JENKINS-43637 Secures groovy script execution #15
Conversation
Also, I volunteer to maintain this plugin, if you agree. You'll find the discussion in the developer mailing list here: https://groups.google.com/d/msg/jenkinsci-dev/WNNUJA1PYIg/8O8q29MEBQAJ |
Since I removed the PostBuildScriptListener, this pull request also fixes JENKINS-31041 |
Also fixes JENKINS-19873 |
I vote @dheid gets approved as maintainer. He seems to be the only one working on this. |
Thx, Patrick!

> On 02.11.2017 3:20 PM Patrick Pierson <notifications@github.com> wrote: I vote @dheid gets approved as maintainer. He seems to be the only one working on this.
|
It would be great if @dheid were approved as maintainer. I use this plugin too. |
@dheid looks like the wait time is at least 2 weeks.
That being said, this should be an exception because the last commit was on Jan 6, 2015 and now this plugin is vulnerable. @gboissinot mind just agreeing that @dheid can take over? |
@gboissinot informed me a while back that all his plugins are to be considered abandoned, so that's not a blocker. We just suck at handling emails. @dheid Please open a PR to https://github.com/jenkins-infra/repository-permissions-updater/ (the README explains what's needed) and mention that you need Git commit access as well (if applicable) and/or that you want to take over as maintainer (if applicable). |
Thank you all! Here is the pull request: |
This should declare a compatibility warning to make existing users (hopefully) read the changelog: |
Thanks for the hint. I added the compatibility warning: 871b35a |
Thanks for fixing this! I saw that you made a new release, but the plugin page says "Distribution of This Plugin Has Been Suspended". I'll try to be patient, but I don't know what the next steps are for allowing people to upgrade. |
Ah, I think this is it: jenkins-infra/update-center2#169 |
Correct. I'm trying to remove the plugin from the blacklist. The Groovy script security mechanism is now included. |
@dheid is this plugin still blacklisted? Can we start using this plugin soon? On the Jenkins page I see "Distribution of This Plugin Has Been Suspended" |
Hi Vijay! As soon as my pull request is merged by @daniel-beck, the blacklisting will be removed: https://github.com/jenkins-infra/backend-update-center2/pull/169

> On 11.11.2017 7:45 PM Vijay Tripathi <notifications@github.com> wrote: @dheid is this plugin still blacklisted? Can we start using this plugin soon? On the Jenkins page I see "Distribution of This Plugin Has Been Suspended"
|
Thanks Daniel, waiting for this PR to be merged. @daniel-beck |
Looks like jenkins-infra/update-center2#169 has been merged, but I still see "Distribution of This Plugin Has Been Suspended". I'm not sure how frequently they update based on changes like this. |
@scpeters It works for my Jenkins server now. Would you please retry it? |
@scpeters Oh, you're talking about the Wiki page. Good question. I think I must do a little research on how to disable the warning on these autogenerated pages. |
Fixes the arbitrary code execution vulnerability by using SecureGroovyScript (https://issues.jenkins-ci.org/browse/JENKINS-43637)
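The pull request description above names the fix but does not show what it looks like in a plugin. The following is an added illustration, not code from the postbuildscript plugin or from this pull request: a hypothetical `GuardedGroovyRunner` class that contrasts the unsafe pattern (handing job-configured Groovy text straight to `GroovyShell`) with the Script Security plugin's `SecureGroovyScript`. It assumes the Script Security plugin's public API as of 2017 (`SecureGroovyScript(String, boolean, List)`, `configuring(ApprovalContext)`, `evaluate(ClassLoader, Binding)`, and the `RejectedAccessException` / `UnapprovedUsageException` types); the class and method names `GuardedGroovyRunner` and `run` are invented for the example.

```java
import groovy.lang.Binding;
import org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException;
import org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript;
import org.jenkinsci.plugins.scriptsecurity.scripts.ApprovalContext;
import org.jenkinsci.plugins.scriptsecurity.scripts.UnapprovedUsageException;

/**
 * Hypothetical helper (example only, not the postbuildscript plugin's code)
 * showing the before/after of securing job-configured Groovy execution.
 */
public class GuardedGroovyRunner {

    /*
     * BEFORE (the vulnerable pattern described by JENKINS-43637): the script
     * string from the job configuration is evaluated directly, so anyone who
     * can configure the job runs arbitrary code inside the Jenkins master
     * process, with no approval step and no sandbox.
     *
     *     Object unsafe(String script, Binding binding) {
     *         return new groovy.lang.GroovyShell(binding).evaluate(script);
     *     }
     */

    /** The job-configured script, wrapped by the Script Security plugin. */
    private final SecureGroovyScript script;

    /**
     * @param scriptText the Groovy source entered in the job configuration
     * @param sandbox    true: interpret under the Groovy sandbox whitelist;
     *                   false: run only after an administrator approves this
     *                   exact script text in "In-process Script Approval"
     */
    public GuardedGroovyRunner(String scriptText, boolean sandbox) {
        // configuring() is meant to be called when the job is saved: it records
        // who submitted the script and, for non-sandboxed scripts, queues the
        // text for administrator approval instead of trusting it.
        // The third argument (extra classpath entries) is not needed here.
        this.script = new SecureGroovyScript(scriptText, sandbox, null)
                .configuring(ApprovalContext.create().withCurrentUser());
    }

    /** Runs the script at build time; callers decide how to report failures. */
    public Object run(ClassLoader loader, Binding binding) throws Exception {
        try {
            // Sandboxed scripts run through the script-security interpreter;
            // non-sandboxed scripts run only if an admin approved this text.
            return script.evaluate(loader, binding);
        } catch (RejectedAccessException e) {
            // The sandbox blocked a call outside the whitelist. An admin can
            // whitelist the signature from the approval page if it is legitimate.
            throw new IllegalStateException(
                    "Script used a non-whitelisted API: " + e.getMessage(), e);
        } catch (UnapprovedUsageException e) {
            // The script text has not been approved yet, so nothing was executed.
            throw new IllegalStateException(
                    "Script is pending administrator approval", e);
        }
    }
}
```

The important design point is that the decision to run moves from the job configurer to either the sandbox whitelist or an administrator's explicit approval; the build itself never evaluates unreviewed text. In a real plugin the `configuring(...)` call belongs in the `@DataBoundConstructor` of the build step so the approval entry is created when the job is saved, not at build time.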