As a plugin maintainer, what should I do if I want to fix a warning?


liuweiGL

Jan 18, 2020, 10:35:20 PM
to Jenkins Developers
I want to fix the problem:

Dingding[钉钉] Plugin stores credentials in plain text 

SECURITY-1423 / CVE-2019-10433

Dingding[钉钉] Plugin stores an access token unencrypted in job config.xml files on the Jenkins master. This token can be viewed by users with Extended Read permission, or access to the master file system.

As of publication of this advisory, there is no fix.

and what should I do? I can't find the issue in the Jenkins Jira.

Björn Pedersen

Jan 20, 2020, 2:41:07 AM
to Jenkins Developers
You need to switch to a way to store the credentials encrypted. The canonical way is using the credentials plugin features
(see the consumer guide there for details) and https://jenkins.io/doc/developer/security/secrets/
for how to deal with the necessary changes to configuration.

Björn
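The migration the secrets documentation above describes, written out as an added example (it is not the Dingding plugin's code and not from this thread): the plain-text token field becomes a `hudson.util.Secret`, which Jenkins encrypts when it writes config.xml, so an Extended Read user sees only ciphertext. The class name, the field names and the use of the Jenkins `readResolve` migration convention are assumptions; only the access token itself is named in the advisory.

```java
// Added example, not the plugin's own code. Migrates a plain-text String
// persisted in a job's config.xml to hudson.util.Secret, following
// https://jenkins.io/doc/developer/security/secrets/.
import hudson.util.Secret;
import org.kohsuke.stapler.DataBoundConstructor;

public class DingdingNotifier /* extends Notifier; omitted here */ {

    // Legacy field (assumed name): was written to config.xml in plain text.
    // Marked transient so it is never serialized again; Jenkins' XStream
    // still reads it from old config.xml files so readResolve() can migrate it.
    @Deprecated
    private transient String accessToken;

    // Replacement field: Secret serializes as an encrypted value.
    private Secret secretAccessToken;

    @DataBoundConstructor
    public DingdingNotifier(Secret secretAccessToken) {
        this.secretAccessToken = secretAccessToken;
    }

    // Called by XStream after deserialization. A legacy plain-text token is
    // wrapped in a Secret and the old field cleared; the next save of the job
    // writes only the encrypted form.
    protected Object readResolve() {
        if (accessToken != null) {
            secretAccessToken = Secret.fromString(accessToken);
            accessToken = null;
        }
        return this;
    }

    // Getter used by the config Jelly view (render it with a password field);
    // Secret.toString() yields the encrypted form, never the plain text.
    public Secret getSecretAccessToken() {
        return secretAccessToken;
    }

    // Decrypt only at the point of use, e.g. when building the webhook request.
    // Secret.toString(Secret) returns "" for a null Secret, avoiding an NPE.
    String plainTokenForRequest() {
        return Secret.toString(secretAccessToken);
    }
}
```

Existing jobs are migrated lazily: the token stays in plain text on disk until each job is next saved, so a post-upgrade re-save (or a migration step that saves affected jobs) is part of the fix.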

Richard Bywater

Jan 20, 2020, 3:23:40 AM
to jenkin...@googlegroups.com
Regarding the Jira issue portion of the question, I'm guessing that it's likely sitting in a protected issue within the SECURITY project in Jira. Hopefully Daniel Beck (the Jenkins security officer) or one of the security team will see this message and get in touch with further details of the vulnerability, but guessing if you don't hear anything then you could try firing an email to jenkins...@googlegroups.com, which I believe is the security team's private mailing list.

Richard.


Daniel Beck

Jan 20, 2020, 3:36:41 AM
to JenkinsCI Developers
On Mon, Jan 20, 2020 at 9:23 AM Richard Bywater <ric...@bywater.nz> wrote:
Regarding the Jira issue portion of the question, I'm guessing that it's likely sitting in a protected issue within the SECURITY project in Jira. Hopefully Daniel Beck (the Jenkins security officer) or one of the security team will see this message and get in touch with further details of the vulnerability

I granted access to the private security issue to liu wei, but there's not really more information there, other than exactly what field in XML this is about; but between plugin code and advisory, this should be easy enough to determine anyway.

The advice in https://jenkins.io/doc/developer/security/secrets/ about how to fix it is what matters, and Björn already linked that (thanks!).

liuweiGL

Jan 20, 2020, 7:52:40 AM
to Jenkins Developers
I have fixed the problem, and I want to close the related Jenkins issue, but I still can't find it.

On Monday, January 20, 2020 at 4:36:41 PM UTC+8, Daniel Beck wrote:

liuweiGL

Jan 20, 2020, 7:53:56 AM
to Jenkins Developers
Thank you.

On Monday, January 20, 2020 at 3:41:07 PM UTC+8, Björn Pedersen wrote:

liuweiGL

Jan 20, 2020, 7:54:16 AM
to Jenkins Developers
Thank you too.

On Monday, January 20, 2020 at 4:23:40 PM UTC+8, Richard Bywater wrote:

Daniel Beck

Jan 20, 2020, 9:18:32 AM
to JenkinsCI Developers
On Mon, Jan 20, 2020 at 1:52 PM liuweiGL <liuwe...@gmail.com> wrote:
I had fixed the problem, and i want to close the related jenkins issue but i still can't find it.

The issue is at https://issues.jenkins-ci.org/browse/SECURITY-1423 and I granted you access and sent you a notification about it via Jira.

Once we publish a security issue (fixed or not), we close it in Jira, as there is no longer a need to track it in private. So there is no issue to close here. If you want to track the fix now in public, you need to create a new issue.

liuweiGL

Jan 20, 2020, 9:46:22 PM
to Jenkins Developers
Okay, thanks for your patience.

On Monday, January 20, 2020 at 10:18:32 PM UTC+8, Daniel Beck wrote: