Vulnerability in JQuery on Jenkins


eric....@gmail.com
Aug 26, 2020, 10:38:59 AM
to Jenkins Users
Hi All,

Just got gigged by our security team for a vulnerability in Jenkins with the version of jQuery installed. How do I go about updating the version of jQuery that Jenkins runs? Here are the specifics of the vulnerability:

Plugin Output: 
  URL               : http://myMachine:8081/js/jquery-1.11.1.min.js
  Installed version : 1.11.1
  Fixed version     : 3.5.0

I'm running version 2.235.5 of Jenkins.

Thanks,
Eric
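The scanner finding quoted above is based on the version banner at the top of the served jQuery file, so the same check can be repeated in-house before and after a Jenkins upgrade. The following is an added example, not code from this thread or from the Jenkins project: it parses the pasted scanner block, reads the version from a jQuery banner, and compares it numerically against the "fixed" version. The banner patterns, the `check_url` fetcher and the sample byte strings are this example's own assumptions and constructed inputs, not anything the post provides.

```python
"""Re-check which jQuery build a Jenkins instance actually serves.

Added example, not code from the thread or from the Jenkins project.
Scanners like the one quoted in the post read the version from the banner
comment at the top of the jQuery file, so the same check can be run
in-house: parse the scanner finding, fetch the script, and compare the
served version against the "fixed" version the scanner names.
"""
import re
import urllib.request

# Assumed banner shapes: minified ("/*! jQuery v1.11.1 | ...") and
# uncompressed ("/*!\n * jQuery JavaScript Library v1.11.1") builds.
_BANNER = re.compile(
    rb"/\*!\s*\**\s*jQuery(?:\s+JavaScript\s+Library)?\s+v(\d+(?:\.\d+)+)"
)

# Lines of the scanner report in the form pasted in the original post.
_FIELD = re.compile(r"^\s*(URL|Installed version|Fixed version)\s*:\s*(\S+)", re.M)


def parse_version(text: str) -> tuple:
    """'1.11.1' -> (1, 11, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def parse_scanner_output(report: str) -> dict:
    """Turn the 'URL / Installed version / Fixed version' block into a dict."""
    return {key.lower().replace(" ", "_"): value for key, value in _FIELD.findall(report)}


def jquery_version_from_source(js: bytes):
    """Version string from the jQuery banner, or None if no banner is present."""
    match = _BANNER.search(js[:1024])  # the banner sits at the very top of the file
    return match.group(1).decode("ascii") if match else None


def assess(js: bytes, fixed_version: str = "3.5.0") -> dict:
    """Compare the served build against the version the scanner calls fixed.

    'outdated' is None when no banner was found (e.g. the URL no longer serves jQuery).
    """
    installed = jquery_version_from_source(js)
    outdated = None if installed is None else parse_version(installed) < parse_version(fixed_version)
    return {"installed": installed, "fixed": fixed_version, "outdated": outdated}


def check_url(url: str, fixed_version: str = "3.5.0", timeout: float = 10.0) -> dict:
    """Fetch a script URL from the scanner report and assess the bytes actually served."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return assess(resp.read(), fixed_version)


def reverify(report: str, js: bytes) -> dict:
    """Check a scanner finding against the bytes the server really returned."""
    finding = parse_scanner_output(report)
    result = assess(js, finding.get("fixed_version", "3.5.0"))
    result["matches_scanner"] = result["installed"] == finding.get("installed_version")
    return result


# Constructed sample inputs so the module runs offline: the report from the
# post, one old-style minified banner and one uncompressed 3.x banner.
SCANNER_REPORT = """Plugin Output:
  URL               : http://myMachine:8081/js/jquery-1.11.1.min.js
  Installed version : 1.11.1
  Fixed version     : 3.5.0
"""
SAMPLE_OLD = b"/*! jQuery v1.11.1 | (c) 2005, 2014 jQuery Foundation, Inc. | jquery.org/license */\n!function(a,b){}"
SAMPLE_NEW = b"/*!\n * jQuery JavaScript Library v3.5.1\n * https://jquery.com/\n */\n(function(global){})"


if __name__ == "__main__":
    import sys
    # Offline demonstration on the constructed sample, then any URLs given on the command line.
    print(reverify(SCANNER_REPORT, SAMPLE_OLD))
    for url in sys.argv[1:]:
        print(url, check_url(url))
```

Comparing version tuples rather than strings matters here: as strings, "1.11.1" sorts before "1.9.1", which would misreport a 1.9 build as older than a 1.11 one. Run the module with the script URL from a scanner report as its argument to see what the server currently returns for that path.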

vince bailey
Aug 26, 2020, 10:44:58 AM
to 'Björn Pedersen' via Jenkins Users
Hi All,

You need to go to a minimum of 2.241 or 2.251; there are security issues on older versions.

docker containers
jenkins/jenkins:2.241
jenkins/jenkins:2.51

or go to this website
-- 
Regards,

Vince Bailey

Live long and prosper !!!
--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/13c921b1-02f4-4f00-a474-266fe766ced0n%40googlegroups.com.

Jérôme Godbout
Aug 26, 2020, 10:51:25 AM
to jenkins...@googlegroups.com

So it means the LTS 2.235.5 is not covered by those security fixes? jQuery 1.11 is old, from around 2014, and security patches stopped in 2015.

vince bailey
Aug 26, 2020, 11:02:58 AM
to 'Björn Pedersen' via Jenkins Users
Hi All,

It's mainly because of the plugins. LTS versions are more stable and are supported for a long time, but they are not updated to fix security holes, and your Jenkins server will often ask you to update your war file, or whatever process you use to update Jenkins.

PS: if your Jenkins sits on an OS like Windows/Linux/Mac, you must apply their security patches often.

I am running a docker container version 2.251 and it's great: new look, new features, and connectivity to things like Atlassian products works much better.

-- 
Regards,

Vince Bailey

Live long and prosper !!!

Ullrich Hafner
Aug 26, 2020, 11:11:22 AM
to Jenkins Users
You cannot update this specific version. There are still some plugins (and maybe some old core scripts as well) that use jQuery 1, so we cannot remove that dependency. If a new plugin wants to use jQuery then there is an additional plugin available: https://github.com/jenkinsci/jquery3-api-plugin


vince bailey
Aug 26, 2020, 11:29:50 AM
to 'Björn Pedersen' via Jenkins Users
Yeah,

Plugins can be a pain in the neck.

You could build a Jenkins test server as a test rig, which is what I do, as a docker container with all your current software, and test the new plugins there.

That will at least ensure that after your testing you will know whether your pipelines still work.
-- 
Regards,

Vince Bailey

Live long and prosper !!!