CAS Plugin SECURITY-488 fix


Fabien Crespel

May 8, 2017, 7:05:22 PM
to Jenkins Developers
Hello all,

I'm the maintainer of the CAS Plugin that was recently removed from the Update Center due to SECURITY-488 (https://jenkins.io/security/advisory/2017-04-10/#cas-plugin).

I believe I have fixed the two issues mentioned there, but since I'm completely new to the Script Security plugin could someone with experience (from the security team?) please take a look at these commits:
- https://github.com/jenkinsci/cas-plugin/commit/79a9bd1d1d5014bfb2014c5f1244b79e7ade4e93
- https://github.com/jenkinsci/cas-plugin/commit/d8aba2a5507d95ac9c89d222626fdd951e094d09

If they're fine, what should I do to get the plugin back to the Update Center? just release it as usual? (version will be 1.4.0)

As a side note, when this kind of issue occurs I would appreciate being notified by mail if possible... it took me 10 days to notice it and even longer to find the time to fix it :-(

Thank you,
- Fabien.
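The message above asks for a review of how the plugin now uses the Script Security plugin. The following is an added example written for this page, not code from the CAS plugin or from the linked commits: it shows the general shape of evaluating an administrator-configured Groovy script through SecureGroovyScript instead of a raw GroovyShell. The class name AttributeRolesScript, the 'attributes' binding and the rolesFor method are hypothetical; the Script Security calls (SecureGroovyScript, ApprovalContext, evaluate) are the plugin's real API.

```java
// Added example, not the CAS plugin's own code: evaluating an administrator-
// configured Groovy script through the Script Security plugin. The class,
// method and variable names here are hypothetical.
import groovy.lang.Binding;
import jenkins.model.Jenkins;
import org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript;
import org.jenkinsci.plugins.scriptsecurity.scripts.ApprovalContext;
import org.jenkinsci.plugins.scriptsecurity.scripts.ClasspathEntry;

import java.util.Collection;
import java.util.Collections;
import java.util.Map;

/** Wraps a configured Groovy snippet that maps CAS attributes to Jenkins authorities. */
public final class AttributeRolesScript {

    private final SecureGroovyScript script;

    /**
     * Called when the configuration is saved (for example from a @DataBoundConstructor).
     * configuring(...) registers the script text with ScriptApproval at that moment:
     * with sandbox=true it will only ever run under the Groovy sandbox whitelist; with
     * sandbox=false an administrator must approve this exact script text before it can
     * execute. Either way, merely saving the form never grants arbitrary code execution.
     */
    public AttributeRolesScript(String groovy, boolean sandbox) {
        this.script = new SecureGroovyScript(groovy, sandbox, Collections.<ClasspathEntry>emptyList())
                .configuring(ApprovalContext.create().withCurrentUser());
    }

    /**
     * Runs the script at login time with the CAS attribute map bound as 'attributes'.
     * evaluate(...) throws UnapprovedUsageException for a non-sandboxed script that has
     * not been approved, and enforces the whitelist for sandboxed ones.
     */
    @SuppressWarnings("unchecked")
    public Collection<String> rolesFor(Map<String, Object> attributes) throws Exception {
        Binding binding = new Binding();
        binding.setVariable("attributes", attributes);
        ClassLoader loader = Jenkins.getInstance().getPluginManager().uberClassLoader;
        Object result = script.evaluate(loader, binding);
        return result instanceof Collection
                ? (Collection<String>) result
                : Collections.<String>emptyList();
    }

    /** Exposed so the config form can round-trip the script and its sandbox flag. */
    public SecureGroovyScript getScript() {
        return script;
    }
}
```

Two things a reviewer would check alongside such a change: that configurations saved by an earlier release, which stored the script as a plain string, are migrated into a SecureGroovyScript (and so pass through ScriptApproval) rather than silently kept executable, and that every code path that previously ran the script now goes through evaluate(...) rather than a leftover GroovyShell.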

Daniel Beck

May 9, 2017, 4:11:38 AM
to jenkin...@googlegroups.com

> On 09.05.2017, at 01:05, Fabien Crespel <fab...@crespel.net> wrote:
>
> If they're fine, what should I do to get the plugin back to the Update Center? just release it as usual? (version will be 1.4.0)

File a PR for https://github.com/jenkins-infra/backend-update-center2 doing basically the same as PR 134 but for your plugin:

- Remove from exclusions
- Adapt warnings regex to only match affected releases

>
> As a side note, when this kind of issue occurs I would appreciate to be notified by mail if possible... it took me 10 days to notice it and even longer to find the time to fix it :-(

Good point. As I explained in the related blog post, I was unable to contact everyone beforehand, and afterwards… TBH I didn't think it was necessary after emailing all the lists etc. I should have done a better job informing maintainers (in the case of maintained plugins). Sorry about that!
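The second step above, adapting the warnings regex so it matches only the affected releases, is easy to get wrong with a prefix pattern. The following is an added example written for this page, not code from the backend-update-center2 repository: a self-check that a version pattern flags exactly the intended releases. It assumes the update center matches the pattern against the whole plugin version string, and that the affected CAS plugin releases are everything before 1.4.0 (the fix release named in this thread); the sample version strings are constructed for the check.

```java
// Added example, not update-center2 code: verify that a warnings-style version
// regex flags only the releases it is meant to. Version strings are constructed.
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

public class WarningPatternCheck {

    // Tight pattern: "1." then a single minor digit 0-3, then either nothing or a
    // "." / "-" qualifier (1.3.1, 1.3-SNAPSHOT). "[.]" keeps the dot literal.
    static final Pattern AFFECTED = Pattern.compile("1[.][0-3](|[.-].*)");

    // A tempting shortcut that over-matches: "1.1" is also the prefix of "1.10".
    static final Pattern NAIVE = Pattern.compile("1[.][0-3].*");

    static boolean flagged(Pattern p, String version) {
        return p.matcher(version).matches();
    }

    /** Returns true when p flags every affected version and none of the fixed ones. */
    static boolean patternIsExact(Pattern p, List<String> affected, List<String> fixed) {
        for (String v : affected) {
            if (!flagged(p, v)) {
                System.out.println("MISSED    " + v);
                return false;
            }
        }
        for (String v : fixed) {
            if (flagged(p, v)) {
                System.out.println("OVERMATCH " + v);
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Assumption: releases before 1.4.0 are affected, 1.4.0 and later are fixed.
        List<String> affected = Arrays.asList("1.0", "1.1", "1.2", "1.3", "1.3.1", "1.3-SNAPSHOT");
        List<String> fixed    = Arrays.asList("1.4.0", "1.4", "1.4.1", "1.10", "1.13", "2.0");
        System.out.println("tight pattern exact: " + patternIsExact(AFFECTED, affected, fixed));
        System.out.println("naive pattern exact: " + patternIsExact(NAIVE, affected, fixed));
    }
}
```

Run as-is, the tight pattern reports exact and the naive one reports OVERMATCH for 1.10: a two-digit minor version that a prefix match would wrongly flag as vulnerable, which is precisely the case to add to the list before opening the update center PR.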

Jesse Glick

May 9, 2017, 9:29:24 AM
to Jenkins Dev
On Mon, May 8, 2017 at 7:05 PM, Fabien Crespel <fab...@crespel.net> wrote:
> I believe I have fixed the two issues mentioned there, but since I'm
> completely new to the Script Security plugin could someone with experience
> (from the security team?) please take a look at these commits:
> https://github.com/jenkinsci/cas-plugin/commit/79a9bd1d1d5014bfb2014c5f1244b79e7ade4e93
> https://github.com/jenkinsci/cas-plugin/commit/d8aba2a5507d95ac9c89d222626fdd951e094d09

I did not notice any security flaws from a quick inspection.

For the future, if you are requesting review on proposed code changes,
I would recommend creating a pull request as this is a more structured
way of soliciting line-by-line feedback. You can even request
particular reviewers.

Fabien Crespel

May 9, 2017, 12:20:48 PM
to Jenkins Developers
Thanks for the review and information :-)

I just released version 1.4.0 and made a PR for the Update Center:
https://github.com/jenkins-infra/backend-update-center2/pull/139