[Box-Admins] Jenkins vulnerability

Frank Shearar frank.shearar at gmail.com
Wed Jan 9 08:56:44 UTC 2013


On 8 January 2013 22:17, Frank Shearar <frank.shearar at gmail.com> wrote:
> On 08 Jan 2013, at 21:46, Chris Cunnington <smalltalktelevision at gmail.com> wrote:
>
>> On 2013-01-08 4:42 PM, Frank Shearar wrote:
>>> On 8 January 2013 21:09, Chris Cunnington <smalltalktelevision at gmail.com> wrote:
>>>> On 2013-01-08 4:00 PM, Frank Shearar wrote:
>>>>> On 8 January 2013 20:48, Chris Cunnington <smalltalktelevision at gmail.com>
>>>>> wrote:
>>>>>> On 2013-01-08 3:44 PM, Frank Shearar wrote:
>>>>>>>
>>>>>>>
>>>>>>> https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-01-04
>>>>>>>
>>>>>>> There's an action-to-be-taken message in the management console for
>>>>>>> Jenkins. I haven't pushed the button for it yet (mainly because I'm
>>>>>>> not sure it's me who should be deciding this).
>>>>>>>
>>>>>>> frank
>>>>>> Can you initiate an update to Jenkins 1.498? That might be the easiest
>>>>>> thing.
>>>>> We're already on 1.498, according to the About Jenkins page.
>>>>>
>>>>> frank
>>>>>
>>>>>> Chris
>>>> OK, the encryption data is being re-keyed in the background now.
>>>>
>>>> Chris
>>> Cool. Wonder just how much longer it's going to take :/.
>>>
>>> frank
>> I looked at the log and it seemed already to be over. Is there a sign that it's still doing it?
>> Ah, you have a queue. I'm not sure why it's doing that, as I'm confident the process is over.
>>
>> Chris
>
> I'll have to look at it tomorrow. My build slaves are being challenged and they weren't before: they're getting 403s to the slave-agent jar they need.

OK, it's because we've (pretty reasonably) stopped anonymous reads, so
build slaves must now authenticate through magic like

java -classpath commons-codec-1.7.jar -jar slave.jar -jnlpUrl http://squeakci.org/computer/angband/slave-agent.jnlp -jnlpCredentials username:password

The codec jar comes from here:
http://mirrors.enquira.co.uk/apache//commons/codec/binaries/commons-codec-1.7-bin.tar.gz

But now I'm getting weirder errors:

SEVERE: I/O error in channel channel
java.io.IOException: Unexpected termination of the channel
        at hudson.remoting.SynchronousCommandTransport$ReaderThread.run(SynchronousCommandTransport.java:50)

Sigh.

frank
