[JIRA] (JENKINS-59552) Detached plugins installed are those with security warnings


awiddersheim@hotmail.com (JIRA)

Sep 26, 2019, 11:28:02 AM
to jenkinsc...@googlegroups.com
Andrew Widdersheim created an issue
 
Jenkins / Bug JENKINS-59552
Detached plugins installed are those with security warnings
Issue Type: Bug
Assignee: Carlos Sanchez
Components: docker
Created: 2019-09-26 15:27
Priority: Critical
Reporter: Andrew Widdersheim

When running Jenkins with the official Docker container, some plugins will pull in detached plugins that have security vulnerabilities and also have newer versions available that could be used instead.

To replicate, you can install https://plugins.jenkins.io/purge-build-queue-plugin# for example. This will pull in a vulnerable version of https://plugins.jenkins.io/pam-auth:

jenkins_1  | INFO: Loading a detached plugin as a dependency: /var/jenkins_home/plugins/pam-auth.jpi
jenkins_1  | WARNING: Created /var/jenkins_home/plugins/pam-auth/WEB-INF/lib/classes.jar; update plugin to a version created with a newer harness
jenkins_1  | INFO: Took 0ms for Loading plugin PAM Authentication plugin v1.1 (pam-auth) by pool-6-thread-4
jenkins_1  | INFO: Took 0ms for Initializing plugin pam-auth by pool-6-thread-1  

According to Jesse Glick, this is a bug and not intended behavior.

This might be scoped to just running with Docker but it's the only place I'm able to test and replicate.

This message was sent by Atlassian Jira (v7.13.6#713006-sha1:cc4451f)
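
Added example, not part of the original report or of Jenkins itself: a small Python check that scans a Jenkins startup log for the "Loading a detached plugin as a dependency" lines quoted above and pairs each with the version reported when the plugin loads, so the result can be compared against the plugin site. The function name, the `example-plugin` line and the assumption that other log lines follow the same two formats are constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# Constructed sample: the four lines quoted in the report plus one constructed
# ordinary plugin load ("example-plugin") that must not be flagged.
SAMPLE_LOG = """\
jenkins_1  | INFO: Loading a detached plugin as a dependency: /var/jenkins_home/plugins/pam-auth.jpi
jenkins_1  | WARNING: Created /var/jenkins_home/plugins/pam-auth/WEB-INF/lib/classes.jar; update plugin to a version created with a newer harness
jenkins_1  | INFO: Took 0ms for Loading plugin PAM Authentication plugin v1.1 (pam-auth) by pool-6-thread-4
jenkins_1  | INFO: Took 0ms for Initializing plugin pam-auth by pool-6-thread-1
jenkins_1  | INFO: Took 1ms for Loading plugin Example plugin v2.0 (example-plugin) by pool-6-thread-2
"""

# Line announcing that a bundled (detached) plugin file was installed implicitly.
DETACHED = re.compile(r"Loading a detached plugin as a dependency: (\S+\.[jh]pi)\s*$")
# Line reporting display name, version and short name once the plugin is loaded.
LOADED = re.compile(r"Loading plugin (?P<title>.+) v(?P<version>\S+) \((?P<name>[^()\s]+)\) by ")


def detached_plugin_loads(log_text):
    """Return {short_name: version or None} for plugins loaded as detached dependencies."""
    detached = {}   # short names seen in a "detached plugin" line
    versions = {}   # short name -> version from the "Loading plugin" line
    for line in log_text.splitlines():
        m = DETACHED.search(line)
        if m:
            # /var/jenkins_home/plugins/pam-auth.jpi -> pam-auth
            detached.setdefault(PurePosixPath(m.group(1)).stem, None)
            continue
        m = LOADED.search(line)
        if m:
            versions[m.group("name")] = m.group("version")
    # A version of None means the log never reported the plugin being loaded.
    return {name: versions.get(name) for name in detached}


if __name__ == "__main__":
    for name, version in sorted(detached_plugin_loads(SAMPLE_LOG).items()):
        print(f"detached dependency installed: {name} version={version or 'unknown'}")
```

Each reported short name and version can then be checked against the plugin's page for security warnings and newer releases.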

jglick@cloudbees.com (JIRA)

Sep 26, 2019, 11:33:01 AM
to jenkinsc...@googlegroups.com
Jesse Glick updated an issue
Change By: Jesse Glick
Component/s: core
Component/s: docker

jglick@cloudbees.com (JIRA)

Sep 26, 2019, 11:33:03 AM
to jenkinsc...@googlegroups.com

jglick@cloudbees.com (JIRA)

Sep 26, 2019, 11:33:03 AM
to jenkinsc...@googlegroups.com
Jesse Glick assigned an issue to Unassigned
Change By: Jesse Glick
Assignee: Carlos Sanchez

dbeck@cloudbees.com (JIRA)

Sep 26, 2019, 11:45:02 AM
to jenkinsc...@googlegroups.com
Daniel Beck commented on Bug JENKINS-59552
 
Re: Detached plugins installed are those with security warnings

Andrew Widdersheim Sorry about the lack of responses, I was busy. Happy to take this, unless you want to?

awiddersheim@hotmail.com (JIRA)

Sep 26, 2019, 1:12:02 PM
to jenkinsc...@googlegroups.com

dbeck@cloudbees.com (JIRA)

Sep 26, 2019, 4:17:03 PM
to jenkinsc...@googlegroups.com

dbeck@cloudbees.com (JIRA)

Sep 26, 2019, 8:16:02 PM
to jenkinsc...@googlegroups.com
Daniel Beck started work on Bug JENKINS-59552
 
Change By: Daniel Beck
Status: Open -> In Progress

dbeck@cloudbees.com (JIRA)

Sep 30, 2019, 6:10:04 AM
to jenkinsc...@googlegroups.com
Daniel Beck closed an issue as Fixed
 

Should be in 2.198.

Change By: Daniel Beck
Status: In Progress -> Closed
Resolution: Fixed
Released As: jenkins-2.198