Hi, Team!
I’m working with Keith Collison on his Liquibase Runner plugin. I noticed that there is a security issue with it here: https://wiki.jenkins.io/display/JENKINS/Liquibase+Runner. I also noticed it’s not showing up on the new(ish) Jenkins.io pages for plugins. Is this due to the security issue?
Here's the stated issue: https://jenkins.io/security/advisory/2018-03-26/#SECURITY-519
Keith thinks this might be due to classloading in the Util class but that doesn’t look particularly strange and unnatural to me.
Can I get some pointers on what the issue is?
Thanks!
Robert
Ha! I found the JEP-200 blog post. I think we have a path to get this corrected and secure. Thanks!
Roger that! Are we allowed to use the META-INF/hudson.remoting.ClassFilter fix listed here (https://jenkins.io/blog/2018/01/13/jep-200/) to resolve it?
Thanks for keeping Jenkins safe!
From: jenkin...@googlegroups.com <jenkin...@googlegroups.com> On Behalf Of Daniel Beck
Sent: Friday, March 6, 2020 4:12 PM
To: JenkinsCI Developers <jenkin...@googlegroups.com>
Cc: Keith Collison <keit...@gmail.com>
--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
jenkinsci-de...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/jenkinsci-dev/CAMo7PtKa5j0cEcFit6fCqTEcbpNG8dh9ZU8CnDFbPxhXujJ9tA%40mail.gmail.com.
Hi!
Just to follow up: we’re trying to get this security issue resolved but have not been able to get access to SECURITY-519. How can we view that so we can fix the issue?
Thanks!
Robert
From: jenkin...@googlegroups.com <jenkin...@googlegroups.com> On Behalf Of Daniel Beck
Sent: Friday, March 6, 2020 4:12 PM
To: JenkinsCI Developers <jenkin...@googlegroups.com>
Cc: Keith Collison <keit...@gmail.com>
Subject: Re: Plugin: Liquibase Runner
Keith has access to SECURITY-519 in the Jenkins issue tracker using his account 'prospero238'. That issue contains complete steps that allow a regular user with Job/Configure permission to execute arbitrary code on the Jenkins master JVM, just as stated in the advisory.
In cases of very serious security vulnerabilities, such as this one, we suspend distribution of plugins so they are no longer available on Jenkins update sites. I did that here. This will remain until the issue is resolved to the satisfaction of the Jenkins security team.
Just wanted to check on the adoption status. We have a PR submitted that resolves the security issue. We'd like to be able to push to master and do a release. Thanks!
I’ve emailed him a couple times and messaged him on GitHub. We emailed back and forth the first week of March but haven’t gotten a response since then. Right now the plugin is in security jail because of JEP-200 and we’re trying to bail it out with the PR we’ve submitted.
We’re very appreciative of his work and a huge fan of his.
Of course, Keith. We love your work and are beyond appreciative. Thanks!
Hi, Team!
Keith has been great. He’s accepted our PR and added my r2datical GH account to the repos at https://github.com/jenkinsci/liquibase-runner-plugin.
However, we still need to add Nathan. How do we add GH account nvoxland to the Jenkins CI group so that Keith can add Nathan as a contributor?
Thanks!
Robert
Hi, team!
My PR to grant access to my GitHub/Jenkins.io account (they’re the same), had an issue with the automated checks. I’m not sure what I can do here to fix it: https://github.com/jenkins-infra/repository-permissions-updater/pull/1513
Thanks!
Robert
From: ga...@gavinmogan.com <ga...@gavinmogan.com> On Behalf Of 'Gavin Mogan' via Jenkins Developers
Sent: Monday, April 27, 2020 2:00 PM
To: Jenkins Developers <jenkin...@googlegroups.com>
Awesome! Looking forward to the acceptance!!! We’re ready to release. Thank you!
Robert Reeves
CTO | Datical
Hi, Team! Just checking on the PR. As far as I can tell, it’s passed the checks. Slide asked me to attach the thread to the PR and I’ve done that. What’s next?
https://github.com/jenkins-infra/repository-permissions-updater/pull/1513
Thanks!
Robert
Hi, Team!
Thanks for accepting the PR to give my GitHub/Artifactory user access to release the plugin.
My GitHub user is r2datical and accounts.jenkins.io user is r2datical. Same one I’ve used for the daticaldb plugin. I’ve logged into the Artifactory instance with that account. However, I’m getting the 403 error still:
[INFO] [ERROR] Failed to execute goal org.apache.maven.plugins:maven-deploy-plugin:2.6:deploy (default-deploy) on project liquibase-runner: Failed to deploy artifacts: Could not transfer artifact org.jenkins-ci.plugins:liquibase-runner:hpi:1.3.0 from/to maven.jenkins-ci.org (https://repo.jenkins-ci.org/releases/): Authorization failed for https://repo.jenkins-ci.org/releases/org/jenkins-ci/plugins/liquibase-runner/1.3.0/liquibase-runner-1.3.0.hpi 403 Forbidden -> [Help 1]
Is this a timing thing or is there another step I need to perform?
Thanks!
Robert
From: jenkin...@googlegroups.com <jenkin...@googlegroups.com> On Behalf Of Robert Reeves
Sent: Wednesday, April 29, 2020 8:31 AM
To: jenkin...@googlegroups.com
Cc: Keith Collison <keit...@gmail.com>; Daniel Beck <m...@beckweb.net>; Nathan Voxland <nat...@datical.com>
Thanks, Tim! Verified that the settings are set with the correct username and password as described here: https://www.jenkins.io/doc/developer/publishing/releasing/. I have gone here (https://repo.jenkins-ci.org/webapp/#/home) and verified the credentials allow me to log in.
Is there more information I can share to help solve this?
Thanks!
From: jenkin...@googlegroups.com <jenkin...@googlegroups.com> On Behalf Of Tim Jacomb
Sent: Friday, May 1, 2020 8:44 AM
To: jenkin...@googlegroups.com
Subject: Re: Plugin: Liquibase Runner
I would check your deploy credentials in your settings.xml as a first step; it should be fairly quick to give you permission unless the job is broken.