Upgrade Jenkins to 2.73.2 (security release)
Closed, Resolved · Public

Description

We've released new versions of Jenkins and Swarm Plugin today to fix several security vulnerabilities.

These vulnerabilities affect all previous releases:

  • weekly releases up to and including 2.83
  • LTS releases up to and including 2.73.1
  • Swarm Plugin (client) up to and including 3.4

We recommend updating to the new releases:

  • Jenkins weekly 2.84
  • Jenkins LTS 2.73.2
  • Swarm Plugin (client) 3.5

Additionally, the recently released Maven Plugin 3.0 fixes a vulnerability, and distribution of Speaks! Plugin has been suspended due to a vulnerability for which there is no fix available.

Please see the advisory for more details: https://jenkins.io/security/advisory/2017-10-11/

  • Maven Plugin up to and including 2.17
  • some arbitrary execution command on the master (we are not affected)
  • Update to commons-httpclient which is bundled in several plugins

hashar created this task. Oct 11 2017, 4:09 PM
hashar updated the task description. Oct 11 2017, 4:10 PM

Mentioned in SAL (#wikimedia-operations) [2017-10-11T16:12:07Z] <hasharAway> Upgrading Jenkins CI T177962

Installed on contint1001/contint2001 from http://pkg.jenkins-ci.org/debian-stable/binary/jenkins_2.73.2_all.deb

@MoritzMuehlenhoff could you upload it to apt.wikimedia.org please? reprepro should be able to handle all the magic.

Then we would want an apt-get upgrade on releases1001.eqiad.wmnet and releases2001.codfw.wmnet

Mentioned in SAL (#wikimedia-operations) [2017-10-11T16:24:41Z] <hasharAway> Upgrade jenkins Maven integration plugin to 3.0 - T177962

hashar triaged this task as High priority.

I've uploaded 2.73.2 to apt.wikimedia.org

hashar closed this task as Resolved. Oct 11 2017, 7:28 PM
hashar added a subscriber: Dzahn.

21:27:51 <@Dzahn> !log releases2001 - upgraded jenkins to 2.73.2, kept existing config (vs overwriting with package config)

:)

Mentioned in SAL (#wikimedia-operations) [2017-10-11T19:29:24Z] <mutante> releases1001 - same as 2001, upgraded jenkins to 2.73.2, kept existing config (T177962)

Dzahn added a comment. Oct 11 2017, 8:09 PM

19:20 mutante: apt: reprepro copy stretch-wikimedia jessie-wikimedia jenkins