JENKINS-67590

publish-over-ssh plugin removed from update center


Details

    • Publish Over SSH 1.24

    Description

      The plugin `publish-over-ssh` appears to be missing from the latest plugin repository (https://updates.jenkins.io/update-center.json). The same plugin was, however, available in the previous version.

      We use that plugin for close to all jobs and thus we are in desperate need for this plugin to be added to the repository again.

      Plugin removed from update center until security issues are resolved

      Jenkins Security Advisory 2022-01-12 describes the following vulnerabilities:

      • SECURITY-2287 - Stored XSS vulnerability (medium severity)
      • SECURITY-2290 - CSRF vulnerability and missing permission checks (medium severity)
      • SECURITY-2307 - Path traversal vulnerability (medium severity)
      • SECURITY-2291 - Password stored in plain text (low severity)

      Until someone adopts the plugin, fixes the issues, and releases a new version, it will remain unavailable.

      Users that accept the security vulnerabilities can still download the plugin from the Jenkins artifact repository and upload it to their Jenkins installation.

        Activity

          kon Kalle Niemitalo added a comment -

          I could not find any other plugins like this that have been removed with regards to security issues

          There's a list at Suspended Plugins.

          asimerel Asım Erel added a comment -

          I think the plugin is fixed for vulnerabilities at 1.23 version.

          https://github.com/jenkinsci/publish-over-ssh-plugin/releases/tag/publish-over-ssh-1.23

          Is it possible to remove suspension?

           

          louj Jiri L added a comment -

          Version 1.24 seems to be accepted. Many thanks to everyone involved.


          kon Kalle Niemitalo added a comment -

          Marking as resolved because the plugin is in the update center again.

          gmcdonald Gavin McDonald added a comment -

          For your information, all publish-over-ssh component type JENKINS issues related to the Publish Over SSH plugin have been transferred to Github: https://github.com/jenkinsci/publish-over-ssh-plugin/issues

          Here is the direct link to this issue in Github: https://github.com/jenkinsci/publish-over-ssh-plugin/issues/67
          And here is the link to a search for related issues: https://github.com/jenkinsci/publish-over-ssh-plugin/issues?q=%22JENKINS-67590%22

          (Note: this is an automated bulk comment)

          People

            Unassigned Unassigned
            blueicarus Martijn
            Votes: 4
            Watchers: 9
