Bug#767541: jenkins: CVE-2014-3665

Emmanuel Bourg ebourg at apache.org
Sun Nov 16 12:06:07 UTC 2014


Hi Sylvain,

On 16/11/2014 11:26, beuc at debian.org wrote:
> Hi from the Paris Bugs Squashing Party :)

Thank you for helping!

> In order to help people who participate, can you (jenkins' maintainer)
> describe what you intend to do, and if help is possible?
> 
> - The security ~fix is a new slave->master access control system
> - Jenkins releases a "LTS" version every 3 months
> - Debian currently doesn't ship the current "LTS" from last month, but
>   the one before, which doesn't seem supported anymore.
> - Options that I see are either pushing the current LTS in Debian,
>   backporting the new access control system, or drop the package.
> 
> Let us know what your suggested course of action is.

The new LTS is probably too big to be pushed to testing now. As an
alternative I'm considering either disabling the master/slave mechanism,
or adding a big red warning in the UI to inform the user about the risks.

Emmanuel Bourg
