I assume that if you want a statement from a vendor about Jenkins, you'll need to purchase Jenkins support from a vendor, and have that vendor provide the statement. CloudBees will sell you Jenkins support, so I think they are your best choice to find a vendor. Other than them, I'm not aware of anyone else offering support for Jenkins.

Mark Waite
> ________________________________
> From: John Henning <darken4...@gmail.com>
> To: Jenkins Users <jenkinsci-users@googlegroups.com>
> Sent: Friday, April 6, 2012 3:43 PM
> Subject: Re: Verification of inability to remediate vulnerability in Jenkins
>
> J,
>
> The reported vulnerability is CVE-2002-1858, which is an information disclosure vulnerability via the WEB-INF folder. Jenkins is the only application we've installed on the server and I've verified that Winstone does, in fact, have the vulnerability present. Since I am not sure how the scan tool detects this vulnerability I am equally unsure why it would confuse it with Oracle Application Server, but I would guess that it simply inferred OAS's presence based on the vulnerability being detected.
>
> I was hoping that seeking an exemption would be a more efficient solution than setting up a separate application server, as there is significant bureaucracy involved when installing new applications on a managed asset (as this exercise attests). If it isn't possible or practical to get correspondence stating that Winstone cannot be patched to remediate the vulnerability I can look into other options, but I wanted to try this avenue first.
>
> See
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1858
> https://issues.jenkins-ci.org/browse/JENKINS-11538
>
> Thanks for the response.
>
> On Apr 6, 4:09 pm, johno <johno.crawf...@sulake.com> wrote:
>> Hi John,
>>
>> Can you be more specific about what patch the vulnerability scanner suggests or give more information about the service / vulnerability it found? It seems strange it would confuse Winstone servlet container with Oracle Application Server.
>>
>> That said, Winstone is not the only choice for running Jenkins. You can also run Jenkins in a servlet container of your choice, e.g. Tomcat / Jetty.
>>
>> Best of luck,
>>
>> J
>>
>> --
>> View this message in context: http://jenkins.361315.n4.nabble.com/Verification-of-inability-to-reme...
>> Sent from the Jenkins users mailing list archive at Nabble.com.
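While the thread is about getting a vendor statement, the practical mitigation for a WEB-INF information disclosure in a servlet container is to make sure nothing under /WEB-INF/ or /META-INF/ is ever served, regardless of how the path is spelled. The following is an added example, not code from this thread, from Jenkins or from Winstone: it shows the path normalisation and deny rule a reverse proxy or servlet filter placed in front of Jenkins should apply before forwarding a request. The protected directory names, the choice of a 404 response, and the sample request paths are all assumptions made for the example.

```python
"""
Added example (not from the mailing-list thread, Jenkins or Winstone):
a front-end request filter that refuses any request whose normalised
path contains a WEB-INF or META-INF segment, so a container that would
otherwise serve those files never sees the request.
"""
import posixpath
from urllib.parse import unquote

# Directories a servlet container must never serve (assumption: this list
# is what the filter protects; extend it for site-specific paths).
PROTECTED_DIRS = ("WEB-INF", "META-INF")

# Decoding passes: enough to undo double/triple percent-encoding.
MAX_DECODE_PASSES = 5


def normalize_path(raw_path: str) -> str:
    """Return the path as the backend would most likely interpret it.

    Steps: drop query/fragment, percent-decode until the string is stable
    (defeats %252e style double encoding), treat backslashes as separators,
    then collapse '.' / '..' segments and duplicate slashes.
    """
    path = raw_path.split("?", 1)[0].split("#", 1)[0]
    for _ in range(MAX_DECODE_PASSES):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    if not path.startswith("/"):
        path = "/" + path
    # posixpath.normpath discards '..' that would climb above the root,
    # which is exactly the behaviour we want for an absolute URL path.
    return posixpath.normpath(path)


def is_protected(raw_path: str) -> bool:
    """True when any segment of the normalised path names a protected dir."""
    segments = [s for s in normalize_path(raw_path).split("/") if s]
    return any(seg.upper() in PROTECTED_DIRS for seg in segments)


def filter_request(raw_path: str) -> int:
    """Status a front-end filter should return: 404 for protected paths,
    200 (meaning: pass the request through) for everything else."""
    return 404 if is_protected(raw_path) else 200


if __name__ == "__main__":
    # Constructed sample request paths, not captured traffic.
    samples = [
        "/WEB-INF/web.xml",
        "/web-inf/web.xml",
        "/%57EB-INF/web.xml",
        "/%2557EB-INF/web.xml",
        "/static/..%2fWEB-INF/web.xml",
        "/job/build/lastBuild/console",
        "/images/web-info.png",
    ]
    for path in samples:
        print(f"{filter_request(path):>3}  {path!r:<36} -> {normalize_path(path)}")
```

Running the block prints the decision and the normalised path for each constructed sample; the two legitimate paths pass through and every variant of the WEB-INF request is refused. Because the filter decides on the decoded, dot-collapsed path rather than on the raw string, it does not matter whether the scanner (or anyone else) spells the path in upper case, lower case or percent-encoded form. The limitation to keep in mind is that the filter must interpret the path the same way the backend container does; if the container applies a decoding step this code does not, the rule should be adjusted to match.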