We are also experiencing issues with artifact downloads, likely collateral damage after the change.

On Tuesday, June 9, 2020 at 11:15:03 AM UTC+2, Oleg Nenashev wrote:
>
> Hi all,
>
> An official update w.r.t this topic is coming soon. I confirm the assessment by Dmitry, it is a potential security risk which was reported on multiple occasions. SECURITY-1895 is a report for this incident, and it is currently being investigated by the security team.
>
> Just to provide some updates:
>
> - As of 8:50AM UTC, uploads to Jenkins Artifactory "/releases" location are prohibited. Plugin maintainers will get HTTP 409 when they try to upload releases. Incremental releases and snapshot deployment are not affected by this change
> - We are reviewing all audit logs to confirm whether the potential issue with uploads was exploited. According to the preliminary analysis, the answer is "no"
>
> Today at 3:30PM UTC we will also have a Jenkins Infrastructure team meeting where this issue will be discussed in more detail. Calendar link
>
> Best regards,
> Oleg Nenashev
> Jenkins Security Team
>
> On Tuesday, June 9, 2020 at 2:08:31 AM UTC+2, Dmitry Sotnikov wrote:
>>
>> Do you guys plan to reach out to all the extension owners?
>>
>> We just accidentally found out about the issue: couldn't log in or reset password, and then found this thread. When we created a new account (42Crunch) for our company it just automatically assumed all access and extension ownership for the plugin that we had published a few weeks ago.
>>
>> This can be dangerous because someone might take over existing accounts of other vendors and then push malware updates to customers.
>>
>> Dmitry
>>
>> On Friday, June 5, 2020 at 1:21:09 AM UTC-7, Oleg Nenashev wrote:
>>>
>>> Yes, it is better to do password reset.
>>> Admin UI in the Account App looks a bit strange for me, apparently I cannot reset passwords for other users at the moment.
>>>
>>> On Fri, Jun 5, 2020 at 10:16 AM Mez Pahlan <[email protected]> wrote:
>>>
>>>> I'm glad I checked here first!
>>>>
>>>> Same thing happened to me. My user id is: mezpahlan
>>>>
>>>> I registered more than 3 months ago but I *have* changed my password in the last 3 months and don't remember the old one any more. Do I need to password reset?
>>>>
>>>> Thanks
>>>>
>>>> On Wednesday, 3 June 2020 16:30:10 UTC+1, Johan Cornelissen wrote:
>>>>>
>>>>> Up until two days ago I was able to log into Jenkins LDAP without issues.
>>>>> Now if I try to login it says invalid password, and a password reset attempt on https://accounts.jenkins.io/ isn't working (I receive no email, even though password resets have worked for me in the past).
>>>>>
>>>>> Could someone help take a look? I'll send my username privately.
