Jenkins security update Jan 12th

[rvagg]

The Jenkins project plans to publish new Jenkins releases (weekly and LTS 2.319.2) on Wednesday, January 12. These updates will contain fixes for security issues present in current versions of Jenkins. The highest severity is "Medium". The security advisory will be issued at the same time to provide further information.

Additionally, we will announce security issues in plugins in this security advisory. The highest severity is "High" and these issues affect plugins installed on more than 75% of known instances.

I suppose I'll handle this one.

[targos]

The releases are out and we have some warnings on ci.nodejs.org now.

[rvagg]

A bit delayed, but they're both upgraded now:

ci-release

Jenkins: 2.303.3 -> 2.319.2

Plugins

• AnsiColor 1.0.0 -> 1.0.1
• Ant 1.12 -> 1.13
• Bootstrap 5 API 5.1.1-1 -> 5.1.3-4
• Credentials 2.6.1 -> 1074.v60e6c29b_b44b
• Credentials Binding 1.27 -> 1.27.1
• Durable Task 1.39 -> 493.v195aefbb0ff2
• ECharts API 5.2.1-2 -> 5.2.2-2
• Folders 6.16 -> 6.17
• Font Awesome API 5.15.4-1 -> 5.15.4-5
• Git 4.10.0 -> 4.10.3
• Git client 3.10.0 -> 3.11.0
• GitHub API 1.133 -> 1.301-378.v9807bd746da5
• GitHub Authentication 0.34 -> 0.37
• GitHub Branch Source 2.11.3 -> 2.11.4
• Jackson 2 API 2.13.0-230.v59243c64b0a5 -> 2.13.1-246.va8a9f3eaf46a
• Job Configuration History 2.28.1 -> 2.31-rc1098.b666422863b2
• Mailer 1.34 -> 408.vd726a_1130320
• INCOMPATIBLE (not upgraded): Matrix Authorization Strategy 2.6.8 -> 3.0
• Matrix Project 1.19 -> 1.20
• Maven Integration 3.15.1 -> 3.16
• OkHttp 4.9.2-20211102 -> 4.9.3-105.vb96869f8ac3a
• OWASP Markup Formatter 2.4 -> 2.7
• Parameterized Trigger 2.41 -> 2.43
• Pipeline: API 2.47 -> 1122.v7a_916f363c86
• Pipeline: Groovy 2.94 -> 2648.va9433432b33c
• Pipeline: Job 2.42 -> 1145.v7f2433caa07f
• Pipeline: Multibranch 2.26 -> 706.vd43c65dec013
• INCOMPATIBLE (not upgraded): Pipeline: Nodes and Processes 2.39 -> 1121.va_65b_d2701486
• Pipeline: Step API 2.24 -> 622.vb_8e7c15bc95a
• Pipeline: Supporting APIs 3.8 -> 813.vb_d7c3d2984a_0
• Plugin Usage 2.0 -> 2.1
• Plugin Utilities API 2.5.1 -> 2.12.0
• Popper.js 2 API 2.10.2-1 -> 2.11.2-1
• INCOMPATIBLE (not upgraded): PostBuildScript 2.11.0 -> 3.1.0-348.vaf5cd5c632ce
• Rebuilder 1.32 -> 1.33
• SCM API 2.6.5 -> 595.vd5a_df5eb_0e39
• Script Security 1.78 -> 1131.v8b_b_5eda_c328e
• SSH Agent 1.23 -> 1.24.1
• Structs 1.23 -> 308.v852b473a2b8c
• Subversion 2.15.1 -> 2.15.2
• Text Finder 1.16 -> 1.18
• Throttle Concurrent Builds 2.4 -> 2.6
• Timestamper 1.13 -> 1.16

