[JIRA] (JENKINS-58715) Gerrit Trigger Plugin is affected by SECURITY-534 fix in Jenkins 2.176.2 and 2.186


cbjones241@gmail.com (JIRA)

Jul 29, 2019, 2:24:04 PM7/29/19
to jenkinsc...@googlegroups.com
Chris Jones created an issue
 
Jenkins / Bug JENKINS-58715
Gerrit Trigger Plugin is affected by SECURITY-534 fix in Jenkins 2.176.2 and 2.186
Issue Type: Bug
Assignee: rsandell
Components: gerrit-trigger-plugin
Created: 2019-07-29 18:23
Environment: Core 2.176.2+ and 2.186+
Priority: Minor
Reporter: Chris Jones

After upgrading our master to CloudBees 2.138.42.0.1, which picked up a back-ported SECURITY-534 fix, I was unable to view the server list on the Gerrit Trigger status page. The table simply read "Data Error." and the /gerrit-trigger/serverStatuses call returns a 404. The servers themselves seemed functional according to the logs. Also in the logs:

WARNING: New Stapler dispatch rules result in the URL "/gerrit-trigger/serverStatuses" no longer being allowed. If you consider it safe to use, add the following to the whitelist: "com.sonyericsson.hudson.plugins.gerrit.trigger.GerritManagement serverStatuses". Learn more: https://jenkins.io/redirect/stapler-facet-restrictions

Adding the above to the whitelist fixed the issue. 

 
This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)
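As a triage aid for the warning quoted above (an added example, not code from this thread or from the plugin): the script scans a Jenkins log for SECURITY-534 dispatch warnings and lists each blocked URL with its suggested whitelist entry and hit count, so each entry can be checked for a plugin upgrade before anything is whitelisted. The log excerpt is constructed, the second entry is a placeholder, and the whitelist file name $JENKINS_HOME/stapler-views-whitelist.txt is an assumption taken from the jenkins.io page the warning links to.

```python
import re
from collections import OrderedDict

# Constructed sample log (not from the original report): two hits on the
# Gerrit Trigger URL from the thread, one on a placeholder plugin view,
# interleaved with unrelated lines.
SAMPLE_LOG = """\
INFO: Started Jenkins
WARNING: New Stapler dispatch rules result in the URL "/gerrit-trigger/serverStatuses" no longer being allowed. If you consider it safe to use, add the following to the whitelist: "com.sonyericsson.hudson.plugins.gerrit.trigger.GerritManagement serverStatuses". Learn more: https://jenkins.io/redirect/stapler-facet-restrictions
INFO: Build #12 completed
WARNING: New Stapler dispatch rules result in the URL "/gerrit-trigger/serverStatuses" no longer being allowed. If you consider it safe to use, add the following to the whitelist: "com.sonyericsson.hudson.plugins.gerrit.trigger.GerritManagement serverStatuses". Learn more: https://jenkins.io/redirect/stapler-facet-restrictions
WARNING: New Stapler dispatch rules result in the URL "/example-plugin/someView" no longer being allowed. If you consider it safe to use, add the following to the whitelist: "org.example.jenkins.ExamplePlugin someView". Learn more: https://jenkins.io/redirect/stapler-facet-restrictions
"""

# Matches the exact wording of the warning quoted in the issue.
PATTERN = re.compile(
    r'New Stapler dispatch rules result in the URL "(?P<url>[^"]+)" '
    r'no longer being allowed\..*?add the following to the whitelist: '
    r'"(?P<entry>[^"]+)"'
)


def blocked_facets(log_text):
    """Map each suggested whitelist entry ("<class> <view>") to the blocked
    URL, the owning class, the view name and how often it was hit."""
    found = OrderedDict()
    for line in log_text.splitlines():
        m = PATTERN.search(line)
        if not m:
            continue
        entry = m.group("entry")
        cls, view = entry.split(" ", 1)
        rec = found.setdefault(
            entry, {"url": m.group("url"), "class": cls, "view": view, "count": 0})
        rec["count"] += 1
    return found


def whitelist_lines(facets):
    """One line per entry, in the format the warning asks for (assumed file:
    $JENKINS_HOME/stapler-views-whitelist.txt). Only use after deciding
    that a plugin upgrade, as in this thread, is not available."""
    return list(facets.keys())


if __name__ == "__main__":
    for entry, rec in blocked_facets(SAMPLE_LOG).items():
        print(f"{rec['count']:>3}x {rec['url']:<35} class={rec['class']} view={rec['view']}")
```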

dbeck@cloudbees.com (JIRA)

Jul 29, 2019, 3:19:02 PM7/29/19
to jenkinsc...@googlegroups.com
Daniel Beck commented on Bug JENKINS-58715
 
Re: Gerrit Trigger Plugin is affected by SECURITY-534 fix in Jenkins 2.176.2 and 2.186

Which version of Gerrit Trigger Plugin is this? My guess would be older than 2.29.0.

cbjones241@gmail.com (JIRA)

Jul 29, 2019, 4:42:02 PM7/29/19
to jenkinsc...@googlegroups.com
Chris Jones edited a comment on Bug JENKINS-58715
Yes, it was left on 2.72.2 after the JEP-200 induced plugin upgrade. I'll try to stand up a clone and test 2.29.0.

cbjones241@gmail.com (JIRA)

Jul 29, 2019, 4:42:03 PM7/29/19
to jenkinsc...@googlegroups.com

Yes, it was left on 2.72.2 after the JEP-200 induced plugin upgrade. I'll try to stand up a clone and test 2.29.0.

cbjones241@gmail.com (JIRA)

Jul 29, 2019, 5:22:02 PM7/29/19
to jenkinsc...@googlegroups.com

Using Gerrit Trigger 2.29.0, I can see the server list without a whitelist. Thanks!

I still see the Stapler block on 2.28.0, so I guess 2.29.0 did the trick.

cbjones241@gmail.com (JIRA)

Jul 29, 2019, 5:25:02 PM7/29/19
to jenkinsc...@googlegroups.com
Chris Jones resolved as Fixed
 
Change By: Chris Jones
Status: Open -> Resolved
Resolution: Fixed
Released As: 2.29.0