nodejs / build

Better build and test infra for Node.

Jenkins security release December 5th #1614

Closed rvagg closed 5 years ago

rvagg commented 5 years ago

The Jenkins project will publish new Jenkins releases (weekly, 2.138.4 LTS, and 2.150.1 LTS) on Wednesday December 5. Jenkins 2.138.4 will only include security fixes as changes since 2.138.3 to allow administrators to apply the security fixes without performing a major update, while 2.150.1 is the regularly scheduled LTS release. These updates will contain fixes for security issues present in current versions of Jenkins. The highest severity is 'critical'. The security advisory will be issued at the same time to provide further information.

We run 2.138.3.

"Critical" suggests that we should probably lock down CI the day before, to give us (probably me) a chance to upgrade everything to avoid the disclosure gap. Without knowing the nature of the flaw it's tricky to know how far such a lockdown should go. Options range from removing access to certain GitHub groups all the way to turning it off. Suggestions welcome.

mhdawson commented 5 years ago

We should probably capture a policy based on what we do this time. My first thought is to do the same as we do for security releases in terms of lockdown unless there are good reasons to do otherwise.

rvagg commented 5 years ago

How about a lockdown that also includes Collaborators? i.e. lock out everyone else.

Unfortunately we just don't know whether there might be bugs that impact Jenkins in a way where the ability to log in doesn't matter.

Word from the Jenkins folks is that they are expecting the release to be out ~midday UTC, which is midnight for me, so I'm not going to be patching it until maybe 9 hours later. So @mhdawson or @joaocgreis, do either of you want to take responsibility for doing an update on the server on the 5th when it comes out? All it really needs is sudo apt-get update && sudo apt-get dist-upgrade -y and then confirming on the UI that it's running 2.138.4. Cross your fingers that it doesn't introduce some new funky setting and it's just a simple upgrade. Upgrading plugins will probably be sensible too via https://ci.nodejs.org/pluginManager/ after the release (also needing a restart).
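The "confirm it's running 2.138.4" step above can be scripted. The following is an added example (not code from this thread or from the nodejs/build repo): it reads the version Jenkins advertises in its X-Jenkins response header and compares it with the expected fixed release, so the lockdown is only lifted once the instance really reports the patched version. It assumes curl is installed; the URL and the expected version passed to check_jenkins are placeholders.

```shell
#!/bin/sh
# Added example, not part of the nodejs/build thread.
# Return 0 if version $1 is greater than or equal to version $2,
# comparing dotted numeric components (e.g. 2.138.4 vs 2.150.1).
version_at_least() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0   # missing components count as 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0                             # all components equal
    }'
}

# Extract the value of the X-Jenkins header from a block of HTTP response
# headers passed as $1 (CRLF line endings are tolerated).
parse_x_jenkins() {
    printf '%s\n' "$1" | tr -d '\r' \
        | awk -F': ' 'tolower($1) == "x-jenkins" { print $2; exit }'
}

# Fetch the headers of a live instance and verify its advertised version.
# $1 = Jenkins URL (placeholder), $2 = expected fixed version.
# Exit 0 when patched, 1 when still older, 2 when no version is advertised.
check_jenkins() {
    url="$1"; expected="$2"
    headers=$(curl -sS -I "$url") || return 2
    running=$(parse_x_jenkins "$headers")
    [ -n "$running" ] || { echo "no X-Jenkins header from $url" >&2; return 2; }
    if version_at_least "$running" "$expected"; then
        echo "OK: $url reports $running (>= $expected)"
    else
        echo "NOT PATCHED: $url reports $running (< $expected)" >&2
        return 1
    fi
}

# Usage (placeholder URL): check_jenkins https://ci.example.invalid/ 2.138.4
```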

rvagg commented 5 years ago

And, depending on the nature of the vulnerabilities, I think we can delay updating of ci-release until we're comfortable that ci is running fine. Thankfully we have ci-release fairly locked down already.

joaocgreis commented 5 years ago

A lockdown that also includes Collaborators sounds reasonable (removing permissions from "Authenticated Users"). I won't be around at that time, only a few hours later. I can upgrade it when I arrive if it's not already done. Can you leave it locked down the day before?

rvagg commented 5 years ago

@nodejs/collaborators ATTN: we're going to do a minor lockdown of ci.nodejs.org for at least the morning of December 5th, UTC. Just removing non-Collaborators this time. There are Jenkins security vulnerabilities and we don't know what they are, so we are taking a cautious approach. As a collaborator you should be fine, but if you have non-collaborators confused as to why they can't see CI details, this is it.

Trott commented 5 years ago

Technically, it's already morning (12:13 AM) of December 5 in UTC. 😛 I wouldn't mind it getting locked down immediately, to be honest, but I imagine this will happen more like in another 8 hours or so?

rvagg commented 5 years ago

yeah yeah, ok, done

Before:

[screenshot 2018-12-05 11:15:40]

Now:

[screenshot 2018-12-05 11:16:00]

rvagg commented 5 years ago

ci.nodejs.org is done and re-enabled. I did some other cleanup and updates on some of the workers and I probably interrupted some people's CI runs, sorry to anyone who was impacted by that. I've moved on to ci-release, waiting for the current v8-canary build.

We did an LTS jump in this upgrade, from the 2.131 series to 2.150. That wasn't intentional, it just came from the upstream repo. I won't force a downgrade unless there's a good reason to. If anyone notices anything unusual with ci then please open an issue in this repo about it.

rvagg commented 5 years ago

ci-release is done