Several plug-ins are no longer available through update center.

      In upgrading plug-ins to address https://jenkins.io/security/advisory/2017-04-10/ it appears some of the plug-ins affected are no longer available through Update Center (either their new-fixed, or old vulnerable, versions). Their respective wiki pages still exist, but show "No Information For This Plugin" in the metadata section at the top, specifically:

      • scriptler
      • active-choice (uno-choice)
      • postbuild script
      • splunk-devops-extend (and updated splunk-devops is available, but does not encompass the "extended" plug-in previously available).

          [JENKINS-43661] Several plug-ins are no longer available through update center.

          Bruno P. Kinoshita added a comment - There are issues already in security project. Creating another issue here will likely get forgotten and may confuse other users with different users.

          Chaz Ruhl added a comment -

          Great.  I obviously didn't find them when I went looking for them - what are they?  I would like to know when they are resolved.

          Bruno P. Kinoshita added a comment -

          > Great. I obviously didn't find them when I went looking for them - what are they? I would like to know when they are resolved.

          danielbeck, do you know if there is any way of users being notified when SECURITY bugs are fixed?

          Daniel Beck added a comment -

          We notify https://groups.google.com/d/forum/jenkinsci-advisories and the archive is at https://jenkins.io/security/advisories/

          Access to SECURITY issues is limited to the reporter, security team, and possibly assignee (typically plugin maintainer), for obvious reasons. Notably, for Active Choices, since it's just the mandatory dependency to Scriptler that suspended its distribution (unsatisfied dependency when installing from scratch), there's no SECURITY issue for it.

          The unprecedented step to release an advisory without fix in place means that SECURITY issues may not be fixed (well, I closed them as there's no longer a need to track them privately…). Our process doesn't really support that, so public JENKINS issues corresponding to specific private SECURITY issues mentioned in the advisory is actually a good idea IMO. Having a single issue for completely unrelated plugins is less of a good idea – who owns it?

          In this case, there's also https://wiki.jenkins-ci.org/display/JENKINS/Script+Security+Support+in+Plugins tracking fix progress that can be subscribed to. Notably, for Active Choices (again), the issue is the Scriptler dependency, not anything wrong with the plugin itself.


            kinow Bruno P. Kinoshita
            cruhl Chaz Ruhl