  1. Jenkins
  2. JENKINS-43661

Several plug-ins are no longer available through update center.

      Description

      In upgrading plug-ins to address https://jenkins.io/security/advisory/2017-04-10/ it appears some of the plug-ins affected are no longer available through Update Center (either their new-fixed, or old vulnerable, versions). Their respective wiki pages still exist, but show "No Information For This Plugin" in the metadata section at the top, specifically:

      • scriptler
      • active-choice (uno-choice)
      • postbuild script
      • splunk-devops-extend (and updated splunk-devops is available, but does not encompass the "extended" plug-in previously available).

          Activity

          kinow Bruno P. Kinoshita added a comment -

          There are issues already in security project. Creating another issue here will likely get forgotten and may confuse other users with different users.

          cruhl Chaz Ruhl added a comment -

          Great.  I obviously didn't find them when I went looking for them - what are they?  I would like to know when they are resolved.

          kinow Bruno P. Kinoshita added a comment -

          >Great. I obviously didn't find them when I went looking for them - what are they? I would like to know when they are resolved.

          Daniel Beck, do you know if there is any way of users being notified when SECURITY bugs are fixed?

          danielbeck Daniel Beck added a comment -

          We notify https://groups.google.com/d/forum/jenkinsci-advisories and the archive is at https://jenkins.io/security/advisories/

          Access to SECURITY issues is limited to the reporter, security team, and possibly assignee (typically plugin maintainer), for obvious reasons. Notably, for Active Choices, since it's just the mandatory dependency to Scriptler that suspended its distribution (unsatisfied dependency when installing from scratch), there's no SECURITY issue for it.

          The unprecedented step to release an advisory without fix in place means that SECURITY issues may not be fixed (well, I closed them as there's no longer a need to track them privately…). Our process doesn't really support that, so public JENKINS issues corresponding to specific private SECURITY issues mentioned in the advisory is actually a good idea IMO. Having a single issue for completely unrelated plugins is less of a good idea – who owns it?

          In this case, there's also https://wiki.jenkins-ci.org/display/JENKINS/Script+Security+Support+in+Plugins tracking fix progress that can be subscribed to. Notably, for Active Choices (again), the issue is the Scriptler dependency, not anything wrong with the plugin itself.


            People

            • Assignee:
              kinow Bruno P. Kinoshita
              Reporter:
              cruhl Chaz Ruhl