
Resolve open vulnerabilities #259

Closed
schlumpfit opened this issue Jan 23, 2024 · 13 comments
Comments

@schlumpfit

Jenkins and plugins versions report

Jenkins: 2.426.2
OS: Linux - 5.10.201-191.748.amzn2.x86_64
Java: 17.0.9 - Eclipse Adoptium (OpenJDK 64-Bit Server VM)

oic-auth:2.6

What Operating System are you using (both controller, and any agents involved in the problem)?

Not relevant.

Reproduction steps

  1. Log in to the Jenkins controller or check the plugin page: https://plugins.jenkins.io/oic-auth/

Expected Results

No vulnerabilities are shown.

Actual Results

Two open vulnerabilities are shown.

Anything else?

Hello there, I am interested to know whether any efforts have already been made to resolve the issues?
For me it is unclear whether anything is going to happen, or whether these issues have been reported and that is the status quo.

I guess it is fine to ask this "publicly" since they are already displayed publicly on the plugins website.

Are you interested in contributing a fix?

No response

@krscheetas

Hi all, thanks for working on this. I see that a PR regarding CVE-2023-50771 has been merged. When will this be released to the Jenkins Plugin Servers so we can get it into our instance?

@dR3b

dR3b commented Mar 6, 2024

What's going on here? Someone has to take responsibility and create a new release!!!
Thanks!

@pascal-hofmann

@michael-doubez Can you create a new release?

@franciscomfcmaia

Sooo Jenkins has no OpenID plugin without vulnerabilities? What's going on here? xD

@tumbl3w33d
Contributor

Yet another case of https://xkcd.com/2347/

The plugin project is looking for maintainers by the way.

For those who cannot wait, there's a release built from my fork that was merged. Or you could fork the master branch of this repo yourself and add the github action to create your own release.

@michael-doubez
Contributor

Well. I had to fix the code and the tests - silly me, merging a PR that fails.
f0d703f

At the same time, Java has been switched to 11+.

It took some time, mainly rebuilding my dev env after I scratched everything.
Whatever, 3.0 is out: https://github.com/jenkinsci/oic-auth-plugin/releases/tag/oic-auth-3.0

@michael-doubez
Contributor

Still one vulnerability.
I don't have the time to tackle it. Contributions are welcome.

@michael-doubez
Contributor

Closing issue.

@michael-doubez
Contributor

Activating CD for further contribution #276

@schlumpfit
Author

Thanks a lot for the great work and fixing this 🎉 👏

@franciscomfcmaia

This is incredible! Thanks for the amazing work!

@krscheetas

Thanks all for solving this, but how will the new release be delivered here: https://plugins.jenkins.io/oic-auth/releases/ ?

@michael-doubez
Contributor

Thanks all for solving this, but how will the new release be delivered here: https://plugins.jenkins.io/oic-auth/releases/ ?

It already is. But it takes some time to be updated in plugin files.
https://updates.jenkins.io/download/plugins/oic-auth/3.0/oic-auth.hpi
