GitHub PR Builder Plugin Security Warning


Craig Barber

Jul 25, 2019, 1:28:52 PM
to Jenkins Developers
I noticed after installing the GitHub PR Builder plugin that the Manage Plugins page is now showing a security alert linking to this issue: https://jenkins.io/security/advisory/2018-03-26/#SECURITY-261
According to the linked page the security issue was resolved with build 1.40.0.
Being that this is an outdated security alert, does it still make sense to show the warning on the Manage Plugins page?

Daniel Beck

Jul 25, 2019, 5:02:31 PM
to jenkin...@googlegroups.com


> On 25. Jul 2019, at 19:28, 'Craig Barber' via Jenkins Developers <jenkin...@googlegroups.com> wrote:
>
> Being that this is an outdated security alert, does it still make sense to show the warning on the Manage Plugins page?

The problem with that warning and a few others like it is that it could be relevant to you even if you have long since moved on from versions with the bug (especially since we only published the advisory quite a while after the fix went out). So we set it to apply to any version of the plugin (and even that might not catch users who've since uninstalled it).

It's probably time to disable that, given its age. I will change the pattern we use to match plugin versions. In the meantime, you can disable this warning being shown to you on the global security configuration.
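
The version matching discussed in this reply, as an added example that is not part of the original thread and not Jenkins code. It assumes a warning entry carries a plugin short name and a list of version ranges with a regular-expression `pattern`; the entries, the short name `ghprb`, and both patterns are constructed for illustration and are not taken from the real update center.

```python
import re

# Constructed warning entries (illustrative shape and values, see lead-in).
# "Any version" mirrors the behaviour described in the thread: the warning
# is shown no matter which release of the plugin is installed.
WARNING_ANY_VERSION = {
    "id": "SECURITY-261",
    "name": "ghprb",
    "versions": [{"pattern": r".*"}],
}

# A bounded alternative: matches 0.x and 1.0 through 1.39.x only, i.e.
# releases older than the 1.40.0 fix mentioned in the thread.
WARNING_BEFORE_FIX = {
    "id": "SECURITY-261",
    "name": "ghprb",
    "versions": [{"pattern": r"(0|1[.]([0-9]|[1-3][0-9]))([.-].*)?"}],
}


def warning_applies(warning, plugin_name, installed_version):
    """Return True if the warning targets this plugin and at least one
    range pattern matches the whole installed version string."""
    if warning["name"] != plugin_name:
        return False
    return any(
        re.fullmatch(rng["pattern"], installed_version) is not None
        for rng in warning["versions"]
    )


def shown_warnings(warning, installed):
    """Map each installed plugin to whether the warning would be shown."""
    return {
        name: warning_applies(warning, name, version)
        for name, version in installed.items()
    }


if __name__ == "__main__":
    # Constructed inventory: one patched install, one unrelated plugin.
    installed = {"ghprb": "1.42.2", "git": "3.10.0"}
    print("any-version pattern:", shown_warnings(WARNING_ANY_VERSION, installed))
    print("bounded pattern:    ", shown_warnings(WARNING_BEFORE_FIX, installed))
```

With the match-all pattern a patched 1.42.2 install still triggers the alert, which is the behaviour reported at the top of the thread; the bounded pattern flags only releases that predate the fix.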

Craig Barber

Jul 26, 2019, 1:22:56 PM
to jenkin...@googlegroups.com
Sounds good, thanks for the follow up.

--
Craig Barber
Software Engineer
Cloud Graphite: Platforms