Jenkins before 1.586 does not set the secure flag on session cookies when run on Tomcat 7.0.41 or later, which makes it easier for remote attackers to capture cookies by intercepting their transmission within an HTTP session.
www.openwall.com/lists/oss-security/2015/01/22/3
www.securityfocus.com/bid/72054
bugs.debian.org/cgi-bin/bugreport.cgi?bug=769682
bugzilla.redhat.com/show_bug.cgi?id=1185148
github.com/jenkinsci/jenkins/commit/582128b9ac179a788d43c1478be8a5224dc19710
issues.jenkins-ci.org/browse/JENKINS-25019
jenkins.io/changelog-old/