JENKINS-54031

GitHub OAuth plugin fails with Jenkins 2.146

    Details

    • Released As:
      github-oauth-0.31

      Description

      When updating to Jenkins 2.146 the "GitHub Committer Authorization strategy" no longer works.

      Users can log in but get granted no permissions at all.

      Downgrading to Jenkins 2.145 fixes the issue (but due to security advisories being present isn't a good solution at all)

      Setting logging to FINEST shows the plugin "tries" to grant the correct permissions, but Jenkins does not seem to respect them.

            Activity

            kthhrv2 Keith Harvey added a comment -

            Any update on this? Thanks.

            danielbeck Daniel Beck added a comment -

            Per today's security advisory, it is indeed not safe to apply the workaround that disables the additional permission check. Previously published documentation has been updated.

            https://jenkins.io/security/advisory/2018-12-05/#SECURITY-595

            https://jenkins.io/doc/upgrade-guide/2.138/#security-hardening-impacts-use-of-github-oauth-plugin

             

            daniel15 Daniel Lo Nigro added a comment -

            Are there any workarounds that don't cause security issues?

            sag47 Sam Gleske added a comment -

            A few minutes ago I released 0.31 which includes https://github.com/jenkinsci/github-oauth-plugin/pull/103. This should be resolved. Please re-open if not.

            jhochheiser jeremy hochheiser added a comment -

            Sam Gleske and Mark Dietzer, this is still an issue all the way from 2.131.2 to LTS (2.164.2). We are stuck on 2.131.1 and unable to move forwards until this is resolved. Could you please revisit this issue?


              People

              Assignee:
              sag47 Sam Gleske
              Reporter:
              doridian Mark Dietzer
              Votes:
              13
              Watchers:
              23
