Re: Security Vulnerability on my Jenkins Server

2021-02-10 Thread Eric Fetzer
Thanks, guess we'll have to wait. It's not based on what we do, it's just a security scan software. It's not like anyone can get to it anyway, it's inside the wall, but it is what it is. This one will have to become a POAM. Do you have any clue when the fix is coming up? Again, THANKS for all

Re: Security Vulnerability on my Jenkins Server

2021-02-10 Thread kuisathaverat
I’ve re-read your first message; you ask for “Jenkins CLI over SSH”. There you cannot do anything until we replace the ssh-module. The module will support those MACs and it is not possible to disable them. However, I doubt that the Jenkins CLI uses those MACs, and you can always use HTTPS. On Wed, 1

Re: Security Vulnerability on my Jenkins Server

2021-02-10 Thread Eric Fetzer
My MACs line says: MACs hmac-ripemd160,hmac-sha2-256,hmac-sha2-512,hmac-ripemd...@openssh.com I believe this is hardened, isn't it? Thanks, Eric On Wed, Feb 10, 2021 at 9:40 AM kuisathaverat wrote: > hmac-* are Message authentication code algorithms (MACs), so you have to > configure your Mes

Re: Security Vulnerability on my Jenkins Server

2021-02-10 Thread kuisathaverat
hmac-* are Message authentication code algorithms (MACs), so you have to configure the Message authentication code algorithms (MACs) you support, for example MACs hmac-sha2-256,hmac-sha2-512; see https://www.ssh.com/ssh/sshd_config/#common-configuration-changes-for-the-enterprise On Wed, 10 Feb 20

Re: Security Vulnerability on my Jenkins Server

2021-02-10 Thread Eric Fetzer
Hmmm, I already hardened using that link: https://www.ssh.com/ssh/sshd_config My /etc/ssh/sshd_config has: Ciphers aes128-ctr,aes192-ctr,aes256-ctr This is still showing up on my security scan though. Am I missing something? Thanks, Eric On Tue, Feb 9, 2021 at 12:23 PM kuisathaverat wrote: >

Re: Security Vulnerability on my Jenkins Server

2021-02-09 Thread kuisathaverat
There is work in progress to bump the version of the library and convert the sshd-module into a plugin to resolve this kind of issue quickly. For the moment you can configure your sshd servers on the Agents side to not allow weak ciphers, see https://www.ssh.com/ssh/sshd_config. https://github.c

Re: Security Vulnerability on my Jenkins Server

2021-02-09 Thread eric....@gmail.com
I'm sorry, I just saw the last comment on here and, once again, this showed up on our vulnerability report. I don't get exactly what I need to do in order to fix this. Can someone lay it out for me please? Thanks - Eric On Wednesday, August 26, 2020 at 12:39:40 PM UTC-6 kuisat...@gmail.com w

Re: Security Vulnerability on my Jenkins Server

2020-08-26 Thread Ivan Fernandez Calvo
I was wrong: you cannot configure the ciphers for the ssh server on the Java security files. The SSH server on Jenkins uses https://github.com/apache/mina-sshd ; IIRC the Jenkins implementation of the ssh server does not read the sshd_config files, so it is not possible to configure the ssh server.
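Eric's scan kept flagging hmac-md5, hmac-md5-96 and hmac-sha1-96 after he hardened /etc/ssh/sshd_config, and Ivan's reply above explains why: the Jenkins CLI SSH endpoint is Apache MINA SSHD inside the Jenkins JVM, not the host's OpenSSH sshd, so sshd_config never applies to it. The quickest way to see which server a scanner is actually talking to, and what it offers, is to read the server's own SSH_MSG_KEXINIT. The probe below is an added example, not code from the thread or from Jenkins; it implements the RFC 4253 version exchange and KEXINIT framing itself so it needs nothing beyond the standard library. The host name and port on the usage line are assumptions (use whatever port your Jenkins SSH server is configured to listen on), and the test data is constructed.

```python
"""Probe which MACs an SSH server offers by reading its SSH_MSG_KEXINIT.

Added example (not from the thread). Exchanges version banners, sends one
KEXINIT and parses the server's KEXINIT name-lists (RFC 4253 s7.1). No key
exchange is completed, so nothing is authenticated; only the offer is read.
"""
import os
import socket
import struct
import sys

SSH_MSG_KEXINIT = 20
# The ten name-lists of SSH_MSG_KEXINIT, in wire order.
KEXINIT_FIELDS = ("kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
                  "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
# The MACs the scan in the thread flagged; extend as your scanner requires.
WEAK_MACS = frozenset({"hmac-md5", "hmac-md5-96", "hmac-sha1-96"})
# What we advertise. It does not influence what the server lists.
OUR_OFFER = {"kex": ["curve25519-sha256"], "hostkey": ["ssh-ed25519", "rsa-sha2-256"],
             "enc_c2s": ["aes256-ctr"], "enc_s2c": ["aes256-ctr"],
             "mac_c2s": ["hmac-sha2-256"], "mac_s2c": ["hmac-sha2-256"],
             "comp_c2s": ["none"], "comp_s2c": ["none"]}


def build_kexinit(fields, cookie=None):
    """Serialise an SSH_MSG_KEXINIT payload from a dict of name-lists."""
    out = bytearray([SSH_MSG_KEXINIT]) + (cookie or os.urandom(16))
    for name in KEXINIT_FIELDS:
        s = ",".join(fields.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(s)) + s
    out += b"\x00"               # first_kex_packet_follows = FALSE
    out += b"\x00\x00\x00\x00"   # reserved uint32
    return bytes(out)


def parse_kexinit(payload):
    """Parse an SSH_MSG_KEXINIT payload into {field: [algorithm, ...]}."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, fields = 17, {}         # skip message type and the 16-byte cookie
    for name in KEXINIT_FIELDS:
        (n,) = struct.unpack(">I", payload[off:off + 4])
        off += 4
        raw, off = payload[off:off + n], off + n
        fields[name] = raw.decode("ascii").split(",") if raw else []
    return fields


def wrap_packet(payload):
    """Binary packet framing (RFC 4253 s6) before any cipher is negotiated."""
    pad = 8 - ((len(payload) + 5) % 8)   # total length must be a multiple of 8
    if pad < 4:                          # and padding must be at least 4 bytes
        pad += 8
    return struct.pack(">IB", len(payload) + pad + 1, pad) + payload + b"\x00" * pad


def unwrap_packet(data):
    """Inverse of wrap_packet: return the payload of one binary packet."""
    plen, padlen = struct.unpack(">IB", data[:5])
    return data[5:5 + plen - padlen - 1]


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf


def _read_banner(sock):
    """Return the server's version line; servers may send other lines first."""
    while True:
        line = b""
        while not line.endswith(b"\n"):
            line += _recv_exact(sock, 1)
            if len(line) > 255:
                raise ValueError("banner line too long")
        if line.startswith(b"SSH-"):
            return line.decode("ascii", "replace").rstrip("\r\n")


def probe(host, port, timeout=5.0):
    """Connect, swap banners and KEXINITs, and return the server's offer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        banner = _read_banner(sock)
        sock.sendall(b"SSH-2.0-kexinit_probe\r\n")
        sock.sendall(wrap_packet(build_kexinit(OUR_OFFER)))
        head = _recv_exact(sock, 4)
        (plen,) = struct.unpack(">I", head)
        fields = parse_kexinit(unwrap_packet(head + _recv_exact(sock, plen)))
    fields["banner"] = banner
    return fields


def weak_macs_offered(fields):
    """MACs on the weak list that the server offers in either direction."""
    offered = set(fields["mac_c2s"]) | set(fields["mac_s2c"])
    return sorted(offered & WEAK_MACS)


if __name__ == "__main__":
    # Assumed invocation: python probe.py jenkins.example.internal <jenkins-ssh-port>
    offer = probe(sys.argv[1], int(sys.argv[2]))
    print(offer["banner"])
    print("MACs offered:", ", ".join(offer["mac_s2c"]))
    weak = weak_macs_offered(offer)
    print("weak MACs offered:", ", ".join(weak) or "none")
    sys.exit(1 if weak else 0)
```

Run it once against port 22 and once against the Jenkins SSH port: the banner line alone tells you which software answered, and the MAC list shows what each one is willing to negotiate. If the weak MACs only appear on the Jenkins port, no amount of sshd_config editing will clear the finding; that is the case Ivan describes, and it has to be tracked against the Jenkins sshd-module until the library bump lands.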

Re: Security Vulnerability on my Jenkins Server

2020-08-26 Thread eric....@gmail.com
I think I found the solution to this: https://www.thegeekdiary.com/how-to-disable-md5-based-hmac-algorithms-for-ssh/ On Tuesday, August 25, 2020 at 1:59:49 PM UTC-6 eric@gmail.com wrote: > I'm confused. It doesn't look like the ciphers the vulnerability is > citing are allowed in the ja

Re: Security Vulnerability on my Jenkins Server

2020-08-25 Thread eric....@gmail.com
I'm confused. It doesn't look like the ciphers the vulnerability is citing are allowed in the java.security file on this system. We're getting flagged for: hmac-md5 hmac-md5-96 hmac-sha1-96 Settings are: jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, DH keySize < 1024, \ EC

Re: Security Vulnerability on my Jenkins Server

2020-08-24 Thread Ivan Fernandez Calvo
Yes, to configure the ciphers accepted by your JDK, edit the file lib\security\java.security (the path will vary based on your Java version) On Monday, 24 August 2020 at 16:48:22 UTC+2, eric@gmail.com wrote: > Hi all! I'm getting hit by my secuity team for a vulnerability for the

Security Vulnerability on my Jenkins Server

2020-08-24 Thread eric....@gmail.com
Hi all! I'm getting hit by my security team for a vulnerability for the Jenkins CLI via ssh allowing the following weak ciphers: hmac-md5 hmac-md5-96 hmac-sha1-96 Is there a way to configure ciphers accepted for the Jenkins CLI? Thanks, Eric

Security Vulnerability

2019-01-21 Thread mohan reddy
SM-7 Missing secure flag on session ID In secure HTTPS applications, cookies must have the “Secure” flag set. The “Secure” flag informs browsers that a cookie should only be sent on connections that are encrypted with SSL. Without the “secure” flag, the non-encrypted HTTP domain for the appl
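The finding above is verified by looking at the Set-Cookie headers the application returns, not at its configuration. The checker below is an added example, not code from the thread or from Jenkins: it parses each Set-Cookie value into its attributes and reports cookies that lack Secure (and, since scanners report it alongside, HttpOnly). The sample header values are constructed, and the cookie names in them are placeholders, not what any particular Jenkins release emits.

```python
"""Report Set-Cookie headers missing the Secure / HttpOnly attributes.

Added example (not from the thread). Works on constructed sample values by
default; pass a URL to check a live response instead.
"""
import sys
import urllib.error
import urllib.request

# Constructed sample Set-Cookie values; cookie names are placeholders.
SAMPLE_SET_COOKIES = [
    "JSESSIONID.abc123=node0deadbeef.node0; Path=/; HttpOnly",
    "JSESSIONID.abc123=node0deadbeef.node0; Path=/; Secure; HttpOnly",
    "screenResolution=1920x1080; Path=/",
]

# Attribute names are matched case-insensitively, as browsers do.
REQUIRED = ("secure", "httponly")


def parse_set_cookie(value):
    """Split one Set-Cookie value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": cookie_value, "attrs": attrs}


def missing_flags(set_cookie_values, required=REQUIRED):
    """Return [(cookie name, [missing attributes])] for every deficient cookie."""
    findings = []
    for value in set_cookie_values:
        cookie = parse_set_cookie(value)
        missing = [flag for flag in required if flag not in cookie["attrs"]]
        if missing:
            findings.append((cookie["name"], missing))
    return findings


def set_cookies_from(url):
    """Fetch url and return its Set-Cookie values, one entry per header.

    A 401/403 still carries Set-Cookie headers (a login page sets the session
    cookie), so the HTTPError's response headers are read too.
    """
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.headers.get_all("Set-Cookie") or []
    except urllib.error.HTTPError as err:
        return err.headers.get_all("Set-Cookie") or []


if __name__ == "__main__":
    values = set_cookies_from(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_SET_COOKIES
    for name, missing in missing_flags(values):
        print(f"{name}: missing {', '.join(missing)}")
```

Check the HTTPS origin the users actually hit; a cookie set over plain HTTP behind a TLS-terminating proxy is exactly the case the finding describes, and the fix belongs in the servlet container's session-cookie settings or the proxy, which the thread does not cover.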

RE: Why is Jenkins suddenly telling me about an old security vulnerability

2018-10-22 Thread matthew.web...@diamond.ac.uk
ober 2018 18:02 > To: Jenkins Users > Subject: Re: Why is Jenkins suddenly telling me about an old security > vulnerability > > This is supposed to only show when Jenkins detects an upgrade from 1.495 or > older. IIRC, it uses information from the global config.xml to determine

Re: Why is Jenkins suddenly telling me about an old security vulnerability

2018-10-19 Thread Daniel Beck
displayed a message in the WebUI: > "Because of a security vulnerability discovered earlier, we need to change > the encryption key used to protect secrets in your configuration files on the > disk. This process scans a large portion of your $JENKINS_HOME, finds > encrypted data

Why is Jenkins suddenly telling me about an old security vulnerability

2018-10-19 Thread matthew.web...@diamond.ac.uk
We recently upgraded Jenkins from 2.146 to 2.147 (which is the newest release at the time of writing). Since then, Jenkins has displayed a message in the WebUI: "Because of a security vulnerability discovered earlier, we need to change the encryption key used to protect secrets in

Re: Jenkins - Security Vulnerability

2018-05-22 Thread mohan reddy
Hi All, I just want to know if there is anything that can be done to bring this to closure. Any help that you provide is greatly appreciated. -Mohan On Monday, May 21, 2018 at 6:43:37 PM UTC+5:30, mohan reddy wrote: > > Hi Team, > > I was hoping that you would put me in the correct direction. I ha