Publishing security advisories without fix

16 views
Skip to first unread message

Daniel Beck

unread,
Oct 23, 2017, 10:36:06 AM10/23/17
to Jenkins Developers
Hi everyone,

About a year ago I established a policy that we would publish security advisories if there's no expectation of getting them fixed through our private process.
https://jenkins.io/security/#vulnerabilities-in-plugins

Today, I did that once again, in a somewhat popular plugin, and for the first time for a medium severity vulnerability:
https://jenkins.io/security/advisory/2017-10-23/#scp-publisher-plugin-stores-jenkins-credentials-unencrypted-on-disk-round-trips-in-unencrypted-form

For reference, all previous ones (AFAIR) were for much more serious arbitrary code execution vulnerabilities.

I have not tried reaching out to any potential maintainers in this case, the last release was seven years ago, the last activity of any kind four years ago. Even if there is "a maintainer", they're not doing a lot of maintenance.

If you have feedback to share, please do, here or in private.

Thanks!
Daniel

Reply all
Reply to author
Forward
0 new messages