[JIRA] (JENKINS-60913) Remove network discovery services


jthompson@cloudbees.com (JIRA)

Jan 29, 2020, 5:55:03 PM
to jenkinsc...@googlegroups.com
Jeff Thompson created an issue
 
Jenkins / Task JENKINS-60913
Remove network discovery services
Issue Type: Task
Assignee: Jeff Thompson
Components: core
Created: 2020-01-29 22:54
Priority: Minor
Reporter: Jeff Thompson

Dating back many years, Jenkins has supported two network discovery services (UDP multicast/broadcast and DNS multicast). When this was first implemented this may have been a reasonable way to provide useful lookup services. With modern Jenkins capabilities, networks, and security considerations, this is no longer a good mechanism. There are now other ways to accomplish the real needs and concerns with doing it this way.

With [Jenkins Security Advisory 2020-01-29|https://jenkins.io/security/advisory/2020-01-29/] these services were disabled by default because of SECURITY-1641 / CVE-2020-2100.

These should just be removed.


jglick@cloudbees.com (JIRA)

Jan 30, 2020, 1:25:03 PM
to jenkinsc...@googlegroups.com

o.v.nenashev@gmail.com (JIRA)

Feb 10, 2020, 4:23:04 AM
to jenkinsc...@googlegroups.com
Oleg Nenashev resolved as Duplicate
 

It was released in Jenkins 2.220. Jeff Thompson, it would be great if the pull request submitter ensures to address comments about duplication. I missed it, because I do not always check Jira before merging.

Change By: Oleg Nenashev
Status: Open → Resolved
Resolution: Duplicate
Released As: Jenkins 2.220

allan.lewis@youview.com (JIRA)

Feb 10, 2020, 4:59:02 AM
to jenkinsc...@googlegroups.com
Allan Lewis updated an issue
Change By: Allan Lewis
Dating back many years, Jenkins has supported two network discovery services (UDP multicast/broadcast and DNS multicast). When this was first implemented this may have been a reasonable way to provide useful lookup services. With modern Jenkins capabilities, networks, and security considerations, this is no longer a good mechanism. There are now other ways to accomplish the real needs and concerns with doing it this way.

With [Jenkins Security Advisory 2020-01-29|https://jenkins.io/security/advisory/2020-01-29/] these services were disabled by default because of SECURITY-1641 / CVE-2020-2100.

These should just be removed.

jthompson@cloudbees.com (JIRA)

Feb 10, 2020, 12:24:03 PM
to jenkinsc...@googlegroups.com

Oleg Nenashev, I'm not sure what you're asking for. You wanted a reference to the ticket Jesse mentioned to also be included in the PR on GitHub?

I noticed that you said you were going to do something like that, so I figured you would take care of what you thought was needed. And it was already mentioned here and at least one other place.

 
