  1. Jenkins
  2. JENKINS-68527

Old Plugin Version (1.4.10) on Jenkins 2.332.3 LTS

Details

    Description

      Hi,

      We are getting CVE errors on our Jenkins 2.332.3 (LTS), which I think are already fixed in version 1.5.1.

      But unfortunately, on Jenkins LTS the latest version of the plugin is 1.4.10.

      The CVE Errors we are getting are:

      SECURITY-2241 / CVE-2022-28138 (CSRF), CVE-2022-28139 (missing permission check)

      What's the reason that the Plugin on the LTS Version of Jenkins will not be updated?

        Activity

          nmendola Nicolo Mendola created issue -
          mreinhardt Martin Reinhardt made changes -
          Field Original Value New Value
          Status Open [ 1 ] In Progress [ 3 ]

          mreinhardt Martin Reinhardt added a comment -

          Sorry for my late response.

          The breaking change did not happen by intention. Fixed that with release 1.5.2.
          mreinhardt Martin Reinhardt made changes -
          Resolution Fixed [ 1 ]
          Status In Progress [ 3 ] Resolved [ 5 ]

          nmendola Nicolo Mendola added a comment -

          Hi mreinhardt,

          That means only users who use the latest Jenkins release (not the LTS release) can get the latest plugin updates?

          Shouldn't security fixes normally be committed in the release version from the LTS branch (1.4.10) and merged into dev/latest?

          Best regards

          mreinhardt Martin Reinhardt added a comment -

          No, I'm totally with you.

          It was a fault from my side. The release from today should also be available to the LTS release...

          PS: Plugins in Jenkins are totally independent from Jenkins branching...

          nmendola Nicolo Mendola added a comment -

          Thank you for the clarification!

          Yes, now I see the update.

          People

            mreinhardt Martin Reinhardt
            nmendola Nicolo Mendola