Security Vulnerabilities


Daniel Spilker

Apr 10, 2017, 4:31:33 PM
to job-dsl...@googlegroups.com
Hi everyone!

The Job DSL plugin is affected by the vulnerabilities announced in the latest Jenkins Security Advisory. Please make sure to read the advisory as well as the accompanying blog post.

Job DSL 1.60 has been released to fix these vulnerabilities. Please read the migration guide and the new wiki page about script security before upgrading.

Use this mailing list or Stack Overflow to ask any questions.

Daniel

Kevin Shu

Jun 30, 2017, 10:39:10 AM
to job-dsl-plugin
Hi Daniel,

I see you have implemented security and also allowed users to opt out of this implementation.

In my case, we are a heavy user of the "Additional classpath" option in the Process Job DSLs step, which means we currently have no choice but to disable the option "Enable script security for Job DSL scripts".

Just wanted to know if there is any other viable way to still use the "Additional classpath" without completely disabling the security.

Thanks,

Kevin

Daniel Spilker

Jul 6, 2017, 4:18:25 PM
to job-dsl...@googlegroups.com
Hi Kevin,

Currently there is no way to use a custom classpath with security enabled.

The Script Security plugin supports custom classpaths, but each entry needs to be approved by an administrator. This means that if a JAR differs by a single byte it needs to be approved. Would that be feasible?
https://wiki.jenkins.io/display/jenkins/script+security+plugin#ScriptSecurityPlugin-Classpathforevaluatingscripts

Regards,
Daniel

--
You received this message because you are subscribed to the Google Groups "job-dsl-plugin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to job-dsl-plugin+unsubscribe@googlegroups.com.
To post to this group, send email to job-dsl-plugin@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/job-dsl-plugin/2f98d9eb-eade-4a1d-8498-90cfa5ac084a%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Kevin Shu

Jul 20, 2017, 7:10:51 AM
to job-dsl-plugin
That's nice to know. Not really possible for now, as my classpath is really pointing to a list of Groovy scripts that may change rather often. But I will keep this in mind for future reference.

Thanks

Kevin
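
To make Daniel's "differs by a single byte" point and Kevin's concern about frequently changing scripts concrete, here is an added illustration of content-based classpath approval; it is not code from the Job DSL or Script Security plugins and not part of this thread. Each classpath entry is identified by a digest of its bytes, so any modification produces a digest the administrator has not yet approved; the SHA-1 algorithm, the file names and the in-memory approval store are assumptions for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def entry_digest(path: Path) -> str:
    """Content digest of one classpath entry (a JAR or a .groovy file).
    SHA-1 is assumed here; the thread does not state which digest the plugin uses."""
    h = hashlib.sha1()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_classpath(entries, approved):
    """Split entries into approved and pending-approval by their content digest."""
    result = {"approved": [], "pending": []}
    for p in entries:
        d = entry_digest(p)
        bucket = result["approved"] if d in approved else result["pending"]
        bucket.append((p.name, d))
    return result


def demo() -> dict:
    """Constructed scenario: an admin approves two scripts, then one changes by a single byte."""
    with tempfile.TemporaryDirectory() as tmpdir:
        tmp = Path(tmpdir)
        utils = tmp / "utils.groovy"
        utils.write_bytes(b'def greet(n) { "Hi, ${n}" }\n')
        jobs = tmp / "jobs.groovy"
        jobs.write_bytes(b"job('demo') { steps { shell('true') } }\n")
        approved = {entry_digest(utils), entry_digest(jobs)}  # the admin's approval store
        before = check_classpath([utils, jobs], approved)
        # One-byte change: a trailing space before the final newline.
        utils.write_bytes(utils.read_bytes()[:-1] + b" \n")
        after = check_classpath([utils, jobs], approved)
        return {
            "pending_before": len(before["pending"]),
            "pending_after": len(after["pending"]),
            "changed": [name for name, _ in after["pending"]],
        }


if __name__ == "__main__":
    print(demo())  # {'pending_before': 0, 'pending_after': 1, 'changed': ['utils.groovy']}
```

Every edit to a script on the classpath therefore reopens an approval round, which is the churn Kevin describes above.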


On Thursday, July 6, 2017 at 10:18:25 PM UTC+2, Daniel Spilker wrote:
Hi Kevin,

currently there is no way to use a custom classpath with security enabled.

The Script Security plugin supports custom classpaths, but each entry needs to be approved by an administrator. This means that if a JAR differs by a single byte it needs to be approved. Would that be feasible?
https://wiki.jenkins.io/display/jenkins/script+security+plugin#ScriptSecurityPlugin-Classpathforevaluatingscripts

Regards,
Daniel
On Fri, Jun 30, 2017 at 4:39 PM, Kevin Shu <kevi...@gmail.com> wrote:
Hi Daniel,

I see you have implemented security and also allowed users to opt out of this implementation.

In my case, we are a heavy user of the "Additional classpath" option in the Process Job DSLs step. Which means we currently have no choice but to disable the option "Enable script security for Job DSL scripts".

Just wanted to know if there is any other viable way to still use the "Additional classpath" without completely disabling the security.

Thanks,

Kevin


On Monday, April 10, 2017 at 10:31:33 PM UTC+2, Daniel Spilker wrote:
Hi everyone!

The Job DSL plugin is affected by the vulnerabilities announced in the latest Jenkins Security Advisory. Please make sure to read the advisory as well as the accompanying blog post.

Job DSL 1.60 has been released to fix these vulnerabilities. Please read the migration guide and the new wiki page about script security before upgrading.

Use this mailing list or Stack Overflow to ask any questions.

Daniel

--
You received this message because you are subscribed to the Google Groups "job-dsl-plugin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to job-dsl-plugi...@googlegroups.com.
To post to this group, send email to job-dsl...@googlegroups.com.
Reply all
Reply to author
Forward
0 new messages