Jenkins Radiator View Plugin 1.29 and earlier does not escape the full name of the jobs in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

This advisory announces vulnerabilities in the following Jenkins deliverables:

*   android-lint Plugin
*   Blue Ocean Plugin
*   chosen-views-tabbar Plugin
*   ClearCase Release Plugin
*   computer-queue-plugin Plugin
*   Copy data to workspace Plugin
*   Coverage/Complexity Scatter Plot Plugin
*   Custom Job Icon Plugin
*   Description Column Plugin
*   ElasTest Plugin
*   Email Extension Plugin
*   Health Advisor by CloudBees Plugin
*   Locked Files Report Plugin
*   Mailer Plugin
*   MongoDB Plugin
*   Perfecto Plugin
*   Pipeline Maven Integration Plugin
*   Radiator View Plugin
*   Selection tasks Plugin
*   Storable Configs Plugin
*   Validating String Parameter Plugin

**Descriptions****Missing hostname validation in Mailer Plugin**

**SECURITY-1813 / CVE-2020-2252**  
**Severity (CVSS):** Medium  
**Affected plugin: mailer**  
**Description:**

Mailer Plugin 1.32 and earlier does not perform hostname validation when connecting to the configured SMTP server. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections.

Mailer Plugin 1.32.1 validates the SMTP hostname when connecting via TLS by default. In Mailer Plugin 1.32 and earlier, administrators can set the Java system property mail.smtp.ssl.checkserveridentity to true on startup to enable this protection.

In case of problems, this protection can be disabled again by setting the Java system property mail.smtp.ssl.checkserveridentity to false on startup.

**Missing hostname validation in Email Extension Plugin**

**SECURITY-1851 / CVE-2020-2253**  
**Severity (CVSS):** Medium  
**Affected plugin: email-ext**  
**Description:**

Email Extension Plugin 2.75 and earlier does not perform hostname validation when connecting to the configured SMTP server. This lack of validation could be abused using a man-in-the-middle attack to intercept these connections.

Email Extension Plugin 2.76 validates the SMTP hostname when connecting via TLS by default. In Email Extension Plugin 2.75 and earlier, administrators can set the Java system property mail.smtp.ssl.checkserveridentity to true on startup to enable this protection. Alternatively, this protection can be enabled (or disabled in the new version) via the 'Advanced Email Properties' field in the plugin’s configuration in Configure System.

In case of problems, this protection can be disabled again by setting mail.smtp.ssl.checkserveridentity to false using either method.

**Path traversal vulnerability in Blue Ocean Plugin**

**SECURITY-1956 / CVE-2020-2254**  
**Severity (CVSS):** Medium  
**Affected plugin: blueocean**  
**Description:**

Blue Ocean Plugin 1.23.2 and earlier provides an undocumented feature flag, blueocean.features.GIT_READ_SAVE_TYPE, that when set to the value clone allows an attacker with Item/Configure or Item/Create permission to read arbitrary files on the Jenkins controller file system.

Blue Ocean Plugin 1.23.3 no longer includes this feature and redirects existing usage to a safer alternative.

**Missing permission check in Blue Ocean Plugin**

**SECURITY-1961 / CVE-2020-2255**  
**Severity (CVSS):** Medium  
**Affected plugin: blueocean**  
**Description:**

**Updated 2020-09-16:** _This entry previously misidentified the problematic behavior. The HTTP request itself is legitimate, but only authorized users should be able to perform it._

Blue Ocean Plugin 1.23.2 and earlier does not perform permission checks in several HTTP endpoints implementing connection tests.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL.

Blue Ocean Plugin 1.23.3 requires Item/Create permission to perform these connection tests.

**Stored XSS vulnerability in upstream cause in Pipeline Maven Integration Plugin**

**SECURITY-1976 / CVE-2020-2256**  
**Severity (CVSS):** High  
**Affected plugin: pipeline-maven**  
**Description:**

Pipeline Maven Integration Plugin 3.9.2 and earlier does not escape the upstream job’s display name shown as part of a build cause.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Pipeline Maven Integration Plugin 3.9.3 escapes upstream job names in build causes.

**Stored XSS vulnerability in Validating String Parameter Plugin**

**SECURITY-1935 / CVE-2020-2257**  
**Severity (CVSS):** High  
**Affected plugin: validating-string-parameter**  
**Description:**

Validating String Parameter Plugin 2.4 and earlier does not escape regular expressions in tooltips. Additionally, Validating String Parameter Plugin 2.4 does not escape parameter names and parameter descriptions.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

Validating String Parameter Plugin 2.5 escapes regular expressions in tooltips and parameter names. Parameter descriptions are rendered using the configured markup formatter.

