Removing security vulnerability warning from CloudFormation plugin


Damir Suleymanov

Nov 19, 2022, 2:50:55 PM
to Jenkins Developers
Hi,
I recently addressed vulnerability CVE-2019-1003061 in the CloudFormation plugin (https://plugins.jenkins.io/jenkins-cloudformation-plugin/).



I tested this release on my production instance of Jenkins and I can see that the secret is now encrypted.

Thanks,
Damir.

Ullrich Hafner

Nov 19, 2022, 5:13:12 PM
to JenkinsCI Developers
Please follow our guidelines when reporting vulnerabilities, please see https://www.jenkins.io/security/ for details!


Alexander Brandes

Nov 20, 2022, 11:18:55 AM
to Jenkins Developers
> Please follow our guidelines when reporting vulnerabilities, please see https://www.jenkins.io/security/ for details!

The CVE's details were published more than 3 years ago; no new information has been disclosed here.

Someone from the security team will need to review your PR to the update-center and the fix integrated, to update the CVE record and the warnings on plugins.jenkins.io etc.

Patience is key, but thanks for letting us know :)