accounts.jenkins.io can't login or use password reset


Johan Cornelissen

June 3, 2020, 11:30:10 AM
To: Jenkins Developers
Up until two days ago I was able to log into Jenkins LDAP without issues.
Now if I try to login it says invalid password, and a password reset attempt on https://accounts.jenkins.io/ isn't working (I receive no email, even though password resets have worked for me in the past).

Could someone help take a look? I'll send my username privately.

Oleg Nenashev

June 3, 2020, 12:56:59 PM
To: Jenkins Developers
Hi Johan,

This is related to yesterday's INFRA outage: https://groups.google.com/forum/#!topic/jenkins-infra/zRqdiyarLDE . "Ldap database backup stopped in February 2020 which means that we lost three months of ldap changes." We restored the latest available backup, so recent changes are lost. We are looking into possible options to fully or partially restore the changes, but no good news right now.

If you provide your account ID, I will try to reset it manually. If you have registered less than 3 months ago, then you may need to re-register.

Best regards,
Oleg

Johan Cornelissen

June 3, 2020, 6:14:21 PM
To: Jenkins Developers
Thanks for the information Oleg. I was worried that it might be related to the outage.

My username is johanc if you are able to reset it manually.

Cheers,
Johan

Michał Malicki

June 4, 2020, 4:55:15 AM
To: Jenkins Developers
Hi Oleg,
I have a similar situation, can't log into the account with id "deviniti". I'd appreciate it if you could try to reset that one as well.
If that account is not in current db, can we re-register providing the same id?
Regards,
Michał

Olblak

June 4, 2020, 6:31:42 AM
To: Jenkins Developers ML
> If that account is not in current db, can we re-register providing the same id?

Yes, you can. In your case I see that there is already an account in the database.
--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-de...@googlegroups.com.

Mez Pahlan

June 5, 2020, 4:16:19 AM
To: Jenkins Developers
I'm glad I checked here first!

Same thing happened to me. My user id is: mezpahlan

I registered more than 3 months ago but I have changed my password in the last 3 months and don't remember the old one any more. Do I need to password reset?

Thanks

Oleg Nenashev

June 5, 2020, 4:21:09 AM
To: JenkinsCI Developers
Yes, it is better to do password reset.
Admin UI in the Account App looks a bit strange for me, apparently I cannot reset passwords for other users at the moment.




Dmitry Sotnikov

June 8, 2020, 8:08:31 PM
To: Jenkins Developers
Do you guys plan to reach out to all the extension owners?

We just accidentally found out about the issue: couldn't log in or reset password, and then found this thread. When we created a new account (42Crunch) for our company it just automatically assumed all access and extension ownership for the plugin that we had published a few weeks ago.

This can be dangerous because someone might take over existing accounts of other vendors and then push malware updates to customers.

Dmitry



Oleg Nenashev

June 9, 2020, 5:15:03 AM
To: Jenkins Developers
Hi all,

An official update w.r.t this topic is coming soon. I confirm the assessment by Dmitry, it is a potential security risk which was reported on multiple occasions. SECURITY-1895 is a report for this incident, and it is currently being investigated by the security team.

Just to provide some updates:
  • As of 8:50AM UTC, uploads to Jenkins Artifactory "/releases" location are prohibited. Plugin maintainers will get HTTP 409 when they try to upload releases. Incremental releases and snapshot deployment are not affected by this change
  • We are reviewing all audit logs to confirm whether the potential issue with uploads was exploited. According to the preliminary analysis, the answer is "no"
Today at 3:30PM UTC we will also have a Jenkins Infrastructure team meeting where this issue will be discussed in more details. Calendar link

Best regards,
Oleg Nenashev
Jenkins Security Team

Oleg Nenashev

June 9, 2020, 8:29:39 AM
To: Jenkins Developers
We are also experiencing issues with artifact downloads, likely a collateral damage after the change

Oleg Nenashev

June 9, 2020, 8:58:33 AM
To: Jenkins Developers
Downloads are restored. Another workaround has been applied by Daniel in https://github.com/jenkins-infra/repository-permissions-updater/pull/1569 , so user downloads are no longer broken.
Thanks a lot to Daniel Beck for the quick fix!

Uploads are still blocked for everyone except a few users with Artifactory-wide permissions. We will be reviewing our options and communicating the next steps soon

Best regards,
Oleg

Roni Segal

June 14, 2020, 8:40:06 AM
To: Jenkins Developers
Hi, any updates on the uploads? We still cannot upload our plugin.

Oleg Nenashev

June 14, 2020, 8:48:20 AM
To: JenkinsCI Developers
Please see https://groups.google.com/forum/m/#!topic/jenkinsci-dev/3UvrCTflXGk for the status updates. Yes, downloads are still blocked


Oleg Nenashev

June 15, 2020, 10:13:25 AM
To: Jenkins Developers

Matt Murphy

June 16, 2020, 4:31:39 PM
To: Jenkins Developers
Hi Oleg,

I've hit the same problem as others on this thread (my password no longer works and a reset doesn't send the email).  Can you reset my account pw too?  User id is mattmurp

Thanks,

Aaron Whiteside

July 4, 2020, 8:17:15 AM
To: Jenkins Developers
Hi Oleg,

I've had the same issue, not able to login or reset my password. My account ID is aaronjwhiteside.


Thanks in advance!

Regards,
Aaron

Oleg Nenashev

July 4, 2020, 3:53:48 PM
To: Jenkins Developers
Hi all,

Please bring up these issues in the Jenkins Infrastructure mailing list: https://groups.google.com/forum/#!forum/jenkins-infra

The user accounts password reset was not finished as communicated here: https://groups.google.com/d/msg/jenkinsci-dev/3UvrCTflXGk/ll-opqUhBgAJ. In the current state I am afraid of touching the user database, and I would prefer that other Jenkins Infra team members with more subject matter knowledge handle account requests. Right now I have no bandwidth to perform history review and manual fix for users.

Thanks for understanding,
Oleg