Plugin: Liquibase Runner
Robert Reeves
Hi, Team!
I’m working with Keith Collison on his Liquibase Runner plugin. I noticed that there is a security issue with it here: https://wiki.jenkins.io/display/JENKINS/Liquibase+Runner. Also noticed it’s not showing up on the new(ish) Jenkins.io pages for plugins. Is this due to the security issue?
Here's the stated issue: https://jenkins.io/security/advisory/2018-03-26/#SECURITY-519
Keith thinks this might be due to classloading in the Util class but that doesn’t look particularly strange and unnatural to me.
Can I get some pointers on what the issue is?
Thanks!
Robert
|
||||||||||||||
|
Robert Reeves
Ha! I found the JEP-200 blog post. I think we have a path to get this corrected and secure. Thanks!
Daniel Beck
Robert Reeves
Roger that! Are we allowed to use the META-INF/hudson.remoting.ClassFilter fix listed here (https://jenkins.io/blog/2018/01/13/jep-200/) to resolve it?
Thanks for keeping Jenkins safe!
From: jenkin...@googlegroups.com <jenkin...@googlegroups.com>
On Behalf Of Daniel Beck
Sent: Friday, March 6, 2020 4:12 PM
To: JenkinsCI Developers <jenkin...@googlegroups.com>
Cc: Keith Collison <keit...@gmail.com>
--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
jenkinsci-de...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/jenkinsci-dev/CAMo7PtKa5j0cEcFit6fCqTEcbpNG8dh9ZU8CnDFbPxhXujJ9tA%40mail.gmail.com.
Daniel Beck
> On 6. Mar 2020, at 23:52, Robert Reeves <r...@datical.com> wrote:
>
> Are we allowed to use the META-INF/hudson.remoting.ClassFilter fix listed here (https://jenkins.io/blog/2018/01/13/jep-200/) to resolve it?
That said, I don't see how JEP-200 or the ClassFilter workaround would apply here.
Not having dug that deep into the purpose of the vulnerable functionality, I would recommend you move any functionality requiring custom classes being loaded out of the Jenkins master process, not just for security, but also stability. The second best approach would probably be to move the driver/classloader configuration to a UI in the global configuration only available to Jenkins admins.
Robert Reeves
Hi!
Just to follow up…we’re trying to get this security issue resolved but have not been able to get access to SECURITY-519. How can we view that so we can fix the issue?
Thanks!
Robert
|
||||||||||||||
|
From: jenkin...@googlegroups.com <jenkin...@googlegroups.com> On Behalf Of Daniel Beck
Sent: Friday, March 6, 2020 4:12 PM
To: JenkinsCI Developers <jenkin...@googlegroups.com>
Cc: Keith Collison <keit...@gmail.com>
Subject: Re: Plugin: Liquibase Runner
Keith has access to SECURITY-519 in the Jenkins issue tracker using his account 'prospero238'. That issue contains complete steps that allow a regular user with Job/Configure permission to execute arbitrary code on the Jenkins master JVM, just as stated in the advisory.
In cases of very serious security vulnerabilities, such as this one, we suspend distribution of plugins so they are no longer available on Jenkins update sites. I did that here. This will remain until the issue is resolved to the satisfaction of the Jenkins security team.
--
Daniel Beck
> On 16. Apr 2020, at 20:16, Robert Reeves <r...@datical.com> wrote:
>
> Just to follow up…we’re trying to get this security issue resolved but have not been able to get access to SECURITY-519. How can we view that so we can fix the issue?
From a Jenkins project POV, Keith is the only maintainer of the plugin, and the only one entitled to view the security issue information for his plugin. (While we can add additional users to the private issue, that requires consent by the current maintainer.)
The only option that doesn't require active involvement from a current maintainer is to request a transfer of maintainership of the plugin per https://jenkins.io/doc/developer/plugin-governance/adopt-a-plugin/
Robert Reeves
Sounds like adoption is the way to go:
Link to a plugin you want to adopt: https://github.com/jenkinsci/liquibase-runner-plugin
Link(s) to pull requests you want to deliver, if applicable: https://github.com/jenkinsci/liquibase-runner-plugin/pull/16 and more to come after we get access to the security tracker
Your GitHub username/id: https://github.com/r2datical & https://github.com/nvoxland
Your Jenkins infrastructure account id. Create your account if you don’t have one: r2datical & nvoxland
Keith has been great and has stated he's open to getting some help on this the Liquibase team. We are indebted to him.
