Jenkins / JENKINS-58715

Gerrit Trigger Plugin is affected by SECURITY-534 fix in Jenkins 2.176.2 and 2.186

    • Type: Bug
    • Resolution: Fixed
    • Priority: Minor
    • Component/s: gerrit-trigger-plugin
    • Labels: None
    • Environment: Core 2.176.2+ and 2.186+
    • Released As: 2.29.0

      After upgrading our master to CloudBees 2.138.42.0.1, which picked up a back-ported SECURITY-534 fix, I was unable to view the server list on the Gerrit Trigger status page. The table simply read "Data Error." and the /gerrit-trigger/serverStatuses call returns a 404. The servers themselves seemed functional according to the logs. Also in the logs:

      WARNING: New Stapler dispatch rules result in the URL "/gerrit-trigger/serverStatuses" no longer being allowed. If you consider it safe to use, add the following to the whitelist: "com.sonyericsson.hudson.plugins.gerrit.trigger.GerritManagement serverStatuses". Learn more: https://jenkins.io/redirect/stapler-facet-restrictions

      Adding the above to the whitelist fixed the issue. 
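The warning quoted above is the only handle an administrator has on which views the SECURITY-534 rules blocked, and on a master with many plugins there can be dozens of them. As an added example (not code from this report, from the Gerrit Trigger plugin or from Jenkins core), the Python below pulls the "Class view" pair out of lines in exactly that format and merges the pairs into the whitelist without duplicating entries that are already there. Assumptions: the log lines are constructed for the example, and the whitelist file name stapler-views-whitelist.txt under JENKINS_HOME comes from the jenkins.io page the warning links to, not from this report, so confirm it for your version. Every entry added this way re-exposes a view the core fix blocked, so review each one and prefer the plugin upgrade the thread ends with (2.29.0 needs no whitelist entry).

```python
import re
from pathlib import Path

# The core warning names both the blocked URL and the "fully.qualified.Class view"
# pair that the whitelist expects; capture both so the URL can be reported to the reviewer.
WARNING_RE = re.compile(
    r'New Stapler dispatch rules result in the URL "(?P<url>[^"]+)" no longer being allowed\.'
    r'.*?add the following to the whitelist: "(?P<entry>[^"]+)"'
)

# Accept only "java.package.Class viewName": one whitespace-separated class name and view name.
ENTRY_RE = re.compile(r'^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*\s+[\w$.-]+$')

# Constructed sample log for the example: the warning from the report, a repeat of it and
# an unrelated line. Not a real Jenkins log capture.
SAMPLE_LOG = """\
WARNING: New Stapler dispatch rules result in the URL "/gerrit-trigger/serverStatuses" no longer being allowed. If you consider it safe to use, add the following to the whitelist: "com.sonyericsson.hudson.plugins.gerrit.trigger.GerritManagement serverStatuses". Learn more: https://jenkins.io/redirect/stapler-facet-restrictions
INFO: Gerrit Trigger status page requested
WARNING: New Stapler dispatch rules result in the URL "/gerrit-trigger/serverStatuses" no longer being allowed. If you consider it safe to use, add the following to the whitelist: "com.sonyericsson.hudson.plugins.gerrit.trigger.GerritManagement serverStatuses". Learn more: https://jenkins.io/redirect/stapler-facet-restrictions
"""


def extract_entries(log_text: str) -> dict:
    """Map each whitelist entry found in the log to the blocked URL it was reported for.

    Repeated warnings for the same view collapse to one entry; malformed pairs are skipped
    rather than written into the whitelist.
    """
    entries = {}
    for line in log_text.splitlines():
        m = WARNING_RE.search(line)
        if not m:
            continue
        entry = " ".join(m.group("entry").split())
        if ENTRY_RE.match(entry):
            entries.setdefault(entry, m.group("url"))
    return entries


def merge_whitelist(existing_text: str, new_entries) -> str:
    """Return the whitelist content with unknown entries appended.

    Comment lines ('#') and blank lines are preserved; existing entries are compared after
    whitespace normalisation so a re-run never duplicates a line.
    """
    lines = existing_text.splitlines()
    present = {" ".join(l.split()) for l in lines if l.strip() and not l.lstrip().startswith("#")}
    out = list(lines)
    for entry in sorted(new_entries):
        normalised = " ".join(entry.split())
        if normalised not in present:
            out.append(normalised)
            present.add(normalised)
    return "\n".join(out) + "\n"


def update_whitelist_file(jenkins_home, log_text: str) -> list:
    """Merge the entries from log_text into JENKINS_HOME/stapler-views-whitelist.txt.

    Returns the entries that were actually added so the administrator can review them.
    The file name is taken from the linked documentation (assumption, see lead-in).
    """
    path = Path(jenkins_home) / "stapler-views-whitelist.txt"
    existing = path.read_text() if path.exists() else "# views re-enabled after review\n"
    found = extract_entries(log_text)
    merged = merge_whitelist(existing, found)
    added = [e for e in found if e not in existing.split("\n")]
    if merged != existing:
        path.write_text(merged)
    return added


if __name__ == "__main__":
    for entry, url in extract_entries(SAMPLE_LOG).items():
        print(f"{url} -> whitelist entry: {entry}")
```

Run it against the real log (for example `java.util.logging` output or `jenkins.log`) only after deciding, per entry, that the view is safe to serve; the warning text itself says "if you consider it safe to use", and that decision is the administrator's, not the script's.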

          [JENKINS-58715] Gerrit Trigger Plugin is affected by SECURITY-534 fix in Jenkins 2.176.2 and 2.186

          Daniel Beck added a comment -

          Which version of Gerrit Trigger Plugin is this? My guess would be older than 2.29.0.

          Chris Jones added a comment - edited

          Yes, it was left on 2.27.2 after the JEP-200 induced plugin upgrade. I'll try to stand up a clone and test 2.29.0.

          Chris Jones added a comment -

          Using Gerrit Trigger 2.29.0, I can see the server list without a whitelist. Thanks!

          I still see the Stapler block on 2.28.0, so I guess the 2.29.0 did the trick.

            Assignee: rsandell
            Reporter: Chris Jones (chrijon3)
            Votes: 0
            Watchers: 1
