[JENKINS-34996] Sec-170-related: Release plugin needs to declare parameters

Type: Bug
Resolution: Fixed
Priority: Blocker
Component/s: release-plugin
Labels:
- security-170
Environment:
1.651.2+ and Jenkins 2.3+

Similar Issues:
Powered by SuggestiMate

Show

Injecting arbitrary parameters is now forbidden, so the plugin should declare them to the jobs.
See https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-05-11

Major impacts:

Undeclared vars are not present anymore

Release Plugin was listed on the page: https://wiki.jenkins-ci.org/display/JENKINS/Plugins+affected+by+fix+for+SECURITY-170 and no issue was yet created for this.

is related to

JENKINS-35257 Release plugin ignores release parameters in Jenkins 2.7

Resolved

links to

Justin Fiore created issue - 2016-05-20 17:59

Antonio Muñiz made changes - 2016-05-24 11:35

Assignee

Original: Peter Hayes [ petehayes ]

New: Antonio Muñiz [ amuniz ]

Antonio Muñiz made changes - 2016-05-24 11:35

Status

Original: Open [ 1 ]

New: In Progress [ 3 ]

Matthew Griffin made changes - 2016-05-27 14:41

Priority

Original: Major [ 3 ]

New: Blocker [ 1 ]

Matthew Griffin added a comment - 2016-05-27 14:42

This renders this plugin entirely unusable, unfortunately. Even simple variable substitution in an Execute Shell is not possible, as the variables are now undefined.

Matthew Griffin added a comment - 2016-05-27 14:42 This renders this plugin entirely unusable, unfortunately. Even simple variable substitution in an Execute Shell is not possible, as the variables are now undefined.

Johnny Shields added a comment - 2016-05-27 14:58

I think this merits an advisory in the documentation, "Jenkins 2.3+ requires GHPRB plugin version X.Y.Z or later"

Johnny Shields added a comment - 2016-05-27 14:58 I think this merits an advisory in the documentation, "Jenkins 2.3+ requires GHPRB plugin version X.Y.Z or later"

Michael Templeton added a comment - 2016-05-27 15:01

Plugin is currently useless. Can't even do basic variable substitution in shell.

Michael Templeton added a comment - 2016-05-27 15:01 Plugin is currently useless. Can't even do basic variable substitution in shell.

Antonio Muñiz made changes - 2016-06-02 14:11

Remote Link

New: This issue links to "PR (Web Link)" [ 14363 ]

Antonio Muñiz added a comment - 2016-06-02 14:12

Proposed fix: https://github.com/jenkinsci/release-plugin/pull/17

Antonio Muñiz added a comment - 2016-06-02 14:12 Proposed fix: https://github.com/jenkinsci/release-plugin/pull/17

Oleg Nenashev made changes - 2016-07-17 10:36

Link

New: This issue is related to ~~JENKINS-35257~~ [ ~~JENKINS-35257~~ ]

Assignee:: Antonio Muñiz

Reporter:: Justin Fiore

Votes:: 7 Vote for this issue

Watchers:: 14 Start watching this issue

Created:: 2016-05-20 17:59

Updated:: 2016-09-29 07:46

Resolved:: 2016-09-29 07:46

Jenkins

Details

Description

Attachments

Issue Links

Activity

Collapse comment: Matthew Griffin added a comment - 2016-05-27 14:42

Expand comment: Matthew Griffin added a comment - 2016-05-27 14:42

Collapse comment: Johnny Shields added a comment - 2016-05-27 14:58

Expand comment: Johnny Shields added a comment - 2016-05-27 14:58

Collapse comment: Michael Templeton added a comment - 2016-05-27 15:01

Expand comment: Michael Templeton added a comment - 2016-05-27 15:01

Collapse comment: Antonio Muñiz added a comment - 2016-06-02 14:12

Expand comment: Antonio Muñiz added a comment - 2016-06-02 14:12

People

Dates