**Incorrect permission check in Health Advisor by CloudBees Plugin**

**SECURITY-1998 / CVE-2020-2258**  
**Severity (CVSS):** Medium  
**Affected plugin: cloudbees-jenkins-advisor**  
**Description:**

Health Advisor by CloudBees Plugin 3.2.0 and earlier does not correctly perform a permission check in an HTTP endpoint.

This allows attackers with Overall/Read permission to view an administrative configuration page.

Health Advisor by CloudBees Plugin 3.2.1 requires Overall/Administer to view its administrative configuration page.

**Stored XSS vulnerability in computer-queue-plugin Plugin**

**SECURITY-1912 / CVE-2020-2259**  
**Severity (CVSS):** High  
**Affected plugin: computer-queue-plugin**  
**Description:**

computer-queue-plugin Plugin 1.5 and earlier does not escape the agent name in tooltips.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.

computer-queue-plugin Plugin 1.6 escapes the agent name in tooltips.

**Missing permission check in Perfecto Plugin**

**SECURITY-1979 / CVE-2020-2260**  
**Severity (CVSS):** Medium  
**Affected plugin: perfecto**  
**Description:**

Perfecto Plugin 1.17 and earlier does not perform a permission check in a method implementing a connection test.

This allows attackers with Overall/Read permission to connect to an attacker-specified HTTP URL using attacker-specified username and password.

Perfecto Plugin 1.18 requires Overall/Administer permission to perform a connection test.

**OS command execution vulnerability in Perfecto Plugin**

**SECURITY-1980 / CVE-2020-2261**  
**Severity (CVSS):** High  
**Affected plugin: perfecto**  
**Description:**

Perfecto Plugin allows specifying Perfecto Connect Path and Perfecto Connect File Name in job configurations.

This command is executed on the Jenkins controller in Perfecto Plugin 1.17 and earlier, allowing attackers with Job/Configure permission to run arbitrary commands on the Jenkins controller.

Perfecto Plugin 1.18 executes the specified commands on the agent the build is running on.

**Stored XSS vulnerability in android-lint Plugin**

**SECURITY-1908 / CVE-2020-2262**  
**Severity (CVSS):** High  
**Affected plugin: android-lint**  
**Description:**

android-lint Plugin 2.6 and earlier does not escape the annotation message in tooltips.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to the 'Publish Android Lint results' post-build step.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerability in Radiator View Plugin**

**SECURITY-1927 / CVE-2020-2263**  
**Severity (CVSS):** High  
**Affected plugin: radiatorviewplugin**  
**Description:**

Radiator View Plugin 1.29 and earlier does not escape the full name of the jobs in tooltips.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerability in Custom Job Icon Plugin**

**SECURITY-1914 / CVE-2020-2264**  
**Severity (CVSS):** High  
**Affected plugin: custom-job-icon**  
**Description:**

Custom Job Icon Plugin 0.2 and earlier does not escape the job descriptions in tooltips.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerability in Coverage/Complexity Scatter Plot Plugin**

**SECURITY-1913 / CVE-2020-2265**  
**Severity (CVSS):** High  
**Affected plugin: covcomplplot**  
**Description:**

Coverage/Complexity Scatter Plot Plugin 1.1.1 and earlier does not escape the method information in tooltips.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to the 'Publish Coverage / Complexity Scatter Plot' post-build step.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerability in Description Column Plugin**

**SECURITY-1916 / CVE-2020-2266**  
**Severity (CVSS):** High  
**Affected plugin: description-column-plugin**  
**Description:**

Description Column Plugin 1.3 and earlier does not escape the job description in the column tooltips.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

As of publication of this advisory, there is no fix.

**CSRF vulnerability and missing permission checks in MongoDB Plugin**

**SECURITY-1904 / CVE-2020-2267 (missing permission check), CVE-2020-2268 (CSRF)**  
**Severity (CVSS):** Medium  
**Affected plugin: mongodb**  
**Description:**

MongoDB Plugin 1.3 and earlier does not perform permission checks in methods implementing form validation.

This allows attackers with Overall/Read permission to gain access to some metadata of any arbitrary files on the Jenkins controller.

Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerability in chosen-views-tabbar Plugin**

**SECURITY-1869 / CVE-2020-2269**  
**Severity (CVSS):** High  
**Affected plugin: chosen-views-tabbar**  
**Description:**

chosen-views-tabbar Plugin 1.2 and earlier does not escape view names in the dropdown to select views.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with the ability to configure views.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerability in ClearCase Release Plugin**

**SECURITY-1911 / CVE-2020-2270**  
**Severity (CVSS):** High  
**Affected plugin: clearcase-release**  
**Description:**

ClearCase Release Plugin 0.3 and earlier does not escape the composite baseline in badge tooltip.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

As of publication of this advisory, there is no fix.

**Stored XSS vulnerability in Locked Files Report Plugin**

**SECURITY-1921 / CVE-2020-2271**  
**Severity (CVSS):** High  
**Affected plugin: locked-files-report**  
**Description:**

Locked Files Report Plugin 1.6 and earlier does not escape locked files' names in tooltips.

This results in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

As of publication of this advisory, there is no fix.

**CSRF vulnerability and missing permission checks in ElasTest Plugin**

**SECURITY-1903 / CVE-2020-2272 (missing permission check), CVE-2020-2273 (CSRF)**  
**Severity (CVSS):** Medium  
**Affected plugin: elastest**  
**Description:**

ElasTest Plugin 1.2.1 and earlier does not perform a permission check in a method implementing form validation.

This allows attackers with Overall/Read permission to connect to an attacker-specified URL using attacker-specified credentials.

Additionally, this form validation method does not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

As of publication of this advisory, there is no fix.

**Passwords stored in plain text by ElasTest Plugin**

**SECURITY-2014 / CVE-2020-2274**  
**Severity (CVSS):** Low  
**Affected plugin: elastest**  
**Description:**

ElasTest Plugin 1.2.1 and earlier stores its server password in plain text in the global configuration file jenkins.plugins.elastest.ElasTestInstallation.xml. This password can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

**Arbitrary file read vulnerability in Copy data to workspace Plugin**

**SECURITY-1966 / CVE-2020-2275**  
**Severity (CVSS):** Medium  
**Affected plugin: copy-data-to-workspace-plugin**  
**Description:**

Copy data to workspace Plugin allows users to copy files from the Jenkins controller to job workspaces.

Copy data to workspace Plugin 1.0 and earlier does not limit which directories can be copied. This allows attackers with Job/Configure permission to read arbitrary files on the Jenkins controller.

As of publication of this advisory, there is no fix.

**System command execution vulnerability in Selection tasks Plugin**

**SECURITY-1967 / CVE-2020-2276**  
**Severity (CVSS):** High  
**Affected plugin: selection-tasks-plugin**  
**Description:**

Selection tasks Plugin implements a job parameter that dynamically generates possible values from the output of a program. The path to that program is specified as part of the parameter configuration.

Selection tasks Plugin 1.0 and earlier executes this user-specified program on the Jenkins controller. This allows attackers with Job/Configure permission to execute an arbitrary system command on the Jenkins controller as the OS user that the Jenkins process is running as.

As of publication of this advisory, there is no fix.

**Arbitrary file read vulnerability in Storable Configs Plugin**

**SECURITY-1968 (1) / CVE-2020-2277**  
**Severity (CVSS):** Medium  
**Affected plugin: storable-configs-plugin**  
**Description:**

Storable Configs Plugin 1.0 and earlier allows users with Job/Read permission to read arbitrary files on the Jenkins controller.

As of publication of this advisory, there is no fix.

**Arbitrary file write vulnerability in Storable Configs Plugin**

**SECURITY-1968 (2) / CVE-2020-2278**  
**Severity (CVSS):** Medium  
**Affected plugin: storable-configs-plugin**  
**Description:**

Storable Configs Plugin allows storing copies of a job’s config.xml file on the Jenkins controller with a user-specified file name.

Storable Configs Plugin 1.0 and earlier does not restrict the user-specified file name, except that a .xml suffix is added if it’s not already present. This allows attackers with Job/Configure permission to replace any other .xml file on the Jenkins controller with the job’s config.xml file’s content.

As of publication of this advisory, there is no fix.

