JENKINS-58715

Gerrit Trigger Plugin is affected by SECURITY-534 fix in Jenkins 2.176.2 and 2.186

    Details

    • Released As:
      2.29.0

      Description

      After upgrading our master to CloudBees 2.138.42.0.1, which picked up a back-ported SECURITY-534 fix, I was unable to view the server list on the Gerrit Trigger status page. The table simply read "Data Error." and the /gerrit-trigger/serverStatuses call returns a 404. The servers themselves seemed functional according to the logs. Also in the logs:

      WARNING: New Stapler dispatch rules result in the URL "/gerrit-trigger/serverStatuses" no longer being allowed. If you consider it safe to use, add the following to the whitelist: "com.sonyericsson.hudson.plugins.gerrit.trigger.GerritManagement serverStatuses". Learn more: https://jenkins.io/redirect/stapler-facet-restrictions

      Adding the above to the whitelist fixed the issue. 
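To list every view blocked this way after an upgrade, the warning format quoted above can be extracted from the Jenkins log and grouped by class, so each entry can be checked against a plugin update before anything is whitelisted. This is an added example, not part of the original report or the plugin's code; the sample log lines are constructed and org.example.plugins.demo.DemoAction is a hypothetical class.

```python
import re
from collections import defaultdict

# Matches the Stapler warning format quoted in the report above.
STAPLER_WARNING = re.compile(
    r'New Stapler dispatch rules result in the URL "(?P<url>[^"]+)" '
    r'no longer being allowed\..*?add the following to the whitelist: '
    r'"(?P<cls>\S+) (?P<view>[^"\s]+)"'
)

def blocked_views(log_lines):
    """Return {class name: {view name: sorted list of blocked URLs}}."""
    found = defaultdict(lambda: defaultdict(set))
    for line in log_lines:
        m = STAPLER_WARNING.search(line)
        if m:
            found[m["cls"]][m["view"]].add(m["url"])
    return {cls: {view: sorted(urls) for view, urls in views.items()}
            for cls, views in found.items()}

def report(log_lines):
    """One line per distinct class/view pair, for review before whitelisting."""
    out = []
    for cls, views in sorted(blocked_views(log_lines).items()):
        for view, urls in sorted(views.items()):
            out.append(f"{cls} {view} <- {', '.join(urls)}")
    return out

def _warning(url, entry):
    # Rebuilds the warning text in the format shown in the report.
    return ('WARNING: New Stapler dispatch rules result in the URL "' + url +
            '" no longer being allowed. If you consider it safe to use, add '
            'the following to the whitelist: "' + entry + '". Learn more: '
            'https://jenkins.io/redirect/stapler-facet-restrictions')

GERRIT = "com.sonyericsson.hudson.plugins.gerrit.trigger.GerritManagement serverStatuses"
# Constructed sample log: the reported warning (twice), noise, a hypothetical class.
SAMPLE_LOG = [
    _warning("/gerrit-trigger/serverStatuses", GERRIT),
    "INFO: Jenkins is fully up and running",
    _warning("/gerrit-trigger/serverStatuses", GERRIT),
    _warning("/demo/status", "org.example.plugins.demo.DemoAction status"),
]

if __name__ == "__main__":
    for entry in report(SAMPLE_LOG):
        print(entry)
```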

          Activity

          danielbeck Daniel Beck added a comment -

          Which version of Gerrit Trigger Plugin is this? My guess would be older than 2.29.0.

          chrijon3 Chris Jones added a comment - edited

          Yes, it was left on 2.27.2 after the JEP-200 induced plugin upgrade. I'll try to stand up a clone and test 2.29.0.

          chrijon3 Chris Jones added a comment -

          Using Gerrit Trigger 2.29.0, I can see the server list without a whitelist. Thanks!

          I still see the Stapler block on 2.28.0, so I guess the 2.29.0 did the trick.


            People

            • Assignee:
              rsandell rsandell
              Reporter:
              chrijon3 Chris Jones