Groovy Security Advisory


Emory Penney

Apr 14, 2017, 2:29:22 PM
to Jenkins Users
Hi,

Does anyone know what's going on with the Groovy plugin right now?  My Jenkins instance is bugging me to update Groovy from 1.30 to 2.0 because of this remote code execution security advisory and when I visit plugin manager I see the wonderful message:
Warning: the new version of this plugin claims to use a different settings format than the installed version. Jobs using this plugin may need to be reconfigured, and/or you may not be able to cleanly revert to the prior version without manually restoring old settings. Consult the plugin release notes for details.

When I go to the Groovy Wiki I find no references to WHAT has changed.  Additionally, there aren't even release notes for the new Groovy version... GitHub has nothing.  So... what gives?  What am I going to break if I update this plugin?  It's a pretty big version number jump, so I'm assuming it's a big change, and I refuse to upgrade if I don't have at least SOME heads up about what might break before going in.

Andrew Bayer

Apr 14, 2017, 6:11:25 PM
to jenkins...@googlegroups.com
Basically, the Groovy plugin (and a bunch of other plugins with Groovy scripting involved) now go through the script security process. So by default, not everything is whitelisted in a system Groovy script. There are no changes to non-system Groovy scripts, and you can approve scripts or signatures that aren't whitelisted.

A.

--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-use...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/16f507d9-eb9f-4a7a-affd-e99596c09ad8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
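As an added illustration of what the change above means in practice (this is not code from the thread or from the Groovy plugin itself), here is a system Groovy build step that enumerates jobs; after the upgrade every Jenkins-internal call it makes is a signature the sandbox checks, and an administrator approves the missing ones (or the whole script) under Manage Jenkins > In-process Script Approval. The script and the signature strings shown in comments are assumptions; the exact strings appear on that approval page.

```groovy
// Added example (not from the thread or the Groovy plugin docs): a "system
// Groovy script" build step that lists every job and its last result.
// Before Groovy plugin 2.0 this ran with full controller privileges and no
// review; after the upgrade the same script is subject to Script Security.
import jenkins.model.Jenkins
import hudson.model.Job
import hudson.model.Result

// Jenkins.instance is a static accessor on a core class. It is not on the
// default whitelist, so in the sandbox the first run is rejected with a
// message along the lines of (assumed wording):
//   Scripts not permitted to use staticMethod jenkins.model.Jenkins getInstance
// An administrator then either approves that signature (and the ones noted
// below) or approves the script as a whole, which is what "approve scripts
// or signatures" refers to.
def jenkins = Jenkins.instance

// Each call below is a separate signature that may need approval, e.g.
// (assumed strings, verify on the approval page):
//   method jenkins.model.Jenkins getAllItems java.lang.Class
//   method hudson.model.Job getLastBuild
//   method hudson.model.Run getResult
//   method hudson.model.AbstractItem getFullName
jenkins.getAllItems(Job).each { Job job ->
    def last = job.lastBuild
    def result = last?.result ?: Result.NOT_BUILT
    println "${job.fullName}: ${result}"
}
```

The upside for the defender is that a script with controller-level access now leaves an explicit, reviewable approval record instead of running unseen with whatever a job configurer typed in.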

ogondza

Apr 17, 2017, 4:35:48 AM
to Jenkins Users
Hi,

I have updated the changelog to point to the advisory with all the details. Sorry for the delay.

--
oliver