Thanks!
Robert
Robert Reeves
CTO | Datical
Email: r...@datical.com
Website: www.datical.com
-----Original Message-----
From: Daniel Beck <m...@beckweb.net>
Sent: Friday, April 17, 2020 3:58 AM
To: Jenkins Developers <jenkin...@googlegroups.com>
Cc: Keith Collison <keit...@gmail.com>; Nathan Voxland <nat...@datical.com>; Robert Reeves <r...@datical.com>
Subject: Re: Plugin: Liquibase Runner
Robert Reeves
Nathan updated the PR (https://github.com/jenkinsci/liquibase-runner-plugin/pull/16) to fix the security issue without relying on the class whitelist in META-INF.
How's the adoption process going? We've got a webinar hosted by CloudBees on Thursday and we'd very much like to talk about this release then.
Robert Reeves
Tim Jacomb
Just wanted to check on the adoption status. We have a PR submitted that resolves the security issue. We'd like to be able to push to master and do a release. Thanks!
--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-de...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CY4PR06MB2949655B53B6CEDF5652411A83D30%40CY4PR06MB2949.namprd06.prod.outlook.com.
Robert Reeves
I’ve emailed him a couple times and messaged him on GitHub. We emailed back and forth the first week of March but haven’t gotten a response since then. Right now the plugin is in security jail because of JEP-200 and we’re trying to bail it out with the PR we’ve submitted.
We’re very appreciative of his work and a huge fan of his.
|
||||||||||||||
|
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAH-3Bif-NFff6hBd%3DOgS33nrdWk%2BTLQ2CjyOyo6L6xssN%3DnEkg%40mail.gmail.com.
Keith Collison
Robert Reeves
Of course, Keith. We love your work and are beyond appreciative. Thanks!
Robert Reeves
Hi, Team!
Keith has been great. He’s accepted our PR and added my r2datical GH account to the repos at https://github.com/jenkinsci/liquibase-runner-plugin.
However, we still need to add Nathan. How do we add GH account nvoxland to the Jenkins CI group so that Keith can add Nathan as a contributor?
Thanks!
Robert
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CY4PR06MB2949895633D9CAAD5705465783D30%40CY4PR06MB2949.namprd06.prod.outlook.com.
Gavin Mogan
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CY4PR06MB29491B11D25B6DCF2EAB808883AF0%40CY4PR06MB2949.namprd06.prod.outlook.com.
Robert Reeves
Hi, team!
My PR to grant access to my GitHub/Jenkins.io account (they’re the same), had an issue with the automated checks. I’m not sure what I can do here to fix it: https://github.com/jenkins-infra/repository-permissions-updater/pull/1513
Thanks!
Robert
From: ga...@gavinmogan.com <ga...@gavinmogan.com>
On Behalf Of 'Gavin Mogan' via Jenkins Developers
Sent: Monday, April 27, 2020 2:00 PM
To: Jenkins Developers <jenkin...@googlegroups.com>
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAG%3D_Duv70psCT%2BAXcoqCj0URFEZ2uu97Bd6hoOieLqy%3DVsrp9w%40mail.gmail.com.
Slide
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CY4PR06MB29492DD71E51A86D392D103083AC0%40CY4PR06MB2949.namprd06.prod.outlook.com.
Robert Reeves
Awesome! Looking forward to the acceptance!!! We’re ready to release. Thank you!
Robert Reeves
CTO | Datical
Robert Reeves
Hi, Team! Just checking on the PR. As far as I can tell, it’s passed the checks. Slide asked me to attach the thread to the PR and I’ve done that. What’s next?
https://github.com/jenkins-infra/repository-permissions-updater/pull/1513
Thanks!
Robert
Robert Reeves
Hi, Team!
Thanks for accepting the PR to give my GitHub/Artifactory user access to release the plugin.
