssh2-java (>= 214-jenkins-1),
  libjenkins-winstone-java (>= 0.9.10-jenkins-40),
  libjenkins-xstream-java,
  libjetty-java,
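Review bot: The minimum version on libjenkins-trilead-ssh2-java is added under Build-Depends-Indep only in this hunk, and the commit message ties that bump to the security release. If the library is resolved from the system package at run time rather than bundled at build time, the binary packages' Depends need the same (>= 214-jenkins-1) floor; the visible lines do not show whether that is the case, so please check the binary stanzas.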
@@ -97,11 +97,10 @@ Build-Depends-Indep:
  libtxw2-java,
  libxpp3-java,
  ttf-dejavu-core
-Standards-Version: 3.9.3
+Standards-Version: 3.9.4
 Homepage: http://jenkins-ci.org/
-Vcs-Git: git://git.debian.org/git/pkg-java/jenkins.git
-Vcs-Browser: http://git.debian.org/?p=pkg-java/jenkins.git
-DM-Upload-Allowed: yes
+Vcs-Git: git://anonscm.debian.org/pkg-java/jenkins.git
+Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-java/jenkins.git
 
 Package: libjenkins-java
 Architecture: all
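Review bot: The updated Vcs-Git value uses the unauthenticated git:// transport and Vcs-Browser uses plain http://, so a checkout made from these fields has no transport integrity. If anonscm.debian.org serves the repository over https, prefer that form in both fields. The removal of DM-Upload-Allowed in the same hunk is not mentioned separately in the changelog; if it falls under "Tidied lintian warnings", saying so there would help later readers.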
diff --git a/debian/patches/build/use-debian-jbcrypt.patch b/debian/patches/build/use-debian-jbcrypt.patch
index 21bf2f0..9b34a9b 100644
--- a/debian/patches/build/use-debian-jbcrypt.patch
+++ b/debian/patches/build/use-debian-jbcrypt.patch
@@ -1,3 +1,10 @@
+Description: Alter package name for Debian
+ The debian JBCrypt package has a difference package name to
+ the one present in the central maven repository; this updates
+ jenkins to use the one in Debian.
+Author: James Page <james.page at ubuntu.com>
+Forwarded: not-needed
+
 --- a/core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java
 +++ b/core/src/main/java/hudson/security/HudsonPrivateSecurityRealm.java
 @@ -59,7 +59,7 @@ import org.kohsuke.stapler.HttpResponses
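Review bot: The added Description header has a typo, "a difference package name" should read "a different package name", and "debian JBCrypt package" should capitalise Debian. It would also help to say that the name in question is the Java package imported in HudsonPrivateSecurityRealm.java, since "package name" next to "Debian" reads as the .deb name. This file is on the password-hashing path, so a precise description is worth having for anyone auditing local deviations from upstream.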
diff --git a/debian/source/lintian-overrides b/debian/source/lintian-overrides
new file mode 100644
index 0000000..5b60099
--- /dev/null
+++ b/debian/source/lintian-overrides
@@ -0,0 +1,2 @@
+# trilead-ssh2 upstream version is actually 214-jenkins-1 so this is a false positive
+jenkins source: build-depends-on-1-revision build-depends-indep: libjenkins-trilead-ssh2-java (>= 214-jenkins-1)
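Review bot: The override on the second line matches the full relation string including the exact version (>= 214-jenkins-1), so it will stop matching and the build-depends-on-1-revision warning will return the next time the minimum version is raised. The explanatory comment is good; consider a wildcard for the version part of the override so it survives future bumps of the same upstream scheme, or accept that it must be updated together with debian/control.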

-- 
jenkins packaging