**Severity**

*   SECURITY-1813: Medium
*   SECURITY-1851: Medium
*   SECURITY-1869: High
*   SECURITY-1903: Medium
*   SECURITY-1904: Medium
*   SECURITY-1908: High
*   SECURITY-1911: High
*   SECURITY-1912: High
*   SECURITY-1913: High
*   SECURITY-1914: High
*   SECURITY-1916: High
*   SECURITY-1921: High
*   SECURITY-1927: High
*   SECURITY-1935: High
*   SECURITY-1956: Medium
*   SECURITY-1961: Medium
*   SECURITY-1966: Medium
*   SECURITY-1967: High
*   SECURITY-1968 (1): Medium
*   SECURITY-1968 (2): Medium
*   SECURITY-1976: High
*   SECURITY-1979: Medium
*   SECURITY-1980: High
*   SECURITY-1998: Medium
*   SECURITY-2014: Low

**Affected Versions**

*   **android-lint Plugin** up to and including 2.6
*   **Blue Ocean Plugin** up to and including 1.23.2
*   **chosen-views-tabbar Plugin** up to and including 1.2
*   **ClearCase Release Plugin** up to and including 0.3
*   **computer-queue-plugin Plugin** up to and including 1.5
*   **Copy data to workspace Plugin** up to and including 1.0
*   **Coverage/Complexity Scatter Plot Plugin** up to and including 1.1.1
*   **Custom Job Icon Plugin** up to and including 0.2
*   **Description Column Plugin** up to and including 1.3
*   **ElasTest Plugin** up to and including 1.2.1
*   **Email Extension Plugin** up to and including 2.75
*   **Health Advisor by CloudBees Plugin** up to and including 3.2.0
*   **Locked Files Report Plugin** up to and including 1.6
*   **Mailer Plugin** up to and including 1.32
*   **MongoDB Plugin** up to and including 1.3
*   **Perfecto Plugin** up to and including 1.17
*   **Pipeline Maven Integration Plugin** up to and including 3.9.2
*   **Radiator View Plugin** up to and including 1.29
*   **Selection tasks Plugin** up to and including 1.0
*   **Storable Configs Plugin** up to and including 1.0
*   **Validating String Parameter Plugin** up to and including 2.4

**Fix**

*   **Blue Ocean Plugin** should be updated to version 1.23.3
*   **computer-queue-plugin Plugin** should be updated to version 1.6
*   **Email Extension Plugin** should be updated to version 2.76
*   **Health Advisor by CloudBees Plugin** should be updated to version 3.2.1
*   **Mailer Plugin** should be updated to version 1.32.1
*   **Perfecto Plugin** should be updated to version 1.18
*   **Pipeline Maven Integration Plugin** should be updated to version 3.9.3
*   **Validating String Parameter Plugin** should be updated to version 2.5

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

As of publication of this advisory, no fixes are available for the following plugins:

*   android-lint Plugin
*   chosen-views-tabbar Plugin
*   ClearCase Release Plugin
*   Copy data to workspace Plugin
*   Coverage/Complexity Scatter Plot Plugin
*   Custom Job Icon Plugin
*   Description Column Plugin
*   ElasTest Plugin
*   Locked Files Report Plugin
*   MongoDB Plugin
*   Radiator View Plugin
*   Selection tasks Plugin
*   Storable Configs Plugin

Learn why we announce these issues.

**Credit**

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

*   **Daniel Beck, CloudBees, Inc.** for SECURITY-1966, SECURITY-1967, SECURITY-1968 (1), SECURITY-1968 (2), SECURITY-1976
*   **Jinchen Sheng, Ant Security FG Lab.** for SECURITY-1956, SECURITY-1961
*   **Matt Sicker, CloudBees, Inc.** for SECURITY-1998
*   **Peter Stöckli (via Github Security Lab)** for SECURITY-1813
*   **Wadeck Follonier, CloudBees, Inc.** for SECURITY-1869, SECURITY-1903, SECURITY-1904, SECURITY-1908, SECURITY-1911, SECURITY-1912, SECURITY-1913, SECURITY-1914, SECURITY-1916, SECURITY-1921, SECURITY-1927, SECURITY-2014
*   **Wadeck Follonier, CloudBees, Inc. and Daniel Beck, CloudBees, Inc.** for SECURITY-1935

CVE-2020-2263: Jenkins Security Advisory 2020-09-16

Jenkins Custom Job Icon Plugin 0.2 and earlier does not escape the job descriptions in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

CVE-2020-2264: Jenkins Security Advisory 2020-09-16

Jenkins Validating String Parameter Plugin 2.4 and earlier does not escape various user-controlled fields, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

CVE-2020-2257: Jenkins Security Advisory 2020-09-16

Jenkins Android Lint Plugin 2.6 and earlier does not escape the annotation message in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to the plugin's post-build step.

