Bug#696816: jenkins: Security issues were found in Jenkins core

Nobuhiro Ban ban.nobuhiro at gmail.com
Sun Dec 30 05:10:22 UTC 2012


clone 696816 -1
reassign -1 jenkins-winstone 0.9.10-jenkins-37+dfsg-1
thanks

Dear Maintainer,

I found upstream "SECURITY-44" (aka CVE-2012-6072) was from Winstone,
and it might be fixed in 0.9.10-jenkins-40.


https://github.com/jenkinsci/jenkins/commit/ad084edb571555e7c5a9bc5b27aba09aac8da98d
>[FIXED SECURITY-44]
> Picked up a new version of Winstone

https://github.com/jenkinsci/winstone/commit/62e890b9589a844553d837d91b5f68eb3dba334e
>[FIXED SECURITY-44]
> Do not allow the webapp to split HTTP header values into multiple lines. Since there's no obvious escaping semantics here, we just drop those characters, which is what Jetty does.


Regards,
Nobuhiro
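
The behaviour described in the quoted Winstone commit message (dropping CR and LF from header values rather than escaping them), as an added example that is not part of the original message and is not Winstone's or Jetty's code. The class and method names are hypothetical and the header values are constructed samples.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class HeaderValueFilterDemo {

    // Drop CR and LF so a value can never end its own header line.
    static String dropLineBreaks(String value) {
        if (value == null) return "";
        StringBuilder out = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c != '\r' && c != '\n') out.append(c);
        }
        return out.toString();
    }

    // Write the status line and header section of a response.
    static String serialize(Map<String, String> headers, boolean filter) {
        StringBuilder sb = new StringBuilder("HTTP/1.1 302 Found\r\n");
        for (Map.Entry<String, String> h : headers.entrySet()) {
            String v = filter ? dropLineBreaks(h.getValue()) : h.getValue();
            sb.append(h.getKey()).append(": ").append(v).append("\r\n");
        }
        return sb.append("\r\n").toString();
    }

    // Count header lines as a client or proxy parsing the bytes would see them.
    static int headerLines(String response) {
        String head = response.substring(0, response.indexOf("\r\n\r\n"));
        return head.split("\r\n").length - 1; // exclude the status line
    }

    public static void main(String[] args) {
        Map<String, String> headers = new LinkedHashMap<>();
        // Constructed sample: a value that carries an embedded CRLF.
        headers.put("Location", "/job/demo\r\nX-Constructed: extra");
        headers.put("Content-Length", "0");

        System.out.println("headers set by the webapp: " + headers.size());
        System.out.println("lines on the wire, unfiltered: "
                + headerLines(serialize(headers, false)));
        System.out.println("lines on the wire, filtered:   "
                + headerLines(serialize(headers, true)));
        System.out.println(serialize(headers, true));
    }
}
```

With the filter on, the number of header lines on the wire equals the number of headers the application set, which is the property a regression test for this fix can assert.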


