[ANNOUNCE] Jenkins Security and Active Choices


Ioannis Moutsatsos

Apr 12, 2017, 7:17:29 AM
to BioUno Users
The Jenkins team has announced that it is suspending the distribution of a number of plugins (through the Jenkins update center).

This is the advisory announcement 
https://jenkins.io/security/advisory/2017-04-10/ 

And the list of plugins that are currently vulnerable. 
https://jenkins.io/blog/2017/04/10/security-advisory/#distributing-vulnerable-plugins 


The Active Choices plugin is listed among these with the following recommendation. 
'Active Choices (uno-choice) Plugin should be updated to version 1.5.1 or newer. As this plugin depends on Scriptler, whose distribution has been suspended, you need to download this plugin from the Jenkins project Maven repository and upload it to Jenkins.'

Active Choices was updated back in 2016 (v1.5.1) to use the Script Security plugin to execute Groovy scripts in a secure way. However, there is a dependency on Scriptler which has not received the required security updates and is also on the suspended list. This dependency also makes the use of Active Choices a security risk.

As a result, the Jenkins security team has placed Active Choices on the list of plugins that will be suspended from distribution from the update center (they can still be installed manually from the Maven repository).

Follow this Jenkins Developers Group Discussion and stay tuned for additional updates.

Special kudos to Bruno for proactively working with the Jenkins security team to ensure that Active Choices was one of the first Groovy plugins to use the Jenkins Script Security recommendations.
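Added illustration, not code from the original post or from the BioUno project: when a plugin has to be fetched from the Maven repository and uploaded by hand, as the advisory recommends for Active Choices, the update center no longer warns you about its dependencies, so it is worth inspecting the archive yourself. A Jenkins plugin (.hpi/.jpi) is a zip whose META-INF/MANIFEST.MF lists Short-Name, Plugin-Version and, in Plugin-Dependencies, every required plugin as "name:version", optionally followed by ";resolution:=optional". The script below reads that manifest and flags non-optional dependencies on a suspended plugin. The suspended set holds only scriptler, the plugin this thread names; the sample manifest is constructed for the demo and its version numbers are placeholders, not the real uno-choice 1.5.1 manifest.

```python
"""Audit a Jenkins plugin archive for non-optional dependencies on suspended plugins."""
import io
import sys
import zipfile

# Short names of plugins treated as suspended. Only "scriptler" is named in
# this thread; extend the set from the current Jenkins advisory.
SUSPENDED = {"scriptler"}


def parse_manifest(text):
    """Parse MANIFEST.MF into a dict, joining continuation lines (leading space)."""
    attrs = {}
    key = None
    for raw in text.splitlines():
        if not raw.strip():
            continue  # blank line separates sections; main attributes are enough here
        if raw.startswith(" ") and key is not None:
            attrs[key] += raw[1:]  # continuation of the previous attribute value
        elif ":" in raw:
            key, _, value = raw.partition(":")
            key = key.strip()
            attrs[key] = value.strip()
    return attrs


def parse_dependencies(spec):
    """Split a Plugin-Dependencies value into name/version/optional records."""
    deps = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        name_version, _, flags = item.partition(";")
        name, _, version = name_version.partition(":")
        deps.append({
            "name": name.strip(),
            "version": version.strip(),
            "optional": "resolution:=optional" in flags,
        })
    return deps


def audit_hpi_bytes(data, suspended=SUSPENDED):
    """Return plugin identity, its dependencies, and the non-optional suspended ones."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8")
    attrs = parse_manifest(manifest)
    deps = parse_dependencies(attrs.get("Plugin-Dependencies", ""))
    flagged = [d["name"] for d in deps
               if d["name"] in suspended and not d["optional"]]
    return {
        "short_name": attrs.get("Short-Name"),
        "version": attrs.get("Plugin-Version"),
        "dependencies": deps,
        "suspended_dependencies": flagged,
    }


def audit_hpi_file(path, suspended=SUSPENDED):
    """Audit an .hpi/.jpi downloaded from the Maven repository."""
    with open(path, "rb") as fh:
        return audit_hpi_bytes(fh.read(), suspended)


def build_sample_hpi(manifest_text):
    """Build an in-memory .hpi containing only a manifest, for offline demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", manifest_text)
    return buf.getvalue()


# Constructed sample manifest (not the real uno-choice manifest): plugin short
# names are real, version numbers are placeholders. The second dependency line
# exercises the 72-byte line wrapping used by real manifests.
SAMPLE_MANIFEST = (
    "Manifest-Version: 1.0\r\n"
    "Short-Name: uno-choice\r\n"
    "Plugin-Version: 1.5.1\r\n"
    "Plugin-Dependencies: scriptler:2.9,script-security:1.27,jquery:1.11.2-0\r\n"
    " ,matrix-project:1.4.1;resolution:=optional\r\n"
    "\r\n"
)


if __name__ == "__main__":
    # With no argument, audit the constructed sample; otherwise audit the given file.
    report = audit_hpi_file(sys.argv[1]) if len(sys.argv) > 1 \
        else audit_hpi_bytes(build_sample_hpi(SAMPLE_MANIFEST))
    print(f"{report['short_name']} {report['version']}")
    for dep in report["dependencies"]:
        state = "SUSPENDED" if dep["name"] in report["suspended_dependencies"] else "ok"
        opt = " (optional)" if dep["optional"] else ""
        print(f"  {dep['name']}:{dep['version']}{opt} -> {state}")
    sys.exit(1 if report["suspended_dependencies"] else 0)
```

Run it against the downloaded archive (`python audit_hpi.py uno-choice-1.5.1.hpi`); a non-zero exit means the plugin would pull in a suspended dependency, which is exactly the situation the advisory describes for Active Choices. Optional dependencies are deliberately not flagged, since Jenkins does not require them to be installed.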


Lionel Orellana

Jun 13, 2017, 7:30:30 PM
to BioUno Users
Hi, 

Is there any update on this? What's the plan going forward? 

Cheers

Bruno P. Kinoshita

Jun 13, 2017, 7:38:19 PM
to biouno...@googlegroups.com
Hi Lionel,

Last time I checked, scriptler-plugin was still blacklisted. Haven't checked again so far (busy at $work this week), but once the security bugs are fixed in scriptler-plugin, we should be able to simply update our dependencies in pom.xml, run some testing, and release it again to the Jenkins update center.

In the meantime, I know some users have reverted to using our update center in order to grab the plugin binary - http://biouno.org/jenkins-update-site.html
Hope that helps
Bruno




Lionel Orellana

Jun 14, 2017, 6:36:24 AM
to BioUno Users, brunod...@yahoo.com.br
Thanks Bruno. I installed from the update centre but it's not a good look with all the warnings. Good to hear it's an easy fix at your end.