CVE-2020-2262: Jenkins Security Advisory 2020-09-16

Jenkins Coverage/Complexity Scatter Plot Plugin 1.1.1 and earlier does not escape the method information in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide report files to the plugin's post-build step.

CVE-2020-2265: Jenkins Security Advisory 2020-09-16

Jenkins computer-queue-plugin Plugin 1.5 and earlier does not escape the agent name in tooltips, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Agent/Configure permission.

CVE-2020-2259: Jenkins Security Advisory 2020-09-16

Jenkins Description Column Plugin 1.3 and earlier does not escape the job description in the column tooltip, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Job/Configure permission.

CVE-2020-2266: Jenkins Security Advisory 2020-09-16

Bitcoin Core 0.20.0 allows remote denial of service.

CVE-2020-14198: Common Vulnerabilities and Exposures - Bitcoin Wiki

WebDAV implementation in Yaws web server versions 1.81 to 2.0.7 is vulnerable to XXE injection.

**Commits on Nov 14, 2022**

2.  Regenerate TLS snakeoil cert
    
    The erlang emulator complains about not having enough security when
    using the TLS snakeoil (i.e. self-signed) cert shipped. This is because
    SHA-1 is used for signing algorithm. Nothing in the TLS standard states
    that it shouldn't be allowed, but the erlang emulator doesn't allow it.
    
    The TLS snakeoil cert is regenerated using SHA-256 as signing algorithm.
    
     
    

**Commits on Sep 23, 2022**

**Commits on Sep 1, 2022**

**Commits on Aug 16, 2022**

1.  Make all erlang files UTF-8
    
    All the Erlang versions that are currently supported by yaws,
    default to UTF-8 files. This converts the couple comments that
    were encoded in Latin-1 to UTF-8 and removes the coding comments.
    
     
    

**Commits on Jun 14, 2022**

**Commits on Jun 11, 2022**

1.  Inline hardcoding of some automake variables for deterministic build
    
    Putting various automake variables in the examples.mk include file
    includes the build path. This makes the build non-deterministic.
    
    Running diffoscope reports that the files www/code/Makefile and
    www/shoppingcart/Makefile, differ between two different installation
    directories because of this.
    
    Inline and hardcode these automake variables to enable deterministic
    builds.
    
     
    

**Commits on May 21, 2022**

1.  Add support for OTP 25.0
    
    Yaws supports 3 major OTP versions, so now that OTP 25.0 has been
    released, change our minimum supported OTP release to 22.0. Fix
    configure.ac and rebar.config to enforce this. Fix the README files
    and yaws.tex to document this.
    
    Add 25.0 to the github workflow matrix. Also add missing point
    releases for versions 22 and 23.
    

**Commits on Apr 6, 2022**

1.  Drop stacktrace polyfill
    
    Yaws requires OTP 21.3 - the Class:Reason:Stack syntax was introduced in
    OTP 21, thus the macro filling in for compatibility with older versions
    is no longer needed and can be removed.
    

**Commits on Mar 16, 2022**

1.  Fix README to drop rebar references
    
    In README.md, drop references to rebar and replace them with
    rebar3. Also note that rebar3 currently works only with the
    rebar3-support branch.
    
2.  Move to python3
    
    Since python 2.x is no longer supported, and since MacOS 12.3 has
    fully dropped python 2.x, switch uses of python to python3.
    

**Commits on Mar 11, 2022**

**Commits on Feb 27, 2022**

1.  Disable urldecode for JSON-RPC
    
    None of the popular JSON-RPC clients apply urlencode to the produced JSON
    request. Consequently, any method parameter that contains percent symbol will be
    either decoded to a wrong value or, more often, will cause request handling
    failure.
    
    Vladislav Glinsky authored and vinoski committed
    
    Feb 27, 2022
    

**Commits on Feb 4, 2022**

3.  Add a new known dialyzer warning
    
    Dialyzer complains about the yaws\_config not being able to match the
    atom 'undefined' when it calls yaws\_generated functions; this is
    because yaws\_generated is generated code, as its name implies, so it
    handles constants as if they were variables. Ignore this complaint by
    adding it to known\_dialyzer\_warnings.
    
    Also in known\_dialyzer\_warnings, augment each regular expression to
    optionally match a column number.
    

