Hi everyone, About a year ago I established a policy that we would publish security advisories if there's no expectation of getting them fixed through our private process. https://jenkins.io/security/#vulnerabilities-in-plugins
Today, I did that once again, in a somewhat popular plugin, and for the first time for a medium severity vulnerability: https://jenkins.io/security/advisory/2017-10-23/#scp-publisher-plugin-stores-jenkins-credentials-unencrypted-on-disk-round-trips-in-unencrypted-form For reference, all previous ones (AFAIR) were for much more serious arbitrary code execution vulnerabilities. I have not tried reaching out to any potential maintainers in this case, the last release was seven years ago, the last activity of any kind four years ago. Even if there is "a maintainer", they're not doing a lot of maintenance. If you have feedback to share, please do, here or in private. Thanks! Daniel -- You received this message because you are subscribed to the Google Groups "Jenkins Developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/71C18527-443E-471E-B6EC-40CAED6DA131%40beckweb.net. For more options, visit https://groups.google.com/d/optout.
