Hi everyone,
as discussed a while back[1], and implemented for the first time with the Pipeline Classpath Plugin a few weeks ago[2], we started removing plugins with unfixed security vulnerabilities from distribution.
What we haven't discussed is what to do with plugins that receive fixes: Should we remove their older, vulnerable releases from update sites?
The Jenkins project operates a number of versioned update sites to serve older LTS releases with versions of plugins compatible with them, currently starting at 1.609 and including every LTS baseline since then.
If a plugin that currently requires e.g. 1.651.x gets fixed, the fixed version will only be available for Jenkins 1.651.x and up. So should we remove older releases from distribution, resulting in the plugin being unavailable for 1.642 and earlier versions of Jenkins, even though (vulnerable) releases of that plugin exist that would be compatible with these older cores?
Of course, plugin maintainers could always backport security fixes to older lines and publish maintenance releases, but what should we do in general?
Daniel
[1] https://groups.google.com/d/msg/jenkinsci-dev/NaAqqChOVmY/BvA_TuzjAQAJ
[2] https://jenkins.io/security/advisory/2017-03-20/#pipeline-classpath-step-plugin-allowed-script-security-sandbox-bypass