**Commits on Jan 31, 2022**

1.  Fix handling of SOURCE\_DATE\_EPOCH
    
    If no SOURCE\_DATE\_EPOCH is specified via configure, then it can't be
    set as an environment variable in doc/Makefile.am build rules. Change
    the build rules to check if SOURCE\_DATE\_EPOCH is non-empty and use it
    if so, otherwise leave it out of the commands.
    
    Also fix verbosity for make in doc/Makefile.am. If V=1 is passed on
    the make command line, echo the build commands, otherwise echo
    abbreviated commands. Special handling is needed because of the "if"
    commands in the build rules have echo unconditionally disabled via @.
    

**Commits on Jan 24, 2022**

1.  Reenable warnings as errors
    
    The -Werror "warnings as errors" option was disabled some time ago due
    to the deprecated ssl:cipher\_suites/0 function. This was fixed awhile
    ago, so reenable -Werror.
    

**Commits on Jan 23, 2022**

1.  Create a deterministic build environment
    
    Enable reproducible builds with a deterministic build environment.
    
    \* Let configure set +debug\_info/+deterministic and SOURCE\_DATE\_EPOCH
    
      New options to ./configure:
    
        --enable-deterministic-build
    
        --with-source-date-epoch=EPOCH
    
      The ./configure script also understands the following two
      environment variables:
    
        YAWS\_DETERMINISTIC\_BUILD
    
        SOURCE\_DATE\_EPOCH
    
      Configuring with either the ./configure options or setting the
      enviroment variables before running autoconf and configure will
      enable a deterministic build.
    
      A deterministic build sets the erlc flag +deterministic instead of
      +debug\_info and also sets the DETERMINISTIC macro.
    
      When configuring a deterministic build, several scripts and
      Makefiles are generated with predefined values; notably include.mk
      and scripts/gen-yaws-generated are now generated by ./configure.
    
    \* If YAWS\_DETERMINISTIC\_BUILD is set, set the +deterministic compiler
      flag.
    
      But remove +deterministic when building tests, as the \*\_SUITE\_data
      directories will not be handled correctly if +deterministic is
      used. When the beam files are built once, they will try to rebuild
      on the next make invocation and it will not work. In other words, if
      the beam is built, it will be built again. This breaks the pattern
      make && make install.
    
      Add +debug\_info when building tests. Prior to using +deterministic,
      this was the default, and since +deterministic isn't used for
      building tests, keep +debug\_info.
    
      Set +deterministic as appropriate in rebar.config.script and
      scripts/rebar-pre-script based on YAWS\_DETERMINISTIC\_BUILD.
    
    \* Hardcode include path in generated mime\_types.erl for deterministic
      build.
    
    \* Generate deterministic www/\*/Makefile
    
      Several things are taken from the build environment when building,
      but they are not needed to build or use the examples, and are hence
      hardcoded or just removed.
    
      Add the examples.mk fragment to support reproducible builds in the
      examples. In it, set the SHELL variable instead of using the one
      from the environment. Omit build environment paths. Remove calls to
      ac-aux/missing and ac-aux/install-sh, as they include absolute build
      environment paths. Include examples.mk in www/code/Makefile and
      www/shoppingcart/Makefile.
    
    See #446 for more information.
    
    Signed-off-by: Steve Vinoski <vinoski@ieee.org>
    
     
    

**Commits on Jan 9, 2022**

2.  Document reproducible builds of YAWS
    
    Document how to enable reproducible builds (export environment variables
    YAWS\_DETERMINISTIC\_BUILD and SOURCE\_DATE\_EPOCH when building) and what
    that entails for the build artefacts. Also note that various paths are
    included in generated files, i.e. installation prefix affects build
    artefacts, which can be mitigated by using DESTDIR.
    
    SOURCE\_DATE\_EPOCH is understood by pdflatex, thus setting it to the same
    Unix timestamp across builds will make yaws.pdf build deterministically.
    However, latex/dvips does not understand SOURCE\_DATE\_EPOCH, thus the
    generated date in the DVIPSSource comment is generated from
    SOURCE\_DATE\_EPOCH if set.
    
    Fixes #446
    
     
    

**Commits on Jan 5, 2022**

1.  Add YAWS\_DETERMINISTIC\_BUILD env var
    
    To avoid embedding different paths for VARDIR and ETCDIR in the
    compiled yaws\_generated.erl beam file, allow the user to set the
    environment variable YAWS\_DETERMINISTIC\_BUILD to any value. When
    generating yaws\_generated.erl, Yaws looks for this environment
    variable and if found, it makes yaws\_generated:vardir() and
    yaws\_generated:etcdir() return undefined instead of pathname strings.
    

