update Jenkins plugins listed in 2017-04-10 advisory
Description
Activity

Former user June 20, 2017 at 12:06 PM
Available updates installed, separate ticket opened for unmaintained plugins

Former user April 11, 2017 at 8:40 PM
Existing fixed plugins installed. There are still four plugins with no fix, so we need to wait till those get released or disable them if vulnerabilities are deemed too serious.

Former user April 11, 2017 at 12:37 PM (Edited)
Reviewed the plugins we have installed that are affected by this advisory:
Plugin | existing version | fixed version | note |
---|---|---|---|
Email Extension Plugin | 2.57.1 | 2.57.2 | |
Environment Injector Plugin | 1.92.1 | 2.0 | |
Groovy Plugin | 1.24 | 2.0 | |
Matrix Authorization Strategy Plugin | 1.1 | 1.5 | |
Role-based Authorization Strategy | 2.2.0 | 2.4.0 | |
Warnings Plug-in | 4.50 | 4.61 | analysis-core updated to 1.86 as dependency |
CloudBees Build Flow plugin | 0.17 | SECURITY-293 | |
Dynamic Parameter Plug-in | 0.2.0 | SECURITY-462 | |
Post-Build Script Plug-in | 0.17 | SECURITY-295 | |
Scriptler | 2.9 | SECURITY-367 | |

Some still have no fix upstream and some fixed versions bump the major version so may be incompatible with older job definitions. I've applied existing updates on Staging and after some tests will apply in production.
Details
Assignee: Former user (Deactivated)
Reporter: Former user (Deactivated)
Priority: High

A security advisory is out for a bunch of plugins:
https://jenkins.io/security/advisory/2017-04-10/
Opening this ticket to track the process of updating affected ones.