Hi all,

An official update w.r.t this topic is coming soon. I confirm the 
assessment by Dmitry, it is a potential security risk which was reported on 
multiple occasions. SECURITY-1895 is a report for this incident, and it is 
currently being investigated by the security team.

Just to provide some updates:

   - As of 8:50AM UTC, uploads to Jenkins Artifactory "/releases" location 
   are prohibited. Plugin maintainers will get HTTP 409 when they try to 
   upload releases. Incremental releases and snapshot deployment are not 
   affected by this change
   - We are reviewing all audit logs to confirm whether the potential issue 
   with uploads was exploited. According to the preliminary analysis, the 
   answer is "no"

Today at 3:30PM UTC we will also have a Jenkins Infrastructure team meeting 
where this issue will be discussed in more detail. Calendar link: 
https://calendar.google.com/event?action=TEMPLATE&tmeid=dTJsaWoxN2xjZHFkajRsbmJlcWFiaXI5b2JfMjAyMDA2MDlUMTUzMDAwWiA0c3MxMmYwbXFyM3RicDF0MmZlMzY5c2xmNEBn&tmsrc=4ss12f0mqr3tbp1t2fe369slf4%40group.calendar.google.com

Best regards,
Oleg Nenashev
Jenkins Security Team



On Tuesday, June 9, 2020 at 2:08:31 AM UTC+2, Dmitry Sotnikov wrote:
>
> Do you guys plan to reach out to all the extension owners?
>
> We just accidentally found out about the issue: couldn't log in or reset 
> password, and then found this thread. When we created a new account 
> (42Crunch) for our company it just automatically assumed all access and 
> extension ownership for the plugin that we had published a few weeks ago.
>
> This can be dangerous because someone might take over existing accounts of 
> other vendors and then push malware updates to customers.
>
> Dmitry
>
> On Friday, June 5, 2020 at 1:21:09 AM UTC-7, Oleg Nenashev wrote:
>>
>> Yes, it is better to do password reset.
>> Admin UI in the Account App looks a bit strange for me, apparently I 
>> cannot reset passwords for other users at the moment.
>>
>>
>>
>> On Fri, Jun 5, 2020 at 10:16 AM Mez Pahlan <[email protected]> wrote:
>>
>>> I'm glad I checked here first!
>>>
>>> Same thing happened to me. My user id is: mezpahlan
>>>
>>> I registered more than 3 months ago but I *have* changed my password in 
>>> the last 3 months and don't remember the old one any more. Do I need to 
>>> password reset?
>>>
>>> Thanks
>>>
>>> On Wednesday, 3 June 2020 16:30:10 UTC+1, Johan Cornelissen wrote:
>>>>
>>>> Up until two days ago I was able to log into Jenkins LDAP without 
>>>> issues.
>>>> Now if I try to login it says invalid password, and a password reset 
>>>> attempt on https://accounts.jenkins.io/ isn't working (I receive no 
>>>> email, even though password resets have worked for me in the past).
>>>>
>>>> Could someone help take a look? I'll send my username privately.
>>>>
>>> -- 
>>> You received this message because you are subscribed to a topic in the 
>>> Google Groups "Jenkins Developers" group.
>>> To unsubscribe from this topic, visit 
>>> https://groups.google.com/d/topic/jenkinsci-dev/juHejx8zfdg/unsubscribe.
>>> To unsubscribe from this group and all its topics, send an email to 
>>> [email protected].
>>> To view this discussion on the web visit 
>>> https://groups.google.com/d/msgid/jenkinsci-dev/cf850002-2412-49a1-988b-65b992a7e633o%40googlegroups.com.
>>>
>>