My GitHub user is r2datical and accounts.jenkins.io user is r2datical. Same one I’ve used for the daticaldb plugin. I’ve logged into the Artifactory instance with that account. However, I’m getting the 403 error still:
[INFO] [ERROR] Failed to execute goal org.apache.maven.plugins:maven-deploy-plugin:2.6:deploy (default-deploy) on project liquibase-runner: Failed to deploy artifacts: Could not transfer artifact org.jenkins-ci.plugins:liquibase-runner:hpi:1.3.0 from/to maven.jenkins-ci.org (https://repo.jenkins-ci.org/releases/): Authorization failed for https://repo.jenkins-ci.org/releases/org/jenkins-ci/plugins/liquibase-runner/1.3.0/liquibase-runner-1.3.0.hpi 403 Forbidden -> [Help 1]
Is this a timing thing or is there another step I need to perform?
Thanks!
Robert
From: jenkin...@googlegroups.com <jenkin...@googlegroups.com>
On Behalf Of Robert Reeves
Sent: Wednesday, April 29, 2020 8:31 AM
To: jenkin...@googlegroups.com
Cc: Keith Collison <keit...@gmail.com>; Daniel Beck <m...@beckweb.net>; Nathan Voxland <nat...@datical.com>
--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
jenkinsci-de...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CY4PR06MB2949FF0BF680C7D0FCC6FBEB83AD0%40CY4PR06MB2949.namprd06.prod.outlook.com.
Tim Jacomb
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CY4PR06MB29491CACE61D32F8534DBA7383AB0%40CY4PR06MB2949.namprd06.prod.outlook.com.
Robert Reeves
Thanks, Tim! Verified that the settings are set with the correct username and password as described here: https://www.jenkins.io/doc/developer/publishing/releasing/. I have gone here (https://repo.jenkins-ci.org/webapp/#/home) and verified the credentials allow me to log in.
Is there more information I can share to help solve this?
Thanks!
From: jenkin...@googlegroups.com <jenkin...@googlegroups.com>
On Behalf Of Tim Jacomb
Sent: Friday, May 1, 2020 8:44 AM
To: jenkin...@googlegroups.com
Subject: Re: Plugin: Liquibase Runner
I would check you deploy credentials in your settings.xml as a first step, it should be fairly quick to give you permission unless the job is broken
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CAH-3BifU%3DK98L5rvvOfr43g5bgc_YORcMiOiraWAGJ4mJZ0Urw%40mail.gmail.com.
Daniel Beck
> On 1. May 2020, at 15:15, Robert Reeves <r...@datical.com> wrote:
>
> [INFO] [ERROR] Failed to execute goal org.apache.maven.plugins:maven-deploy-plugin:2.6:deploy (default-deploy) on project liquibase-runner: Failed to deploy artifacts: Could not transfer artifact org.jenkins-ci.plugins:liquibase-runner:hpi:1.3.0 from/to maven.jenkins-ci.org(https://repo.jenkins-ci.org/releases/): Authorization failed for https://repo.jenkins-ci.org/releases/org/jenkins-ci/plugins/liquibase-runner/1.3.0/liquibase-runner-1.3.0.hpi 403 Forbidden -> [Help 1]
https://repo.jenkins-ci.org/releases/org/jenkins-ci/plugins/liquibase-runner/1.3.0/ exists and has for years. We do not allow deletion/replacement.
Robert Reeves
https://repo.jenkins-ci.org/releases/org/jenkins-ci/plugins/liquibase-runner/1.4.2/
-----Original Message-----
From: jenkin...@googlegroups.com <jenkin...@googlegroups.com> On Behalf Of Daniel Beck
Sent: Friday, May 1, 2020 12:21 PM
To: Jenkins Developers <jenkin...@googlegroups.com>
Subject: Re: Plugin: Liquibase Runner
>
> [INFO] [ERROR] Failed to execute goal org.apache.maven.plugins:maven-deploy-plugin:2.6:deploy (default-deploy) on project liquibase-runner: Failed to deploy artifacts: Could not transfer artifact org.jenkins-ci.plugins:liquibase-runner:hpi:1.3.0 from/to maven.jenkins-ci.org(https://repo.jenkins-ci.org/releases/): Authorization failed for https://repo.jenkins-ci.org/releases/org/jenkins-ci/plugins/liquibase-runner/1.3.0/liquibase-runner-1.3.0.hpi 403 Forbidden -> [Help 1]
https://repo.jenkins-ci.org/releases/org/jenkins-ci/plugins/liquibase-runner/1.3.0/ exists and has for years. We do not allow deletion/replacement.
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-de...@googlegroups.com.