  1. Jenkins
  2. JENKINS-59615

Hold back security advisories and update-center.json updates until updates are available

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Cannot Reproduce
    • Component/s: _unsorted
    • Labels:
      None

      Description

      Currently, plugin (security) updates are announced via update-center.json (and a Jenkins installation can become aware that they exist), and can be announced as available on security advisories, when they are not actually available yet.

      When this happens, it results in 404 errors (wrapped in Java traces) on the update center.

      This situation is undesirable from a security point of view. It would be desirable to hold back public notification on available security updates (and thus notification on new vulnerabilities to the general public) until patches are actually available. Otherwise it worsens the race between Jenkins administrators and those crafting exploits.

      It was suggested that this (holding back announcement on updates) may be difficult to achieve because some of the mirror servers are not under direct (Jenkins/CloudBees) project control. However, while certainly more complex and error-prone (if the implementation would be too simple), I can see how this can still be achieved with a clever combination of a cron job, curl/wget and tracking state.

      (Please update "Components" as needed - I was unable to identify the correct ones.)

      (I initially brought this up on IRC, but was kindly referred here.)
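
      The cron job with tracked state suggested in the description, as an added example that is not part of the original report or of the Jenkins infrastructure code. The function names, the two-run threshold and the injected head() prober are assumptions; the sample responses are constructed from the redirect chains quoted in the comments on this page, and a single probe location cannot prove that every mirror has synced.

```python
import json
from urllib.parse import urljoin

MAX_REDIRECTS = 5
REQUIRED_OK_RUNS = 2  # assumption: consecutive good probes before an entry is released

# Constructed probe results, modelled on the redirect chains quoted on this page.
M65 = "http://mirrors.jenkins-ci.org/plugins/script-security/1.65/script-security.hpi"
S65 = "http://mirror.serverion.com/jenkins/plugins/script-security/1.65/script-security.hpi"
A66 = "http://archives.jenkins-ci.org/plugins/script-security/1.66/script-security.hpi"
SAMPLE_CANDIDATES = [
    {"name": "script-security", "version": "1.65",
     "url": "https://updates.jenkins.io/download/plugins/script-security/1.65/script-security.hpi"},
    {"name": "script-security", "version": "1.66",
     "url": "http://updates.jenkins-ci.org/download/plugins/script-security/1.66/script-security.hpi"},
]
SAMPLE_RESPONSES = {
    SAMPLE_CANDIDATES[0]["url"]: (302, {"Location": M65}),
    M65: (302, {"Location": S65}),
    S65: (200, {"Content-Length": "1004440"}),
    SAMPLE_CANDIDATES[1]["url"]: (302, {"Location": A66}),
    A66: (404, {}),
}


def sample_head(url):
    """Stand-in for a HEAD request that does not follow redirects itself."""
    return SAMPLE_RESPONSES.get(url, (404, {}))


def resolve(url, head):
    """Follow the redirect chain hop by hop; return (final_status, final_url)."""
    for _ in range(MAX_REDIRECTS + 1):
        status, headers = head(url)
        if status in (301, 302, 303, 307, 308) and "Location" in headers:
            url = urljoin(url, headers["Location"])
            continue
        return status, url
    return None, url  # too many hops: treat the artifact as not available


def gate(candidates, state, head):
    """Split candidates into entries safe to announce and entries to hold back.

    state maps "name:version" to the number of consecutive runs in which the
    artifact answered 200; it is what the cron job persists between runs.
    """
    publishable, held, new_state = [], [], {}
    for entry in candidates:
        key = f"{entry['name']}:{entry['version']}"
        status, final_url = resolve(entry["url"], head)
        ok_runs = state.get(key, 0) + 1 if status == 200 else 0
        new_state[key] = ok_runs
        if ok_runs >= REQUIRED_OK_RUNS:
            publishable.append(entry)
        else:
            held.append({"key": key, "status": status,
                         "last_url": final_url, "ok_runs": ok_runs})
    return publishable, held, new_state


if __name__ == "__main__":
    state = {}
    for run in (1, 2):  # two simulated cron runs
        ok, held, state = gate(SAMPLE_CANDIDATES, state, sample_head)
        print(f"run {run}: publish={[e['version'] for e in ok]} held={held}")
        print("state to persist:", json.dumps(state, sort_keys=True))
```
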

            Activity

            danielbeck Daniel Beck added a comment -

            If you need more information on our Jenkins installation I'm happy to provide it, including logs if you can provide specific instructions.

            If you still have the failed downloads in the logs somewhere, the message should include which mirror it attempted. This might be useful.

            tomreyn Tom Reynolds added a comment - - edited

            Here's the log we have - does this help?

            2019-10-01 18:27:44.367+0000 [id=12]    INFO    hudson.PluginManager#install: Starting installation of a batch of 1 plugins plus their dependencies
            2019-10-01 18:27:50.018+0000 [id=51479] INFO    h.model.UpdateCenter$DownloadJob#run: Starting the installation of script-security on behalf of tomreyn
            2019-10-01 18:27:54.050+0000 [id=51479] INFO    h.m.UpdateCenter$UpdateCenterConfiguration#download: Downloading script-security
            2019-10-01 18:27:54.052+0000 [id=51479] SEVERE  h.model.UpdateCenter$DownloadJob#run: Failed to install script-security
            java.io.FileNotFoundException: http://archives.jenkins-ci.org/plugins/script-security/1.66/script-security.hpi
                    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1896)
                    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1498)
                    at sun.net.www.protocol.http.HttpURLConnection.getHeaderField(HttpURLConnection.java:3057)
                    at java.net.URLConnection.getHeaderFieldLong(URLConnection.java:629)
                    at java.net.URLConnection.getContentLengthLong(URLConnection.java:501)
                    at java.net.URLConnection.getContentLength(URLConnection.java:485)
                    at hudson.model.UpdateCenter$UpdateCenterConfiguration.download(UpdateCenter.java:1161)
            Caused: java.io.FileNotFoundException: http://archives.jenkins-ci.org/plugins/script-security/1.66/script-security.hpi
                    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
                    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
                    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
                    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
                    at sun.net.www.protocol.http.HttpURLConnection$10.run(HttpURLConnection.java:1950)
                    at sun.net.www.protocol.http.HttpURLConnection$10.run(HttpURLConnection.java:1945)
                    at java.security.AccessController.doPrivileged(Native Method)
                    at sun.net.www.protocol.http.HttpURLConnection.getChainedException(HttpURLConnection.java:1944)
                    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1514)
                    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1498)
                    at hudson.model.UpdateCenter$UpdateCenterConfiguration.download(UpdateCenter.java:1177)
            Caused: java.io.IOException: Failed to load http://updates.jenkins-ci.org/download/plugins/script-security/1.66/script-security.hpi to /var/lib/jenkins/plugins/script-security.jpi.tmp
                    at hudson.model.UpdateCenter$UpdateCenterConfiguration.download(UpdateCenter.java:1184)
            Caused: java.io.IOException: Failed to download from http://updates.jenkins-ci.org/download/plugins/script-security/1.66/script-security.hpi (redirected to: http://archives.jenkins-ci.org/plugins/script-security/1.66/script-security.hpi)
                    at hudson.model.UpdateCenter$UpdateCenterConfiguration.download(UpdateCenter.java:1218)
                    at hudson.model.UpdateCenter$DownloadJob._run(UpdateCenter.java:1766)
                    at hudson.model.UpdateCenter$InstallationJob._run(UpdateCenter.java:2037)
                    at hudson.model.UpdateCenter$DownloadJob.run(UpdateCenter.java:1740)
                    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
                    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
                    at hudson.remoting.AtmostOneThreadExecutor$Worker.run(AtmostOneThreadExecutor.java:112)
                    at java.lang.Thread.run(Thread.java:748)
            2019-10-01 18:28:19.872+0000 [id=51401] INFO    hudson.util.Retrier#start: Attempt #1 to do the action check updates server
            2019-10-01 18:28:23.900+0000 [id=51401] INFO    hudson.model.UpdateSite#updateData: Obtained the latest update center data file for UpdateSource default
            2019-10-01 18:28:24.242+0000 [id=51401] INFO    h.m.DownloadService$Downloadable#load: Obtained the updated data file for hudson.tasks.Maven.MavenInstaller
            2019-10-01 18:28:24.367+0000 [id=51401] INFO    h.m.DownloadService$Downloadable#load: Obtained the updated data file for hudson.tasks.Ant.AntInstaller
            2019-10-01 18:28:24.428+0000 [id=35220] INFO    hudson.util.Retrier#start: Attempt #1 to do the action check updates server
            2019-10-01 18:28:25.108+0000 [id=51401] INFO    h.m.DownloadService$Downloadable#load: Obtained the updated data file for hudson.tools.JDKInstaller
            2019-10-01 18:28:25.108+0000 [id=51401] INFO    hudson.util.Retrier#start: Performed the action check updates server successfully at the attempt #1
            2019-10-01 18:28:28.548+0000 [id=35220] INFO    hudson.model.UpdateSite#updateData: Obtained the latest update center data file for UpdateSource default
            2019-10-01 18:28:28.910+0000 [id=35220] INFO    h.m.DownloadService$Downloadable#load: Obtained the updated data file for hudson.tasks.Maven.MavenInstaller
            2019-10-01 18:28:29.033+0000 [id=35220] INFO    h.m.DownloadService$Downloadable#load: Obtained the updated data file for hudson.tasks.Ant.AntInstaller
            2019-10-01 18:28:29.784+0000 [id=35220] INFO    h.m.DownloadService$Downloadable#load: Obtained the updated data file for hudson.tools.JDKInstaller
            2019-10-01 18:28:29.784+0000 [id=35220] INFO    hudson.util.Retrier#start: Performed the action check updates server successfully at the attempt #1
            2019-10-01 18:28:43.455+0000 [id=51401] INFO    hudson.PluginManager#install: Starting installation of a batch of 1 plugins plus their dependencies
            2019-10-01 18:28:43.457+0000 [id=51503] INFO    h.model.UpdateCenter$DownloadJob#run: Starting the installation of script-security on behalf of tomreyn
            2019-10-01 18:28:45.684+0000 [id=51503] INFO    h.m.UpdateCenter$UpdateCenterConfiguration#download: Downloading script-security
            2019-10-01 18:28:45.684+0000 [id=51503] SEVERE  h.model.UpdateCenter$DownloadJob#run: Failed to install script-security
            java.io.FileNotFoundException: http://archives.jenkins-ci.org/plugins/script-security/1.66/script-security.hpi
                    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1896)
                    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1498)
                    at sun.net.www.protocol.http.HttpURLConnection.getHeaderField(HttpURLConnection.java:3057)
                    at java.net.URLConnection.getHeaderFieldLong(URLConnection.java:629)
                    at java.net.URLConnection.getContentLengthLong(URLConnection.java:501)
                    at java.net.URLConnection.getContentLength(URLConnection.java:485)
                    at hudson.model.UpdateCenter$UpdateCenterConfiguration.download(UpdateCenter.java:1161)
            Caused: java.io.FileNotFoundException: http://archives.jenkins-ci.org/plugins/script-security/1.66/script-security.hpi
                    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
                    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
                    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
                    at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
                    at sun.net.www.protocol.http.HttpURLConnection$10.run(HttpURLConnection.java:1950)
                    at sun.net.www.protocol.http.HttpURLConnection$10.run(HttpURLConnection.java:1945)
                    at java.security.AccessController.doPrivileged(Native Method)
                    at sun.net.www.protocol.http.HttpURLConnection.getChainedException(HttpURLConnection.java:1944)
                    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1514)
                    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1498)
                    at hudson.model.UpdateCenter$UpdateCenterConfiguration.download(UpdateCenter.java:1177)
            Caused: java.io.IOException: Failed to load http://updates.jenkins-ci.org/download/plugins/script-security/1.66/script-security.hpi to /var/lib/jenkins/plugins/script-security.jpi.tmp
                    at hudson.model.UpdateCenter$UpdateCenterConfiguration.download(UpdateCenter.java:1184)
            Caused: java.io.IOException: Failed to download from http://updates.jenkins-ci.org/download/plugins/script-security/1.66/script-security.hpi (redirected to: http://archives.jenkins-ci.org/plugins/script-security/1.66/script-security.hpi)
                    at hudson.model.UpdateCenter$UpdateCenterConfiguration.download(UpdateCenter.java:1218)
                    at hudson.model.UpdateCenter$DownloadJob._run(UpdateCenter.java:1766)
                    at hudson.model.UpdateCenter$InstallationJob._run(UpdateCenter.java:2037)
                    at hudson.model.UpdateCenter$DownloadJob.run(UpdateCenter.java:1740)
                    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
                    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
                    at hudson.remoting.AtmostOneThreadExecutor$Worker.run(AtmostOneThreadExecutor.java:112)
                    at java.lang.Thread.run(Thread.java:748)
            

            curl output (1):

            jenkins@ciserver$ curl -i https://updates.jenkins.io/download/plugins/script-security/1.65/script-security.hpi
            HTTP/1.1 302 Found
            Date: Wed, 02 Oct 2019 13:39:58 GMT
            Server: Apache/2.4.29 (Ubuntu)
            Location: http://mirrors.jenkins-ci.org/plugins/script-security/1.65/script-security.hpi
            Content-Length: 262
            Content-Type: text/html; charset=iso-8859-1
            
            <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
            <html><head>
            <title>302 Found</title>
            </head><body>
            <h1>Found</h1>
            <p>The document has moved <a href="http://mirrors.jenkins-ci.org/plugins/script-security/1.65/script-security.hpi">here</a>.</p>
            </body></html>
            

            curl output (2):

            $ curl -IL https://updates.jenkins.io/download/plugins/script-security/1.65/script-security.hpi
            HTTP/1.1 302 Found
            Date: Wed, 02 Oct 2019 13:42:37 GMT
            Server: Apache/2.4.29 (Ubuntu)
            Location: http://mirrors.jenkins-ci.org/plugins/script-security/1.65/script-security.hpi
            Content-Type: text/html; charset=iso-8859-1
            
            HTTP/1.1 302 Found
            Date: Wed, 02 Oct 2019 13:42:40 GMT
            Server: Apache/2.4.29 (Ubuntu)
            X-MirrorBrain-Mirror: serverion.com
            X-MirrorBrain-Realm: region
            Link: <http://mirrors.jenkins-ci.org/plugins/script-security/1.65/script-security.hpi.meta4>; rel=describedby; type="application/metalink4+xml"
            Link: <http://mirror.serverion.com/jenkins/plugins/script-security/1.65/script-security.hpi>; rel=duplicate; pri=1; geo=nl
            Link: <http://ftp-nyc.osuosl.org/pub/jenkins/plugins/script-security/1.65/script-security.hpi>; rel=duplicate; pri=2; geo=us
            Link: <http://ftp-chi.osuosl.org/pub/jenkins/plugins/script-security/1.65/script-security.hpi>; rel=duplicate; pri=3; geo=us
            Location: http://mirror.serverion.com/jenkins/plugins/script-security/1.65/script-security.hpi
            Content-Type: text/html; charset=iso-8859-1
            
            HTTP/1.1 200 OK
            Date: Wed, 02 Oct 2019 13:41:49 GMT
            Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.2.17
            Last-Modified: Tue, 01 Oct 2019 12:53:35 GMT
            ETag: "f5398-593d8d72071c0"
            Accept-Ranges: bytes
            Content-Length: 1004440
            Content-Type: application/vnd.hp-hpid
            

            Please note the version difference: You had me request version 1.65 whereas the plugin updates our Jenkins installation tried to download yesterday were for version 1.66.
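
            One way to pull the failed downloads and the host that answered them out of a Jenkins log like the one above, as an added example that is not part of the original comments. The function names are assumptions, the sample log is constructed from lines quoted on this page, and the parser also rejoins a "redirected to" URL that a terminal wrapped mid-line.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Timestamped Jenkins log record: time, thread id, level, source, message.
TS = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}[+-]\d{4}) "
                r"\[id=(\d+)\]\s+(\w+)\s+(\S+): (.*)$")
INSTALL = re.compile(r"Failed to install (\S+)")
FAILED = re.compile(r"Failed to download from (\S+) \(redirected to: (\S+)\)")
VERSION = re.compile(r"/plugins/([^/]+)/([^/]+)/[^/]+\.[hj]pi$")

# Constructed sample, trimmed from the log on this page (first URL is wrapped).
SAMPLE_LOG = """\
2019-10-01 18:27:54.050+0000 [id=51479] INFO    h.m.UpdateCenter$UpdateCenterConfiguration#download: Downloading script-security
2019-10-01 18:27:54.052+0000 [id=51479] SEVERE  h.model.UpdateCenter$DownloadJob#run: Failed to install script-security
java.io.FileNotFoundException: http://archives.jenkins-ci.org/plugins/script-security/1.66/script-security.hpi
        at hudson.model.UpdateCenter$UpdateCenterConfiguration.download(UpdateCenter.java:1161)
Caused: java.io.IOException: Failed to download from http://updates.jenkins-ci.org/download/plugins/script-security/1.66/script-security.hpi (redirected to: http://archives.jenkins-ci.org/plugins/script-security/1
.66/script-security.hpi)
        at hudson.model.UpdateCenter$UpdateCenterConfiguration.download(UpdateCenter.java:1218)
2019-10-01 18:28:25.108+0000 [id=51401] INFO    hudson.util.Retrier#start: Performed the action check updates server successfully at the attempt #1
2019-10-01 18:28:45.684+0000 [id=51503] SEVERE  h.model.UpdateCenter$DownloadJob#run: Failed to install script-security
Caused: java.io.IOException: Failed to download from http://updates.jenkins-ci.org/download/plugins/script-security/1.66/script-security.hpi (redirected to: http://archives.jenkins-ci.org/plugins/script-security/1.66/script-security.hpi)
        at hudson.model.UpdateCenter$UpdateCenterConfiguration.download(UpdateCenter.java:1218)
"""


def unwrap(lines):
    """Rejoin a 'redirected to:' URL that was split across physical lines."""
    out = []
    for raw in lines:
        line = raw.strip()
        if out and "(redirected to:" in out[-1] and not out[-1].endswith(")"):
            out[-1] += line
        elif line:
            out.append(line)
    return out


def failed_downloads(text):
    """Return one record per failed plugin install, with the host that answered."""
    events, current = [], None
    for line in unwrap(text.splitlines()):
        rec = TS.match(line)
        if rec:
            ts, thread, level, _source, msg = rec.groups()
            inst = INSTALL.search(msg)
            # Only a SEVERE "Failed to install" record opens an event.
            current = ({"time": ts, "thread": thread, "plugin": inst.group(1)}
                       if level == "SEVERE" and inst else None)
            continue
        hit = FAILED.search(line)
        if current and hit:
            requested, final = hit.groups()
            ver = VERSION.search(urlparse(final).path)
            events.append({**current, "requested": requested,
                           "served_by": urlparse(final).hostname,
                           "version": ver.group(2) if ver else None})
            current = None
    return events


def by_mirror(events):
    """Count failures per answering host, to see whether one mirror stands out."""
    return dict(Counter(e["served_by"] for e in events))


if __name__ == "__main__":
    for event in failed_downloads(SAMPLE_LOG):
        print(event)
    print(by_mirror(failed_downloads(SAMPLE_LOG)))
```
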

            dnusbaum Devin Nusbaum added a comment -

            Probably unrelated to the security update. I released script-security 1.66 a few hours after the 1.65 security release with an unrelated bug fix. Regular non-security plugin releases seem to encounter these 404 errors pretty often (I think the underlying issue is tracked as INFRA-1302). Awkward because the update center always recommends the latest versions of plugins (barring some cases involving old LTS lines), but in this case, users probably just want the release mentioned in the security advisory.

            danielbeck Daniel Beck added a comment -

            Yup. The maintainers of script-security released a new version shortly after we published the security fix, and it overrode the version we made available. So you experienced INFRA-160 with exceptionally bad, security-related timing.

            Looks like I should ask maintainers not to release new versions for a day or two after advisory publication unless necessary to fix regressions.

            tomreyn Tom Reynolds added a comment -

            Thanks, I subscribed to INFRA-160.


              People

              • Assignee:
                danielbeck Daniel Beck
                Reporter:
                tomreyn Tom Reynolds
              • Votes:
                0
                Watchers:
                2