• Icon: Task Task
    • Resolution: Duplicate
    • Icon: Minor Minor
    • core
    • None
    • Jenkins 2.220

      Dating back many years, Jenkins has supported two network discovery services (UDP multicast/broadcast and DNS multicast). When this was first implemented this may have been a reasonable way to provide useful lookup services. With modern Jenkins capabilities, networks, and security considerations, this is no longer a good mechanism. There are now other ways to accomplish the real needs and concerns with doing it this way.

      With Jenkins Security Advisory 2020-01-29 these services were disabled by default because of SECURITY-1641 / CVE-2020-2100.

      These should just be removed.

          [JENKINS-60913] Remove network discovery services

          Jeff Thompson created issue -
          Jesse Glick made changes -
          Link New: This issue duplicates JENKINS-33596 [ JENKINS-33596 ]
          Oleg Nenashev made changes -
          Released As New: Jenkins 2.220
          Resolution New: Duplicate [ 3 ]
          Status Original: Open [ 1 ] New: Resolved [ 5 ]
          Philipp Baer made changes -
          Link New: This issue causes JENKINS-61029 [ JENKINS-61029 ]
          Allan Lewis made changes -
          Description Original: Dating back many years, Jenkins has supported two network discovery services (UDP multicast/broadcast and DNS multicast). When this was first implemented this may have been a reasonable way to provide useful lookup services. With modern Jenkins capabilities, networks, and security considerations, this is no longer a good mechanism. There are now other ways to accomplish the real needs and concerns with doing it this way.

          With [Jenkins Security Advisory 2020-01-29|[https://jenkins.io/security/advisory/2020-01-29/]|https://jenkins.io/security/advisory/2020-01-29/] these services were disabled by default because of SECURITY-1641 / CVE-2020-2100.

          These should just be removed.
          New: Dating back many years, Jenkins has supported two network discovery services (UDP multicast/broadcast and DNS multicast). When this was first implemented this may have been a reasonable way to provide useful lookup services. With modern Jenkins capabilities, networks, and security considerations, this is no longer a good mechanism. There are now other ways to accomplish the real needs and concerns with doing it this way.

          With [Jenkins Security Advisory 2020-01-29|https://jenkins.io/security/advisory/2020-01-29/] these services were disabled by default because of SECURITY-1641 / CVE-2020-2100.

          These should just be removed.

            jthompson Jeff Thompson
            jthompson Jeff Thompson
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: