[JIRA] (JENKINS-59069) Security Issue in latest version


matthias.doering@mldsc.de (JIRA)

Aug 25, 2019, 4:00:03 AM
to jenkinsc...@googlegroups.com
Matthias Doering created an issue
 
Jenkins / Bug JENKINS-59069
Security Issue in latest version
Issue Type: Bug
Assignee: Mohamed El Habib
Components: gitlab-oauth-plugin
Created: 2019-08-25 07:59
Environment: Jenkins v2.176.2
Labels: security plugin
Priority: Critical
Reporter: Matthias Doering

I want to ask if these security issues have been addressed so far and are planned on the roadmap?

 https://wiki.jenkins.io/display/JENKINS/Gitlab+OAuth+Plugin

The current version of this plugin may not be safe to use. Please review the following warnings before use:

HTTP session fixation vulnerability
Open redirect vulnerability
 
This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)

wfollonier@cloudbees.com (JIRA)

Oct 21, 2019, 2:03:03 AM
to jenkinsc...@googlegroups.com
Wadeck Follonier started work on Bug JENKINS-59069
 
Change By: Wadeck Follonier
Status: Open → In Progress

wfollonier@cloudbees.com (JIRA)

Oct 21, 2019, 2:05:02 AM
to jenkinsc...@googlegroups.com
Wadeck Follonier commented on Bug JENKINS-59069
 
Re: Security Issue in latest version

The two fixes are proposed in public:

Please, Mohamed El Habib, review them and, if they are good enough for you, merge them. That will allow the plugin to avoid the security warnings.

matthias.doering@mldsc.de (JIRA)

Apr 1, 2020, 5:40:03 PM
to jenkinsc...@googlegroups.com

Wadeck Follonier Do you know something about the planned time for the release?


wfollonier@cloudbees.com (JIRA)

Apr 2, 2020, 4:15:02 AM
to jenkinsc...@googlegroups.com

Matthias Doering, following the PR links you can find the merge commit; in it, you will see the version where it was integrated. If it's only "master" (or "dev"), it means that there is no release. For those ones, you will see "gitlab-oauth-1.5", meaning that version 1.5 contains those fixes.
