Hi everyone,

About a year ago I established a policy that we would publish security 
advisories if there's no expectation of getting them fixed through our private 
process.
https://jenkins.io/security/#vulnerabilities-in-plugins

Today, I did that once again, in a somewhat popular plugin, and for the first 
time for a medium severity vulnerability:
https://jenkins.io/security/advisory/2017-10-23/#scp-publisher-plugin-stores-jenkins-credentials-unencrypted-on-disk-round-trips-in-unencrypted-form

For reference, all previous ones (AFAIR) were for much more serious arbitrary 
code execution vulnerabilities.

I have not tried reaching out to any potential maintainers in this case, the 
last release was seven years ago, the last activity of any kind four years ago. 
Even if there is "a maintainer", they're not doing a lot of maintenance.

If you have feedback to share, please do, here or in private.

Thanks!
Daniel

-- 
You received this message because you are subscribed to the Google Groups 
"Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/jenkinsci-dev/71C18527-443E-471E-B6EC-40CAED6DA131%40beckweb.net.
For more options, visit https://groups.google.com/d/optout.

Reply via email to