
4 matches found

OSV
added 2026/03/23 4:34 p.m. · 3 views

CLSA-2026-1774283672 Fix CVE(s): CVE-2026-25965

SECURITY UPDATE: local file disclosure through path traversal bypass of path security policy - debian/patches/CVE-2026-25965.patch: Resolve and canonicalize file paths before policy pattern matching; prevent path traversal by fixing policy checks that matched unnormalized paths including symlinks...

CVSS 8.6 · AI score 7.3 · EPSS 0.00018
Exploits 0 · References 1
RedHat Linux
added 2021/12/02 6:37 p.m. · 3 views

jenkins: File path filters do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories

A link-following vulnerability was found in Jenkins. The file path filters do not canonicalize paths, allowing operations to follow symbolic links to directories they are not supposed to have access to. This may allow an attacker to read and write arbitrary files on the Jenkins controller file...

CVSS 8.1 · AI score 5.9 · EPSS 0.00506
Exploits 0 · References 5
Prion
added 2021/11/04 5:15 p.m. · 20 views

Design/Logic Flaw

File path filters in the agent-to-controller security subsystem of Jenkins 2.318 and earlier, LTS 2.303.2 and earlier do not canonicalize paths, allowing operations to follow symbolic links to outside allowed directories...

CVSS 5.8 · AI score 8.6 · EPSS 0.00506
Exploits 0 · References 1 · Affected Software 1
Positive Technologies
added 2021/11/04 12:0 a.m. · 1 views

PT-2021-5282 · Jenkins · Jenkins

Name of the Vulnerable Software and Affected Versions: Jenkins versions 2.318 and earlier; Jenkins LTS versions 2.303.2 and earlier.
Description: The issue is related to the agent-to-controller security subsystem of Jenkins, where file path filters do not canonicalize paths. This allows operations ...

CVSS 9.8 · AI score 8.5 · EPSS 0.00506
Exploits 0 · References 15