**Commits on Dec 22, 2021**

1.  Detect externally rotated logfiles
    
    Currently, Yaws does not play well with an external log rotation
    mechanism (Linux logrotate or BSD newsyslog). When such an external
    program rotates a Yaws log, it will customarily move the existing log
    to a new name, open a new logfile with the old name, and (optionally)
    send a (configurable) signal to the program that writes to the log, to
    notify it to re-open the logfile.
    
    Yaws supports wrapping its logs at a given size (configuration
    variable log\_wrap\_size), but it does not support wrapping it in a
    time-based fashion (e.g., wrap once a day at midnight), which is why
    an external log rotator is useful.
    
    The problem is that in such a case, Yaws will continue writing to the
    old logfile. There is logic to detect that the logfile has been
    wrapped, but it does not work if the log rotator creates a new file
    in place of the old. In such case, Yaws should detect that the logfile
    it sees at the expected path is smaller than what it knows to have
    written to the log, and take that as a signal that the log has been
    wrapped.
    
    This patch adds support for just this. To make use of it, one should
    arrange for the log rotator to issue a 'yaws --hup' post rotating the
    files. This will trigger Yaws to immediately re-evaluate the
    conditions and lead to migrating to the newly opened logfile.
    Otherwise, it will take up to 10 minutes for this to happen, and Yaws
    will have been writing to the old file (via the file descriptor it is
    holding to) prior to that.
    
    Tom Szilagyi authored and vinoski committed
    
    Dec 22, 2021
    

**Commits on Dec 21, 2021**

1.  Fix url\_encode issue
    
    Commit 9cd9173 introduced a problem with yaws\_api:url\_encode/1 that
    wasn't caught because "make check" sometimes reports success on macOS
    even when a failure occurs.
    
    Fix verified on Ubuntu and macOS.
    
2.  Fix #440: handle TLSv1.3-only server
    
    The Erlang/OTP ssl configuration settings "secure\_renegotiate" and
    "client\_renegotiation" don't apply to TLS version 1.3, but Yaws sets
    both to defaults that differ from Erlang/OTP defaults and so always
    tries to include them when setting up SSL listening, which results in
    an error for servers configured for only TLSv1.3.
    
    If a server is configured for TLSv1.3 only, set secure\_renegotiate and
    client\_renegotiation to undefined. Also modify supported configuration
    settings for these variables to allow them to be set to true, false,
    or undefined, where the latter setting restores the Erlang/OTP
    default. Modify the documentation to describe the undefined setting.
    
    Add a new test to sconf\_SUITE to verify settings in an #ssl{} record
    when a server is configured for only TLSv1.3. Note that this test is
    skipped for OTP 21.3 since it doesn't support TLSv1.3.
    

**Commits on Dec 16, 2021**

1.  Allow colons in dir listing file references
    
    When encoding filenames for use as relative URLs in directory
    listings, if a file contains only colons as encoded characters, use
    the original filename prefixed with "./" as its relative URL as per
    RFC3986 section 4.2.
    

**Commits on Dec 15, 2021**

1.  Fix jsonrpc Content-Length header value
    
    OTP 24.2 tightened up header checking in httpc:request calls, which
    uncovered a call in jsonrpc passing Content-Length as an integer
    rather than a string. Fix it to pass the value as a string.
    

**Commits on Dec 6, 2021**

1.  Use special logger handler for report.log
    
    Use logger instead of error\_logger for report.log. This makes it
    possible to run yaws when no error\_logger process running, since we
    don't try to install custom handlers in it.
    
    Because of logger\_std\_h differences in Erlang/OTP 21.0 through 21.2
    that prevent these changes from working correctly for those versions,
    raise the minimum Erlang/OTP version that Yaws supports from 21.0 to
    21.3. Anyone needing 21.0-21.2 support can use Yaws release 2.1.0.
    Change all places mentioning 21.0 as the minimum to be 21.3 instead.
    
     
    
2.  Switch to Github Actions for CI
    
    Travis-CI is no longer useful for open source projects, so switch to
    Github Actions using an OTP versions matrix. Remove legacy .travis.yml
    file.
    
