I suspect many of you have been impacted by CVE-2014-6271 (aka "shellshock" bash vulnerability.) We had our share of updates to do for various *.jenkins-ci.org servers.
Java application servers in general (including one that ships in Jenkins) do not fork off processes like Apache does to serve requests, so the kind of CGI attacks you see on Apache does not apply. We are currently unaware of any vulnerabilities in Jenkins related to CVE-2014-6271, and no plan to issue a patch for that.
That said, we did come up with one possible way attackers can exploit vulnerable bash through Jenkins, that you might want to be aware of.
When a build is parameterized, parameters are passed to the processes Jenkins launch as environment variables. So if you have a shell step (which uses bash by default), and if Eve only has a BUILD permission but not CONFIGURE permission, then Eve can exploit this vulnerability by carefully crafting parameter values, and have the bash runs arbitrary processes on the slave that run the build.
In most such scenarios, Eve would have to be an authenticated user on Jenkins. Jenkins also leaves the record of who triggered what build with what parameters, so there's an audit trail. But if your Jenkins fits this description, hopefully this serves as one more reason to update your bash.
Finally, to get notified of future security advisories from Jenkins, see this Wiki page.
There'll be several talks that touch Jenkins. The first is from me and Jesse called Next Step in Automation: Elastic Build Environment [CON3387] Monday 12:30pm.
Then later Tuesday, there's Building a Continuous Delivery Pipeline with Gradle and Jenkins [CON11237] from Benjamin Muschko of Gradleware.
Thursday has several Jenkins talks. One is The Deploy Factory: Open Source Tools for Java Deployment [CON1880] from Bruno Souza (aka the Java Man from Brazil) and Edson Yanaga. In this same time slot, guys from eBay are doing Platform Upgrades as a Service [CON5685], which discusses how they rely on automation to make platform upgrades painless. Then Mastering Continuous Delivery and DevOps [CON1844] from Michael Huttermann.
In the exhibit area, the Jenkins project doesn't have its own booth (JavaOne is too expensive for that), but I'll be at the CloudBees booth, so is Jesse Glick. Find us at the booth for any Jenkins questions or impromptu hacking session, which would really help us as we get distracted from the booth duties that way. Or just drop by to get stickers, pin badges, and other handouts to take for your colleagues.
And finally, Script Bowl 2014: The Battle Rages On [CON2939] gets an honorable mention because our own Tyler Croy is representing JRuby against other scripting languages, including my favorite Groovy. Hmm, who should I root for...
The usual suspects, such as CloudBees, XebiaLabs, SOASTA, PuppetLabs, et al are doing a Jenkins-themed continuous delivery event series called "cdSummit." The event is free, has a nice mix of user/vendor talks, and has an appeal to managers and team leads who are working on and struggling with continuous delivery and automation.
I've spoken in the past events, and I enjoyed the high-level pitches from various speakers. The last two events at Paris and London filled up completely, so I suspect others have liked them, too.
If you live near Chicago, Washington DC, or San Francisco, check out the date and see if you can make it. RSVP is from here. If you do, be sure to pick up Jenkins stickers and pin badges!