<div dir="ltr">Hi,<div><br></div><div>Thanks! I ran the hotfix and will look into further details.</div><div><br></div><div>Mark</div></div><br><div class="gmail_quote"><div dir="ltr">On Tue, Nov 10, 2015 at 7:55 AM Åke Sandgren &lt;<a href="mailto:ake.sandgren@hpc2n.umu.se">ake.sandgren@hpc2n.umu.se</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi!<br>
<br>
In case you haven&#39;t seen this yet.<br>
<br>
==================<br>
Please assign a CVE to this issue:<br>
<br>
Remote code execution vulnerability due to unsafe deserialization in<br>
Jenkins remoting<br>
Unsafe deserialization allows unauthenticated remote attackers to run<br>
arbitrary code on the Jenkins master.<br>
This is tracked as SECURITY-218 in the Jenkins project. All current<br>
Jenkins releases are affected.<br>
<br>
Public exploit:<br>
<a href="http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#jenkins" rel="noreferrer" target="_blank">http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#jenkins</a><br>
<br>
Temporary workaround:<br>
<a href="https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli" rel="noreferrer" target="_blank">https://jenkins-ci.org/content/mitigating-unauthenticated-remote-code-execution-0-day-jenkins-cli</a><br>
<br>
A related issue is being discussed here:<br>
<a href="http://www.openwall.com/lists/oss-security/2015/11/09/1" rel="noreferrer" target="_blank">http://www.openwall.com/lists/oss-security/2015/11/09/1</a><br>
Jenkins is affected by both this and the Groovy variant in &#39;ysoserial&#39;.<br>
<br>
We plan to release a fix for this as part of our planned security update<br>
on Wednesday.<br>
<br>
==================<br>
<br>
--<br>
Ake Sandgren, HPC2N, Umea University, S-90187 Umea, Sweden<br>
Internet: <a href="mailto:ake@hpc2n.umu.se" target="_blank">ake@hpc2n.umu.se</a>   Phone: +46 90 7866134 Fax: +46 90-580 14<br>
Mobile: +46 70 7716134 WWW: <a href="http://www.hpc2n.umu.se" rel="noreferrer" target="_blank">http://www.hpc2n.umu.se</a><br>
--<br>
Gromacs Developers mailing list<br>
</blockquote></div>