XSS vulnerability in Jenkins error pages when running in standalone mode

Patchset from upstream git repo for jenkins-winstone: https://github.com/jenkinsci/winstone/commit/410ed3001d51c689cf59085b7417466caa2ded7b.patch

This fix is currently blocked in Oneiric due to broken versions of the toolchain required to build Jenkins.

Working on resolving this issue upstream;

So #2 should have read 'blocked in Precise'; this is now resolved.

This bug was fixed in the package jenkins - 1.409.3-0ubuntu1

---------------
jenkins (1.409.3-0ubuntu1) precise; urgency=low

  * New upstream release:
    - Refreshed patches.
    - d/maven.rules: Updated jenkins version to 1.409.3.
  * Pickup new version of jenkins-winstone resolving XSS security
    vulnerability (LP: #889181).
  * d/patches/build/apt-stapler-processing.patch: Temporary patch to fix
    build when using later versions of stapler which use standard
    Java annotation processing.
 -- James Page <email address hidden> Tue, 22 Nov 2011 08:31:53 +0000

Thank for updating this James. Are you still planning on providing updates for 11.10? If so, can you follow https://wiki.ubuntu.com/SecurityTeam/SponsorsQueue#Notes_for_Contributors so that it shows up on our radar? Thanks!

I've done a basic commission of 1.409.1-0ubuntu4.1 on oneiric and the fix to jenkins-winstone does not appear to have regressed any functionality.

Un-assigning myself and marking as 'Confirmed' so that this bug shows up on the sponsors queue.

Thanks for your patches! They look great and I have uploaded them to the security ppa. Per irc, it would be good to get htmlunit working again and then re-enable the tests the next time this is updated. Thanks again!

CVE request:
http://www.openwall.com/lists/oss-security/2011/11/23/5

This bug was fixed in the package jenkins - 1.409.1-0ubuntu4.1

---------------
jenkins (1.409.1-0ubuntu4.1) oneiric-security; urgency=low

  * SECURITY UPDATE: Rebuild to pickup new version of jenkins-winstone
    to close out XSS security vulnerability (LP: #889181).
 -- James Page <email address hidden> Tue, 22 Nov 2011 13:04:34 +0000

jenkins-winstone (0.9.10-jenkins-25+dfsg-0ubuntu2.1) oneiric-security; urgency=low

  * SECURITY UPDATE: XSS vulnerability in default error pages.
    - debian/patches/fix_xss.patch: escape error messages which are supposed
      be plain text and not markup in
      src/java/winstone/ErrorServlet.java,
      src/java/winstone/URIUtil.java,
      src/java/winstone/WinstoneResponse.java
    - http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2011-11-08.cb
  * d/maven.{properties,ignoreRules}: Disabled testing as htmlunit is
    currently broken in 11.10.