Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <54348CE5.3060007@kohsuke.org>
Date: Tue, 07 Oct 2014 18:01:25 -0700
From: Kohsuke Kawaguchi <kk@...suke.org>
To: Bryan Drewery <bdrewery@...eBSD.org>
CC: oss-security@...ts.openwall.com
Subject: Re: Security advisory in Jenkins

On 10/07/2014 11:45 AM, Bryan Drewery wrote:
> On 10/3/2014 4:44 PM, Kohsuke Kawaguchi wrote:
>> We are still learning how we should handle vulnerabilities, so I'm sure
>> there's room for improvements.
>>
>> We have multiple release lines to which the fixes have to be released
>> simultaneously, and overall this overhead is significant. That's why we did
>> one massive release that contains all the fixes.
>>
>> Wrt CVE-2013-2186, a week ago we got a report from somebody that he did a
>> security scan and found that we are still using a vulnerable version of the
>> library to which CVE-2013-2186 is assigned. In this release we use a newer
>> version of the library that addresses the problem, and I thought it'd be
>> appropriate to raise a flag to the users that if they continue to use older
>> versions, they'd remain vulnerable to CVE-2013-2186. That's why it's in the
>> advisory. It is not because we sat on a report for more than a year.
>>
>> When you say the timeframe is especially concerning, perhaps you mean you
>> are concerned that we fail to notice this vulnerability in our library for
>> more than a year, and if so, you are of course right. Jenkins project has
>> gotten a long list of library dependencies, and I haven't found any
>> practical means to get notified when vulnerabilities are found in any one
>> of them.
>>
>
> I understand. Is there any practical way you could not bundle
> dependencies? Then it would not be a problem. I don't know enough about
> Java's build system to know if this is possible.

A part of the problem is that Jenkins core is too big a piece that can 
be decomposed further down into smaller plugins. We've been doing that 
to chip away some of the dependencies, and plugins are somewhat easier 
to update than the core. So that's a progress.

But beyond that, the packaging and distribution model in Java is that 
each application brings the complete dependencies with it. Some other 
platforms do not do that (say Linux C ecosystem), but many others do 
(.NET, Ruby, Node.js, ...) This is not so much a problem of a build tool 
but more due to the user expectation (and perhaps lack of runtime 
package managers and stronger coupling between libraries?).

As such, I don't think this is changing any time soon, for better or worse.



-- 
Kohsuke Kawaguchi                          http://kohsuke.org/

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.