Name | CVE-2014-3665 |
Description | Jenkins before 1.587 and LTS before 1.580.1 do not properly ensure trust separation between a master and slaves, which might allow remote attackers to execute arbitrary code on the master by leveraging access to the slave. |
Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Debian Bugs | 767541 |
The information below is based on the following data on fixed versions.
Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
---|---|---|---|---|---|---|
jenkins | source | (unstable) | (unfixed) | | | 767541 |
Notes
[jessie] - jenkins <no-dsa> (Backport not feasible, insecure feature is documented as such)
For jessie, the backport is too intrusive, and since it's a corner case, it's only documented:
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-30