Downloads are restored. Another workaround has been applied by Daniel in https://github.com/jenkins-infra/repository-permissions-updater/pull/1569 , so user downloads are no longer broken. Thanks a lot to Daniel Beck for the quick fix!

Uploads are still blocked for everyone except a few users with Artifactory-wide permissions. We will be reviewing our options and communicating the next steps soon.

Best regards,
Oleg

On Tuesday, June 9, 2020 at 2:29:39 PM UTC+2, Oleg Nenashev wrote:
>
> We are also experiencing issues with artifact downloads, likely collateral damage after the change.
>
> On Tuesday, June 9, 2020 at 11:15:03 AM UTC+2, Oleg Nenashev wrote:
>>
>> Hi all,
>>
>> An official update w.r.t. this topic is coming soon. I confirm the assessment by Dmitry: it is a potential security risk which was reported on multiple occasions. SECURITY-1895 is a report for this incident, and it is currently being investigated by the security team.
>>
>> Just to provide some updates:
>>
>> - As of 8:50AM UTC, uploads to the Jenkins Artifactory "/releases" location are prohibited. Plugin maintainers will get HTTP 409 when they try to upload releases. Incremental releases and snapshot deployment are not affected by this change.
>> - We are reviewing all audit logs to confirm whether the potential issue with uploads was exploited. According to the preliminary analysis, the answer is "no".
>>
>> Today at 3:30PM UTC we will also have a Jenkins Infrastructure team meeting where this issue will be discussed in more detail. Calendar link
>>
>> Best regards,
>> Oleg Nenashev
>> Jenkins Security Team
>>
>> On Tuesday, June 9, 2020 at 2:08:31 AM UTC+2, Dmitry Sotnikov wrote:
>>>
>>> Do you guys plan to reach out to all the extension owners?
>>>
>>> We just accidentally found out about the issue: couldn't log in or reset password, and then found this thread. When we created a new account (42Crunch) for our company it just automatically assumed all access and extension ownership for the plugin that we had published a few weeks ago.
>>>
>>> This can be dangerous because someone might take over existing accounts of other vendors and then push malware updates to customers.
>>>
>>> Dmitry
>>>
>>> On Friday, June 5, 2020 at 1:21:09 AM UTC-7, Oleg Nenashev wrote:
>>>>
>>>> Yes, it is better to do a password reset.
>>>> The Admin UI in the Account App looks a bit strange to me; apparently I cannot reset passwords for other users at the moment.
>>>>
>>>> On Fri, Jun 5, 2020 at 10:16 AM Mez Pahlan <[email protected]> wrote:
>>>>>
>>>>> I'm glad I checked here first!
>>>>>
>>>>> Same thing happened to me. My user id is: mezpahlan
>>>>>
>>>>> I registered more than 3 months ago but I *have* changed my password in the last 3 months and don't remember the old one any more. Do I need to reset my password?
>>>>>
>>>>> Thanks
>>>>>
>>>>> On Wednesday, 3 June 2020 16:30:10 UTC+1, Johan Cornelissen wrote:
>>>>>>
>>>>>> Up until two days ago I was able to log into Jenkins LDAP without issues.
>>>>>> Now if I try to log in it says invalid password, and a password reset attempt on https://accounts.jenkins.io/ isn't working (I receive no email, even though password resets have worked for me in the past).
>>>>>>
>>>>>> Could someone help take a look? I'll send my username privately.
>>>>>>

--
You received this message because you are subscribed to the Google Groups "Jenkins Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/7278ce98-74d4-4ee3-8f52-c892c94fec8bo%40googlegroups.com.
