Pavel Roskin

**Nome do software vulnerável e versões afetadas** Plugin Jenkins Stash Branch Parameter, versões 0.3.0 e anteriores **Descrição** O problema diz respeito à transmissão de senhas configuradas em texto simples como parte do formulário de configuração global do Jenkins, o que pode resultar na exposição dessas senhas. Isso ocorre porque o Stash Branch Parameter Plugin armazena senhas da API do Stash em seu arquivo de configuração global `org.jenkinsci.plugins.StashBranchParameter.StashBranchParameterDefinition.xml` no controlador do Jenkins. Embora a senha seja armazenada criptografada no disco, ela é transmitida em texto simples como parte do formulário de configuração. Isso pode levar à exposição da senha por meio de extensões de navegador, vulnerabilidades de cross-site scripting e situações semelhantes. O problema afeta versões do Jenkins anteriores à 2.236, incluindo a 2.235.x LTS, devido à falta de criptografia e descriptografia transparentes dos dados usados para um campo de formulário de senha do Jenkins, recurso introduzido no Jenkins 2.236. **Recomendações** Para as versões 0.3.0 e anteriores do Jenkins Stash Branch Parameter Plugin, considere desativar o plugin até que um patch esteja disponível para impedir a transmissão de senhas configuradas em texto simples. Para versões do Jenkins anteriores à 2.236, incluindo a 2.235.x LTS, atualize para o Jenkins 2.236 ou posterior para se beneficiar do reforço de segurança que criptografa e descriptografa de forma transparente os dados usados no campo de senha do formulário do Jenkins.

**Name of the Vulnerable Software and Affected Versions** Debian GNU/Linux kernel versions prior to 2.6.13 SUSE Linux Enterprise kernel (affected versions not specified) **Description** The issue is related to multiple vulnerabilities in the kernel of Debian GNU/Linux and SUSE Linux Enterprise operating systems. These vulnerabilities can be exploited remotely, leading to a breach of confidentiality, integrity, and availability of protected information. The Orinoco driver in Linux kernel 2.6.13 and earlier does not properly clear memory from a previously used packet whose length is increased, allowing remote attackers to obtain sensitive information. **Recommendations** For Debian GNU/Linux kernel versions prior to 2.6.13, update to a version 2.6.13 or later to resolve the issue. For SUSE Linux Enterprise, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** linux-image-2.6.26-1-parisc-smp version 2.6.26-1 linux-image-2.6.26-1-486 version 2.6.26-1 linux-image-2.6.26-1-alpha-smp version 2.6.26-1 linux-headers-2.6.26-1-486 version 2.6.26-1 linux-headers-2.6.26-1-common-vserver version 2.6.26-1 linux-image-2.6.26-1-iop32x version 2.6.26-1 linux-headers-2.6.26-1-s390x version 2.6.26-1 linux-headers-2.6.26-1-all version 2.6.26-1 linux-headers-2.6.26-1-sparc64-smp version 2.6.26-1 linux-image-2.6.26-1-vserver-powerpc version 2.6.26-1 linux-headers-2.6.26-1-sparc64 version 2.6.26-1 linux-headers-2.6.26-1-r5k-cobalt version 2.6.26-1 linux-image-2.6.26-1-xen-amd64 version 2.6.26-1 linux-image-2.6.26-1-r5k-ip32 version 2.6.26-1 linux-image-2.6.26-1-5kc-malta version 2.6.26-1 linux-headers-2.6.26-1-parisc64-smp version 2.6.26-1 linux-image-2.6.26-1-vserver-686 version 2.6.26-1 linux-image-2.6.26-1-vserver-powerpc64 version 2.6.26-1 linux-image-2.6.26-1-vserver-itanium version 2.6.26-1 linux-image-2.6.26-1-alpha-generic version 2.6.26-1 linux-headers-2.6.26-1-powerpc version 2.6.26-1 linux-image-2.6.26-1-r4k-ip22 version 2.6.26-1 linux-headers-2.6.26-1-alpha-generic version 2.6.26-1 linux-image-2.6.26-1-vserver-mckinley version 2.6.26-1 linux-image-2.6.26-1-vserver-amd64 version 2.6.26-1 linux-headers-2.6.26-1-vserver-itanium version 2.6.26-1 linux-image-2.6.26-1-powerpc version 2.6.26-1 linux-headers-2.6.26-1-r5k-ip32 version 2.6.26-1 linux-headers-2.6.26-1-itanium version 2.6.26-1 linux-image-2.6.26-1-sb1-bcm91250a version 2.6.26-1 linux-headers-2.6.26-1-vserver-mckinley version 2.6.26-1 linux-headers-2.6.26-1-all-ia64 version 2.6.26-1 linux-headers-2.6.26-1-all-i386 version 2.6.26-1 linux-image-2.6.26-1-mckinley version 2.6.26-1 linux-headers-2.6.26-1-all-powerpc