Acknowledgement sent
to yann@pleiades.fr.eu.org (root):
New Bug report received and forwarded. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>.
Your message did not contain a Subject field. They are recommended and
useful because the title of a Bug is determined using this field.
Please remember to include a Subject field in your messages in future.
Subject: jenkins-tomcat: Secure and HttpOnly flags are not set for cookies with Jenkins on Tomcat
Package: jenkins-tomcat
Version: 1.565.3-2.1
Severity: grave
Tags: security
Dear Maintainer,
The Jenkins currently shipped with Debian doesn't correctly set the HttpOnly and
Secure options on session cookies.
The first option prohibits the cookies from being read by scripts, thus preventing
XSS vulnerabilities from stealing sessions.
The second option prohibits the session cookie from being sent over a clear HTTP connection,
thus preventing malevolent users from stealing the session cookie while redirecting users to
HTTP access.
There is already an upstream bug for this problem located at this url:
https://issues.jenkins-ci.org/browse/JENKINS-25019
with a proposed fix that only addresses the HttpOnly issue for Tomcat.
The problem is reported in Tomcat log with the following lines:
WARNING: Failed to set secure cookie flag
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at jenkins.model.JenkinsLocationConfiguration.updateSecureSessionFlag(JenkinsLocationConfiguration.java:123)
at jenkins.model.JenkinsLocationConfiguration.load(JenkinsLocationConfiguration.java:71)
at jenkins.model.JenkinsLocationConfiguration.<init>(JenkinsLocationConfiguration.java:46)
at jenkins.model.JenkinsLocationConfiguration$$FastClassByGuice$$a6785528.newInstance(<generated>)
at net.sf.cglib.reflect.FastConstructor.newInstance(FastConstructor.java:40)
at com.google.inject.internal.DefaultConstructionProxyFactory$1.newInstance(DefaultConstructionProxyFactory.java:61)
at hudson.ExtensionFinder$GuiceFinder$FaultTolerantScope$1.get(ExtensionFinder.java:429)
[...]
at org.apache.coyote.http11.Http11NioProtocol$Http11ConnectionHandler.process(Http11NioProtocol.java:222)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1566)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1523)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.IllegalStateException: Property HttpOnly can not be added to SessionCookieConfig for context /jenkins as the context has been initialised
at org.apache.catalina.core.ApplicationSessionCookieConfig.setHttpOnly(ApplicationSessionCookieConfig.java:107)
... 90 more
Thanks in advance for your help on this issue.
Yann Rouillard
-- System Information:
Debian Release: jessie/sid
APT prefers testing-updates
APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16-2-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages jenkins-tomcat depends on:
ii jenkins-common 1.565.3-2
ii tomcat8 8.0.14-1
jenkins-tomcat recommends no packages.
jenkins-tomcat suggests no packages.
-- Configuration Files:
/etc/jenkins/jenkins-tomcat.xml changed [not included]
-- no debconf information
Severity set to 'important' from 'grave'
Request was from yann@pleiades.fr.eu.org (Debian)
to control@bugs.debian.org.
(Sat, 15 Nov 2014 15:51:18 GMT)
Changed Bug title to 'jenkins-tomcat: Secure and HttpOnly flags are not set for cookies with Jenkins on Tomcat' from '(no subject)'
Request was from yann@pleiades.fr.eu.org (Debian)
to control@bugs.debian.org.
(Sat, 15 Nov 2014 15:54:09 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#769682; Package jenkins-tomcat.
(Sat, 15 Nov 2014 17:24:08 GMT)
Acknowledgement sent
to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>.
(Sat, 15 Nov 2014 17:24:08 GMT)
Subject: Re: Bug#769682: Secure and HttpOnly flags are not set for cookies with Jenkins on Tomcat
Date: Sat, 15 Nov 2014 18:21:16 +0100
> There is already an upstream bug for this problem located at this url:
> https://issues.jenkins-ci.org/browse/JENKINS-25019
> with a proposed fix that only addresses the HttpOnly issue for Tomcat.
Why isn't the missing “secure” flag a Tomcat configuration issue?
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#769682; Package jenkins-tomcat.
(Mon, 17 Nov 2014 21:24:04 GMT)
Acknowledgement sent
to Yann Rouillard <yann@pleiades.fr.eu.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>.
(Mon, 17 Nov 2014 21:24:04 GMT)
Hi Florian,
Yes it could be seen that way, as we discussed with Emmanuel during the
Paris BSP today, but in fact it's even better: I checked and there is no
problem with Tomcat, as the Secure flag is already automatically set
with the default configuration:
- if Tomcat is accessed through the HTTPS connector, all cookies are
secure thanks to the connector Secure option which is set by default,
- if Tomcat is accessed through the AJP13 connector, Apache (or another
webserver) transfers through the AJP protocol the information whether the
connection was through SSL or not, and Tomcat uses it to set the Secure flag
accordingly.
So the upstream patch perfectly solves the issue and I was able to apply it
successfully on the current package source:
https://github.com/yannrouillard/pkg-jenkins
Yann
2014-11-15 18:21 GMT+01:00 Florian Weimer <fw@deneb.enyo.de>:
> > There is already an upstream bug for this problem located at this url:
> > https://issues.jenkins-ci.org/browse/JENKINS-25019
> > with a proposed fix that only addresses the HttpOnly issue for Tomcat.
>
> Why isn't the missing “secure” flag a Tomcat configuration issue?
>
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#769682; Package jenkins-tomcat.
(Mon, 17 Nov 2014 21:27:21 GMT)
Acknowledgement sent
to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>.
(Mon, 17 Nov 2014 21:27:21 GMT)
Subject: Re: Bug#769682: Secure and HttpOnly flags are not set for cookies with Jenkins on Tomcat
Date: Mon, 17 Nov 2014 22:24:25 +0100
* Yann Rouillard:
> Yes it could be seen that way, as we discussed with Emmanuel during the
> Paris BSP today, but in fact it's even better: I checked and there is no
> problem with Tomcat, as the Secure flag is already automatically set
> with the default configuration:
>
> - if Tomcat is accessed through the HTTPS connector, all cookies are
> secure thanks to the connector Secure option which is set by default,
> - if Tomcat is accessed through the AJP13 connector, Apache (or another
> webserver) transfers through the AJP protocol the information whether the
> connection was through SSL or not, and Tomcat uses it to set the Secure flag
> accordingly.
Can you check that it's possible to force the secure flag with an HTTP
connector? Some load-balancer-based setups need this (although direct
HTTP connections from a browser will not work, obviously).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>: Bug#769682; Package jenkins-tomcat.
(Mon, 17 Nov 2014 21:54:09 GMT)
Acknowledgement sent
to Yann Rouillard <yann@pleiades.fr.eu.org>:
Extra info received and forwarded to list. Copy sent to Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>.
(Mon, 17 Nov 2014 21:54:09 GMT)
Subject: Re: Bug#769682: Secure and HttpOnly flags are not set for cookies with Jenkins on Tomcat
Date: Mon, 17 Nov 2014 22:51:42 +0100
> Can you check that it's possible to force the secure flag with an HTTP
> connector? Some load-balancer-based setups need this (although direct
> HTTP connections from a browser will not work, obviously).
I can confirm that it is possible: you just have to add
'secure="true"' in the HTTP connector configuration.
Yann
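The following is an added example, not part of this bug report nor of the Jenkins or Tomcat code: a small audit script that parses the Set-Cookie headers of a response and reports whether the session cookie carries the HttpOnly flag (the attribute the backported patch fixes) and the Secure flag (the attribute Florian and Yann discuss for HTTPS, AJP and load-balanced HTTP connectors). It assumes the session cookie name starts with JSESSIONID, as Tomcat's does; the sample header sets are constructed, and the optional live fetch uses only the standard library.

```python
"""Audit a Jenkins session cookie for the HttpOnly and Secure flags.

Added example for Debian bug #769682; not code from the bug report,
Jenkins or Tomcat. The Set-Cookie samples below are constructed.
"""
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Assumption: Tomcat names the servlet session cookie JSESSIONID
# (Jenkins on its embedded container uses a JSESSIONID.<suffix> variant).
SESSION_COOKIE_PREFIX = "JSESSIONID"


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes without a value
    (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def missing_flags(attrs, public_scheme):
    """Return the flags a session cookie should carry but does not.

    HttpOnly is always expected. Secure is expected whenever the browser
    reaches the site over https, even if a load balancer talks plain HTTP
    to Tomcat (the case where the connector needs secure="true").
    """
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if public_scheme == "https" and "secure" not in attrs:
        missing.append("Secure")
    return missing


def audit_response(headers, public_scheme):
    """Map each session cookie name found in headers to its missing flags.

    headers: list of (name, value) pairs as received from the server.
    public_scheme: the scheme the browser uses ("http" or "https").
    """
    findings = {}
    for hdr_name, hdr_value in headers:
        if hdr_name.lower() != "set-cookie":
            continue
        cookie_name, _, attrs = parse_set_cookie(hdr_value)
        if not cookie_name.upper().startswith(SESSION_COOKIE_PREFIX):
            continue
        findings[cookie_name] = missing_flags(attrs, public_scheme)
    return findings


def fetch_headers(url):
    """Fetch the response headers of url (a 4xx/5xx reply still has them)."""
    try:
        with urlopen(Request(url, method="HEAD")) as resp:
            return list(resp.getheaders())
    except HTTPError as err:
        return list(err.headers.items())


# Constructed samples (not captured from a real Jenkins instance).
# Unpatched Jenkins behind Tomcat's HTTPS connector: Secure set by the
# connector default, HttpOnly missing because the servlet-level call failed.
SAMPLE_UNPATCHED_HTTPS = [
    ("Content-Type", "text/html;charset=UTF-8"),
    ("Set-Cookie", "JSESSIONID=ABC123; Path=/jenkins; Secure"),
]
# Patched Jenkins on the same connector.
SAMPLE_PATCHED_HTTPS = [
    ("Set-Cookie", "JSESSIONID=ABC123; Path=/jenkins; Secure; HttpOnly"),
]
# Patched Jenkins behind an HTTPS load balancer that talks plain HTTP to
# a connector without secure="true": Tomcat cannot know the client used TLS.
SAMPLE_BEHIND_LB = [
    ("Set-Cookie", "JSESSIONID=ABC123; Path=/jenkins; HttpOnly"),
    ("Set-Cookie", "tracking=1; Path=/"),
]

if __name__ == "__main__":
    for label, headers in [("unpatched/https", SAMPLE_UNPATCHED_HTTPS),
                           ("patched/https", SAMPLE_PATCHED_HTTPS),
                           ("behind LB", SAMPLE_BEHIND_LB)]:
        print(label, audit_response(headers, "https"))
```

To check a live instance, pass the result of `fetch_headers("https://jenkins.example.invalid/jenkins/login")` (placeholder URL) to `audit_response` with the scheme the browser sees; a page that does not create a session returns no JSESSIONID cookie and therefore no finding, so pick a page that does.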
Reply sent
to Emmanuel Bourg <ebourg@apache.org>:
You have taken responsibility.
(Fri, 05 Dec 2014 11:51:19 GMT)
Notification sent
to yann@pleiades.fr.eu.org (root):
Bug acknowledged by developer.
(Fri, 05 Dec 2014 11:51:19 GMT)
Source: jenkins
Source-Version: 1.565.3-3
We believe that the bug you reported is fixed in the latest version of
jenkins, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 769682@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Emmanuel Bourg <ebourg@apache.org> (supplier of updated jenkins package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 05 Dec 2014 12:27:57 +0100
Source: jenkins
Binary: libjenkins-java libjenkins-plugin-parent-java jenkins-common jenkins jenkins-slave jenkins-external-job-monitor jenkins-cli jenkins-tomcat
Architecture: source all
Version: 1.565.3-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Emmanuel Bourg <ebourg@apache.org>
Description:
jenkins - Continuous Integration and Job Scheduling Server
jenkins-cli - Jenkins CI Command Line Interface
jenkins-common - Jenkins common Java components and web application
jenkins-external-job-monitor - Jenkins CI external job monitoring
jenkins-slave - Jenkins slave node helper
jenkins-tomcat - Jenkins CI on Tomcat 8
libjenkins-java - Jenkins CI core Java libraries
libjenkins-plugin-parent-java - Jenkins Plugin Parent Maven POM
Closes: 726489 769594 769682
Changes:
jenkins (1.565.3-3) unstable; urgency=medium
.
* Team upload.
.
[ Yann Rouillard ]
* Added dependency on libcglib3-java to fix NoClassDefFoundError at runtime.
* Removed Context Resource symlinks directives as they don't work anymore in
Tomcat 8 and are not required for Jenkins (Closes: #769594)
* Removed useless properties Debug and AllowLinking in Context definition
to suppress warnings in Tomcat logs.
* Backported upstream patch to ensure HttpOnly cookie flag is properly set
and avoid warning messages about Security cookie flag (Closes: #769682)
.
[ Emmanuel Bourg ]
* Documented the security issue with master/slave setups (CVE-2014-3665)
* Documented in /etc/default/jenkins how to run Jenkins
on non local addresses (Closes: #726489)
Checksums-Sha1:
99b07e79094bd6a64deb9160e873c5bc82ee76d7 4857 jenkins_1.565.3-3.dsc
4d996a6049b22f6d53acec6bc8825363ebc6d3a4 45048 jenkins_1.565.3-3.debian.tar.xz
789063e36113218ad106553f1c6db8b2a3bd3181 6459440 libjenkins-java_1.565.3-3_all.deb
7f6275dc8a94f361d5180a1e3515707e5b9c10f2 17118 libjenkins-plugin-parent-java_1.565.3-3_all.deb
0f93987dae4934d3f9f9bf306dfaa9e00501b4ad 39293706 jenkins-common_1.565.3-3_all.deb
e08712c110b2c84942708cb87cc7cc3b5215130d 21578 jenkins_1.565.3-3_all.deb
69634fcfe7e1f10c93b529c6cd6e8b32c4124ae6 20320 jenkins-slave_1.565.3-3_all.deb
dd0306e96a9dcb33370f68ea97406df58ef1a714 17148 jenkins-external-job-monitor_1.565.3-3_all.deb
e2d3afd5ff8f0f57450a777de7d6156bbe0e0957 863332 jenkins-cli_1.565.3-3_all.deb
ca2b2d1802d506c3d06b9d3e0d3ea3f5aa924043 17120 jenkins-tomcat_1.565.3-3_all.deb
Checksums-Sha256:
353e90e12f57fefade71528ded5ebd5e4e58c275fdeb75d19a6913fd4a6c20c5 4857 jenkins_1.565.3-3.dsc
a044d1940be12a128258e6b89fafacf27e05fb2f61dafa84579e0c98e1f88878 45048 jenkins_1.565.3-3.debian.tar.xz
510c9736a583f86b368e7fe3aca7b58cc656b128d9231fbbb51aa62accbdce4e 6459440 libjenkins-java_1.565.3-3_all.deb
e2fc7459c33088e5ce2386a8b4dd1310b45bef33c92ce86750def50c9259a7b1 17118 libjenkins-plugin-parent-java_1.565.3-3_all.deb
d5f574619431c53b6e64dea5d2432afc42c2a83d802c96ceee1d38f9f52445ec 39293706 jenkins-common_1.565.3-3_all.deb
82008264dd82366bfa773be6ffc554b02e46259818c04530cbbd928811847935 21578 jenkins_1.565.3-3_all.deb
765fa076cac5d8293d48f60efdc8ed6776b8c0b613fdbdf44c177d1739bdb93f 20320 jenkins-slave_1.565.3-3_all.deb
a94a0ad924550c74bf71018623a668a86f526e0806bfad8de09859df63afc3cb 17148 jenkins-external-job-monitor_1.565.3-3_all.deb
e7d4005d720975f87c7ad11eeadbdd20c9ca1f71bd8d2c401c37999991cd7714 863332 jenkins-cli_1.565.3-3_all.deb
c32479fc222f7f80c5e9c38ecec76c6a543630e91e73524f00cff4b2eac9ab6b 17120 jenkins-tomcat_1.565.3-3_all.deb
Files:
e2d1e2f9b2a52916877d92fff7ac02fa 4857 java optional jenkins_1.565.3-3.dsc
fcf6e6653e1b6fdfe04c3ba582a1de46 45048 java optional jenkins_1.565.3-3.debian.tar.xz
3a7f50d82bd3d5ba4f1e38b8497f954b 6459440 java optional libjenkins-java_1.565.3-3_all.deb
9c493a76674c2af572b8423a4657a26e 17118 java optional libjenkins-plugin-parent-java_1.565.3-3_all.deb
730d8f5784ffadd2fbf2051fb5c2fbf7 39293706 java optional jenkins-common_1.565.3-3_all.deb
b89dd6544d79f4c13be67772acc2abb9 21578 java optional jenkins_1.565.3-3_all.deb
e8c5cdaa74b192a3a062f5a1cdac2bb0 20320 java optional jenkins-slave_1.565.3-3_all.deb
5e0925acb1b585879d373a73d38d3a04 17148 java optional jenkins-external-job-monitor_1.565.3-3_all.deb
eb7222dfefdcea15abc062277375af12 863332 java optional jenkins-cli_1.565.3-3_all.deb
f0255aefc8c7b89a7974c56dafb66ef6 17120 java optional jenkins-tomcat_1.565.3-3_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

[...]
=wrRi
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sat, 03 Jan 2015 07:33:42 GMT)
Debbugs is free software and licensed under the terms of the GNU General
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.