https://en.wikipedia.org/wiki/Poodle[image:https://upload.wikimedia.org/wikipedia/commons/thumb/0/02/Freddie_%288467901543%29.jpg/160px-Freddie_%288467901543%29.jpg[image]]

Another day, another SSL vulnerability! Google has https://poodle.io/[announced a vulnerability in SSL v3]. If you are using the "Winstone" servlet container built into Jenkins with the HTTPS connector enabled through the `+--httpsPort+` option (it is off by default), then you are vulnerable to this problem.

I've just issued link:/security/advisory/2014-10-15/[a security advisory] on this. If you haven't already subscribed to https://wiki.jenkins.io/display/JENKINS/Security+Advisories[the Jenkins security advisory mailing list], this is a great opportunity to do so.

The advisory includes the target delivery vehicles for the fix and how you can address the problem in the meantime. Inside a corporate intranet, where Jenkins is typically used, I suppose there's a degree of trust among participants to make this less of a problem. But if you run an internet-facing Jenkins, be sure to deploy the fix.

(And as I write this, I've fixed all the `+https://*.jenkins-ci.org+` servers to disable SSLv3, so we are covered there.)
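
One way to confirm that your own Jenkins HTTPS port no longer negotiates SSLv3, before and after applying the fix. This is an added example, not code from the Jenkins project or the advisory; the function names and the small set of RSA cipher suites it offers are assumptions, so a server that only speaks SSLv3 with other suites would show up as `rejected`.

```python
import os
import socket
import sys

SSL3 = b"\x03\x00"  # SSLv3 version bytes on the wire
# Assumed offer list: RSA_AES_128_CBC_SHA, RSA_AES_256_CBC_SHA,
# RSA_3DES_EDE_CBC_SHA, RSA_RC4_128_SHA
CIPHERS = bytes.fromhex("002f0035000a0005")


def build_client_hello():
    """Return one record carrying a ClientHello that offers SSLv3 only."""
    body = (SSL3 + os.urandom(32)                     # client_version, random
            + b"\x00"                                   # empty session id
            + len(CIPHERS).to_bytes(2, "big") + CIPHERS
            + b"\x01\x00")                              # compression: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + SSL3 + len(handshake).to_bytes(2, "big") + handshake


def classify_reply(data):
    """Classify the first bytes the server sent back."""
    if len(data) < 5:
        return "no-reply"
    if data[0] == 0x15:                                 # alert record: refused
        return "rejected"
    # Handshake record whose first message is a ServerHello choosing 3.0
    if (data[0] == 0x16 and len(data) >= 11
            and data[5] == 0x02 and data[9:11] == SSL3):
        return "sslv3-accepted"
    return "unexpected"


def probe(host, port, timeout=5.0):
    """Send the SSLv3-only ClientHello to host:port and classify the answer."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_client_hello())
            return classify_reply(sock.recv(4096))
    except OSError:                                     # reset, refused, timeout
        return "no-reply"


if __name__ == "__main__":
    # Arguments: your Jenkins host and the port given to --httpsPort
    host, port = sys.argv[1], int(sys.argv[2])
    print(host, port, probe(host, port))
```

A result of `sslv3-accepted` means the connector still completes the first step of an SSLv3 handshake; `rejected` or `no-reply` is what a server with SSLv3 disabled returns to this hello.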