    In testsuite/run\_common\_test.in, add the -noshell option to prevent
    early termination when running in a Github Action.
    
    Co-authored-by: Sergey Prokhorov <sergey.prokhorov@klarna.com>
    
     
    

**Commits on Nov 16, 2021**

1.  src/yaws\_log.erl: Update timestamp every 1 second
    
    Prior to this change, the timestamp of log entries was updated every 3
    seconds. While yaws\_log:fmtnow/0 is not a very fast function, losing
    the precision and yielding inaccurate timestamps does not seem to
    balance with the optimization, so change it to 1 second instead.
    
     
    

**Commits on Nov 14, 2021**

CVE-2020-24379: Commits · erlyaws/yaws

The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would result in the attacker being able to eavesdrop on all encrypted communications sent over that TLS connection. The attack can only be exploited if an implementation re-uses a DH secret across multiple TLS connections. Note that this issue only impacts DH ciphersuites and not ECDH ciphersuites. This issue affects OpenSSL 1.0.2 which is out of support and no longer receiving public updates. OpenSSL 1.1.1 is not vulnerable to this issue. Fixed in OpenSSL 1.0.2w (Affected 1.0.2-1.0.2v).

OpenSSL Security Advisory \[09 September 2020\] ============================================= Raccoon Attack (CVE-2020-1968) ============================== Severity: Low The Raccoon attack exploits a flaw in the TLS specification which can lead to an attacker being able to compute the pre-master secret in connections which have used a Diffie-Hellman (DH) based ciphersuite. In such a case this would result in the attacker being able to eavesdrop on all encrypted communications sent over that TLS connection. The attack can only be exploited if an implementation re-uses a DH secret across multiple TLS connections. Note that this issue only impacts DH ciphersuites and not ECDH ciphersuites. OpenSSL 1.1.1 is not vulnerable to this issue: it never reuses a DH secret and does not implement any "static" DH ciphersuites. OpenSSL 1.0.2f and above will only reuse a DH secret if a "static" DH ciphersuite is used. These static "DH" ciphersuites are ones that start with the text "DH-" (for example "DH-RSA-AES256-SHA"). The standard IANA names for these ciphersuites all start with "TLS\_DH\_" but excludes those that start with "TLS\_DH\_anon\_". OpenSSL 1.0.2e and below would reuse the DH secret across multiple TLS connections in server processes unless the SSL\_OP\_SINGLE\_DH\_USE option was explicitly configured. Therefore all ciphersuites that use DH in servers (including ephemeral DH) are vulnerable in these versions. In OpenSSL 1.0.2f SSL\_OP\_SINGLE\_DH\_USE was made the default and it could not be turned off as a response to CVE-2016-0701. Since the vulnerability lies in the TLS specification, fixing the affected ciphersuites is not viable. For this reason 1.0.2w moves the affected ciphersuites into the "weak-ssl-ciphers" list. Support for the "weak-ssl-ciphers" is not compiled in by default. This is unlikely to cause interoperability problems in most cases since use of these ciphersuites is rare. Support for the "weak-ssl-ciphers" can be added back by configuring OpenSSL at compile time with the "enable-weak-ssl-ciphers" option. This is not recommended. OpenSSL 1.0.2 is out of support and no longer receiving public updates. Premium support customers of OpenSSL 1.0.2 should upgrade to 1.0.2w. If upgrading is not viable then users of OpenSSL 1.0.2v or below should ensure that affected ciphersuites are disabled through runtime configuration. Also note that the affected ciphersuites are only available on the server side if a DH certificate has been configured. These certificates are very rarely used and for this reason this issue has been classified as LOW severity. This issue was found by Robert Merget, Marcus Brinkmann, Nimrod Aviram and Juraj Somorovsky and reported to OpenSSL on 28th May 2020 under embargo in order to allow co-ordinated disclosure with other implementations. Note ==== OpenSSL 1.0.2 is out of support and no longer receiving public updates. Extended support is available for premium support customers: https://www.openssl.org/support/contracts.html OpenSSL 1.1.0 is out of support and no longer receiving updates of any kind. The impact of this issue on OpenSSL 1.1.0 has not been analysed. Users of these versions should upgrade to OpenSSL 1.1.1. References ========== URL for this Security Advisory: https://www.openssl.org/news/secadv/20200909.txt Note: the online version of the advisory may be updated with additional details over time. For details of OpenSSL severity classifications please see: https://www.openssl.org/policies/secpolicy.html

Tag

#ssl