ci

Jenkins: 2.303.3 -> 2.319.2

Plugins

• Ant 1.12 -> 1.13
• Badge 1.9 -> 1.9.1
• Bitbucket Branch Source 2.9.11 -> 751.vda_24678a_f781
• INCOMPATIBLE (not upgraded): Bitbucket Pipeline for Blue Ocean 1.25.1 -> 1.25.2
• INCOMPATIBLE (not upgraded): Blue Ocean 1.25.1 -> 1.25.2
• Blue Ocean Core JS 1.25.1 -> 1.25.2
• INCOMPATIBLE (not upgraded): Blue Ocean Pipeline Editor 1.25.1 -> 1.25.2
• Bootstrap 5 API 5.1.1-1 -> 5.1.3-4
• Common API for Blue Ocean 1.25.1 -> 1.25.2
• Config API for Blue Ocean 1.25.1 -> 1.25.2
• Config File Provider 3.8.1 -> 3.8.2
• Credentials 2.6.1 -> 1074.v60e6c29b_b44b
• Credentials Binding 1.27 -> 1.27.1
• Dashboard for Blue Ocean 1.25.1 -> 1.25.2
• Design Language 1.25.1 -> 1.25.2
• Docker Commons 1.17 -> 1.18
• Docker Pipeline 1.26 -> 1.27
• Durable Task 1.39 -> 493.v195aefbb0ff2
• ECharts API 5.2.1-2 -> 5.2.2-2
• Email Extension 2.84 -> 2.86
• Email Extension Template 1.2 -> 1.4
• INCOMPATIBLE (not upgraded): Events API for Blue Ocean 1.25.1 -> 1.25.2
• Extra Columns 1.24 -> 1.25
• Folders 6.16 -> 6.17
• Font Awesome API 5.15.4-1 -> 5.15.4-5
• Git 4.10.0 -> 4.10.3
• Git client 3.10.0 -> 3.11.0
• Git Parameter 0.9.13 -> 0.9.15
• INCOMPATIBLE (not upgraded): Git Pipeline for Blue Ocean 1.25.1 -> 1.25.2
• GitHub API 1.133 -> 1.301-378.v9807bd746da5
• GitHub Authentication 0.34 -> 0.37
• GitHub Branch Source 2.11.3 -> 2.11.4
• INCOMPATIBLE (not upgraded): GitHub Pipeline for Blue Ocean 1.25.1 -> 1.25.2
• HTML Publisher 1.27 -> 1.28
• INCOMPATIBLE (not upgraded): HTTP Request 1.11 -> 1.13
• i18n for Blue Ocean 1.25.1 -> 1.25.2
• Jackson 2 API 2.13.0-230.v59243c64b0a5 -> 2.13.1-246.va8a9f3eaf46a
• JIRA Integration for Blue Ocean 1.25.1 -> 1.25.2
• Job Configuration History 2.28.1 -> 2.31-rc1098.b666422863b2
• INCOPATIBLE: Job DSL 1.77 -> 1.78.3
• JUnit Realtime Test Reporter 0.6 -> 80.v32337925383c
• JWT for Blue Ocean 1.25.1 -> 1.25.2
• Lockable Resources 2.12 -> 2.13
• Log Parser 2.1 -> 2.2
• Mailer 1.34 -> 408.vd726a_1130320
• INCOMPATIBLE (not upgraded): Matrix Authorization Strategy 2.6.8 -> 3.0
• Matrix Project 1.19 -> 1.20
• Maven Integration 3.15.1 -> 3.16
• Mercurial 2.15 -> 2.16
• Monitoring 1.88.0 -> 1.90.0
• Node and Label parameter 1.9.2 -> 1.10.3
• NodeJS 1.4.1 -> 1.5.1
• OkHttp 4.9.2-20211102 -> 4.9.3-105.vb96869f8ac3a
• OWASP Markup Formatter 2.4 -> 2.7
• Parameterized Trigger 2.41 -> 2.43
• Personalization for Blue Ocean 1.25.1 -> 1.25.2
• Pipeline Graph Analysis 1.11 -> 188.v3a01e7973f2c
• INCOMPATIBLE (not upgraded): Pipeline implementation for Blue Ocean 1.25.1 -> 1.25.2
• Pipeline SCM API for Blue Ocean 1.25.1 -> 1.25.2
• Pipeline Utility Steps 2.10.0 -> 2.11.0
• Pipeline: API 2.47 -> 1122.v7a_916f363c86
• Pipeline: Declarative 1.9.2 -> 1.9.3
• Pipeline: Declarative Extension Points API 1.9.2 -> 1.9.3
• Pipeline: Groovy 2.94 -> 2648.va9433432b33c
• Pipeline: Input Step 2.12 -> 446.vf27b_0b_83500e
• Pipeline: Job 2.42 -> 1145.v7f2433caa07f
• Pipeline: Model API 1.9.2 -> 1.9.3
• Pipeline: Multibranch 2.26 -> 706.vd43c65dec013
• INCOMPATIBLE (not upgraded): Pipeline: Nodes and Processes 2.39 -> 1121.va_65b_d2701486
• Pipeline: REST API 2.19 -> 2.20
• Pipeline: Shared Groovy Libraries 2.21 -> 552.vd9cc05b8a2e1
• Pipeline: Stage Step 2.5 -> 291.vf0a8a7aeeb50
• Pipeline: Stage Tags Metadata 1.9.2 -> 1.9.3
• Pipeline: Stage View 2.19 -> 2.20
• Pipeline: Step API 2.24 -> 622.vb_8e7c15bc95a
• Pipeline: Supporting APIs 3.8 -> 813.vb_d7c3d2984a_0
• Platform Labeler 1018.v93737f630767 -> 1149.v1f78b2a3c1de
• Plugin Usage 2.0 -> 2.1
• Plugin Utilities API 2.5.1 -> 2.12.0
• Popper.js 2 API 2.10.2-1 -> 2.11.2-1
• INCOMPATIBLE (not upgraded): PostBuildScript 2.11.0 -> 3.1.0-348.vaf5cd5c632ce
• Rebuilder 1.32 -> 1.33
• REST API for Blue Ocean 1.25.1 -> 1.25.2
• REST Implementation for Blue Ocean 1.25.1 -> 1.25.2
• SCM API 2.6.5 -> 595.vd5a_df5eb_0e39
• Script Security 1.78 -> 1131.v8b_b_5eda_c328e
• SSH Agent 1.23 -> 1.24.1
• Structs 1.23 -> 308.v852b473a2b8c
• Subversion 2.15.1 -> 2.15.2
• Text Finder 1.16 -> 1.18
• Throttle Concurrent Builds 2.4 -> 2.6
• Timestamper 1.13 -> 1.16
• Web for Blue Ocean 1.25.1 -> 1.25.2
• xUnit 3.0.4 -> 3.0.5

[targos]

What about "PUBLISH OVER SSH 1.22" ?

[richardlau]

What about "PUBLISH OVER SSH 1.22" ?

No available fixes at this time: https://www.jenkins.io/security/advisory/2022-01-12/