Details
-
Task
-
Status: Resolved (View Workflow)
-
Minor
-
Resolution: Fixed
-
None
-
Docker
Jenkins 2.332.3 (LTS)
Description
Hi,
we are getting CVE Errors on our Jenkins 2.332.3 (LTS) which i think they are already fixed in Version 1.5.1.
But unfortunately on Jenkins LTS the latest Version of the Plugin is 1.4.10.
The CVE Errors we are getting are:
SECURITY-2241 / CVE-2022-28138 (CSRF), CVE-2022-28139 (missing permission check)
What's the reason that the Plugin on the LTS Version of Jenkins will not be updated?
Attachments
Activity
Nicolo Mendola
added a comment - Hi mreinhardt ,
that means only User which uses the latest Jenkins Release (not the LTS Release) , can get the latest Plugin Updates?
Shouldn't Security fixes normally commited in the Release Version from the LTS Branch (1.4.10) and merged into dev/latest?
Best Regards
Nicolo Mendola
added a comment - Hi mreinhardt ,
that means only User which uses the latest Jenkins Release (not the LTS Release) , can get the latest Plugin Updates?
Shouldn't Security fixes normally commited in the Release Version from the LTS Branch (1.4.10) and merged into dev/latest?
Best Regards no I'm totally with you.
It was a fault from my side. The release from today should be also available to LTS release...
PS: Plugins in Jenkins are totally independent from Jenkins branching ....
Nicolo Mendola
added a comment - Thank you for the clarification!
Yes, now i see the update. 
Sorry for my late response.
The breaking change was not happening by intentation. Fixed that with Release 1.5.2