user data security issues in Jenkins

Already fixed in quantal (1.466.2).

I've contact upstream for guidance on resolving this issue in the version for oneiric and precise; prior security issues have been easy to cherry pick but these two are not obvious.

Update for precise; same set of upstream commits as in 1.466.2 but rebased against 1.424.6 codebase.

Thanks for the debdiff! I don't seem to be able to verify the upstream patch, but in general, it looks ok (there was a typo in the patch metadata, but I fixed that).

In terms of testing, the testsuite passes with no added failures, errors or skipped tests. James, is the testsuite good enough for publishing to the archive or would you like me to make these packages available to you?

Jamie - I'll give them a sniff if thats OK with you.

Ok, uploaded to https://launchpad.net/~ubuntu-security-proposed/+archive/ppa/+packages. Please test and give feedback here.

Hi Jamie

I gave the package in the PPA a good test this evening - all looks OK to me.

Thanks!

This bug was fixed in the package jenkins - 1.424.6+dfsg-1ubuntu0.1

---------------
jenkins (1.424.6+dfsg-1ubuntu0.1) precise-security; urgency=low

  * SECURITY UPDATE: Remote code execution and XSS vulnerabilities
    in Jenkins core (LP: #1055416):
    - d/p/security/CVE-2012-4438_CVE-2012-4439.patch: Cherry picked
      fixes from 1.466.2 release to resolve remote code execution
      and XSS security vulnerabilities.
    - http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-09-17.cb
    - CVE-2012-4438
    - CVE-2012-4439
 -- James Page <email address hidden> Tue, 25 Sep 2012 13:32:05 +0100

Thank you for reporting this bug to Ubuntu. oneiric has reached EOL
(End of Life) for this package and is no longer supported. As
a result, this bug against oneiric is being marked "Won't Fix".
Please see https://wiki.ubuntu.com/Releases for currently
supported Ubuntu releases.

Please feel free to report any other bugs you may find.