version 2.6.26-1 linux-image-2.6.26-1-vserver-686-bigmem version 2.6.26-1 linux-image-2.6.26-1-sparc64-smp version 2.6.26-1 linux-image-2.6.26-1-versatile version 2.6.26-1 linux-image-2.6.26-1-vserver-sparc64 version 2.6.26-1 linux-headers-2.6.26-1-vserver-686-bigmem version 2.6.26-1 linux-headers-2.6.26-1-all-hppa version 2.6.26-1 linux-image-2.6.26-1-parisc64-smp version 2.6.26-1 linux-headers-2.6.26-1-all-arm version 2.6.26-1 linux-headers-2.6.26-1-686-bigmem version 2.6.26-1 linux-headers-2.6.26-1-vserver-amd64 version 2.6.26-1 linux-image-2.6.26-1-amd64 version 2.6.26-1 linux-image-2.6.26-1-s390-tape version 2.6.26-1 linux-headers-2.6.26-1-all-mipsel version 2.6.26-1 linux-headers-2.6.26-1-xen-amd64 version 2.6.26-1 linux-headers-2.6.26-1-4kc-malta version 2.6.26-1 linux-headers-2.6.26-1-footbridge version 2.6.26-1 linux-headers-2.6.26-1-amd64 version 2.6.26-1 linux-headers-2.6.26-1-vserver-s390x version 2.6.26-1 linux-headers-2.6.26-1-parisc-smp version 2.6.26-1 linux-headers-2.6.26-1-iop32x version 2.6.26-1 linux-image-2.6.26-1-686 version 2.6.26-1 linux-support-2.6.26-1 version 2.6.26-1 linux-headers-2.6.26-1-xen-686 version 2.6.26-1 linux-image-2.6.26-1-powerpc-smp version 2.6.26-1 linux-headers-2.6.26-1-all-amd64 version 2.6.26-1 linux-headers-2.6.26-1-parisc version 2.6.26-1 linux-modules-2.6.26-1-xen-amd64 version 2.6.26-1 linux-image-2.6.26-1-sb1a-bcm91480b version 2.6.26-1 linux-image-2.6.26-1-r5k-cobalt version 2.6.26-1 linux-headers-2.6.26-1-vserver-sparc64 version 2.6.26-1 linux-headers-2.6.26-1-common-openvz version 2.6.26-1 linux-headers-2.6.26-1-openvz-amd64 version 2.6.26-1 linux-image-2.6.26-1-alpha-legacy version 2.6.26-1 linux-image-2.6.26-1-openvz-686 version 2.6.26-1 linux-headers-2.6.26-1-s390 version 2.6.26-1 linux-headers-2.6.26-1-vserver-powerpc version 2.6.26-1 linux-image-2.6.26-1-vserver-s390x version 2.6.26-1 linux-image-2.6.26-1-xen-686 version 2.6.26-1 linux-headers-2.6.26-1-versatile version 2.6.26-1 linux-headers-2.6.26-1-vserver-powerpc64 version 2.6.26-1 linux-headers-2.6.26-1-common version 2.6.26-1 linux-image-2.6.26-1-footbridge version 2.6.26-1 linux-image-2.6.26-1-parisc64 version 2.6.26-1 linux-headers-2.6.26-1-alpha-legacy version 2.6.26-1 linux-image-2.6.26-1-686-bigmem version 2.6.26-1 linux-headers-2.6.26-1-all-armel version 2.6.26-1 linux-headers-2.6.26-1-all-alpha version 2.6.26-1 linux-headers-2.6.26-1-r4k-ip22 version 2.6.26-1 linux-headers-2.6.26-1-sb1a-bcm91480b version 2.6.26-1 linux-headers-2.6.26-1-common-xen version 2.6.26-1 linux-image-2.6.26-1-s390x version 2.6.26-1 linux-headers-2.6.26-1-mckinley version 2.6.26-1 linux-image-2.6.26-1-parisc version 2.6.26-1 linux-headers-2.6.26-1-orion5x version 2.6.26-1 linux-headers-2.6.26-1-openvz-686 version 2.6.26-1 linux-headers-2.6.26-1-vserver-686 version 2.6.26-1 linux-image-2.6.26-1-sparc64 version 2.6.26-1 linux-headers-2.6.26-1-powerpc64 version 2.6.26-1 linux-image-2.6.26-1-itanium version 2.6.26-1 linux-image-2.6.26-1-orion5x version 2.6.26-1 linux-headers-2.6.26-1-ixp4xx version 2.6.26-1 linux-headers-2.6.26-1-all-sparc version 2.6.26-1 linux-image-2.6.26-1-openvz-amd64 version 2.6.26-1 linux-image-2.6.26-1-ixp4xx version 2.6.26-1 linux-headers-2.6.26-1-parisc64 version 2.6.26-1 linux-headers-2.6.26-1-powerpc-smp version 2.6.26-1 linux-headers-2.6.26-1-all-s390 version 2.6.26-1 linux-headers-2.6.26-1-5kc-malta version 2.6.26-1 linux-image-2.6.26-1-powerpc64 version 2.6.26-1 linux-modules-2.6.26-1-xen-686 version 2.6.26-1 linux-headers-2.6.26-1-sb1-bcm91250a version 2.6.26-1 linux-image-2.6.26-1-s390 version 2.6.26-1 linux-image-2.6.26-1-4kc-malta version 2.6.26-1 linux-headers-2.6.26-1-686 version 2.6.26-1 linux-headers-2.6.26-1-all-mips version 2.6.26-1 **Description** The issue affects the Linux kernel, allowing local users to cause a denial of service (system crash) via a read system call that specifies zero bytes from the `image type` or `packet size` file in `/sys/devices/platform/dell rbu/`. The vulnerability can be exploited remotely. It may lead to a violation of confidentiality, integrity, and availability of protected information. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.